On Thu, Apr 18, 2019 at 9:56 AM Sándor dr. Szőke via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Thank you for the valuable information.
>
>
> I try to summarize the possibilities to issue PSD2 QWAC certificates.
>
> - If a CA issues PSD2 QWAC certificate now, it SHALL NOT include the CABF
> EV CPOID in it, but instead of that the certificate should contain the CABF
> OV CPOID value.
>

More clearly: It shall not contain any CP OID that indicates that the
certificate will comply with the EV Guidelines. In practice, this
specifically means the CABF EV CP OID and any other CP OIDs that may be
specific to the CA for which it has EV enabled.


> - If the CA issues PSD2 QWAC certificate with CABF OV CPOID, the issuing
> CA can not be EV enabled by the browsers and it will never be EV enabled
> because it has already issued a non-EVG-compliant certificate (is it
> correct?).
>

Ish. Issuing CAs can issue both OV and EV certificates; what matters is
what OIDs are used and whether they will be enabled for EV
treatment. As such, provided that the OID used for the PSD2 QWAC is not an
OID enabled for EV treatment, and provided that the CA's CP/CPS does not
indicate that the particular OID used for the PSD2 QWAC complies with the
CA/Browser Forum's EV Guidelines, then that should be acceptable.


> - If the Ballot SC17 will be accepted it will be possible to issue PSD2
> QWAC certificate with the CABF EV CPOID in it, so the issuer CA can be EV
> enabled AND EU Qualified at the same time.
>

Ish. Note that SC17 does make some modifications to address the concerns
that were raised with ETSI ESI, which ETSI ESI declined to address. As a
consequence, if Ballot SC17 passes, then certificates MAY be issued that
comply with the profile restriction specified in the EV Guidelines by SC17,
and such profile MAY be compatible with PSD2 QWAC.

Put differently: If you comply ONLY with PSD2 QWAC, then NO. If you comply
with the profile in SC17, which MAY comply with (be a super-set of) the
profile in PSD2 QWACs, then yes.


> As a consequence,
> - if a CA issues PSD2 certificate now, it shall set up new intermediate
> CAs for the issuance of EV certificates which shall be audited and asked
> for the EV enabled status
>

This doesn't follow. Intermediate CAs are not enabled for EV, the root CA
is, based on the root CA's CP/CPS and stated policies (and associated
audits).

From the perspective of audits based on ETSI EN 319 411-1 / 319 411-2, an
ETSI auditor MUST NOT indicate that a TSP has complied with the EV
Guidelines for a particular CP OID if that particular CP OID has been used
to issue PSD2 QWACs. Audit reports that (incorrectly) indicate such SHOULD
be rejected by browsers as not meeting the requirements of browser root
programs.

However, a TSP MAY be able to obtain an audit indicating their PSD2 QWAC CP
OID complies with 319 411-2 as modified by TS 119 495, thus meeting the
obligations of PSD2 QWACs, while only meeting the assurance level of the
CA/Browser Forum's OV CP, and indicate a *separate* OID complies with 319
411-2 and the CA/Browser Forum's EV Guidelines. A PSD2 QWAC certificate
MUST NOT contain the latter EV OID unless and until SC17 has been adopted.
However, PSD2 QWACs can be issued with ONLY the former OID - indicating
it's a PSD2 QWAC but a CABF OV - until then.

Hopefully that made sense?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
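The rule discussed above (a PSD2 QWAC must not carry the CABF EV CP OID, or any CA-specific OID enabled for EV treatment, until SC17 is adopted) can be checked mechanically. The following is an added example, not code from the thread or from any CA's tooling: it parses the DER value of a certificatePolicies extension without third-party modules and flags EV-indicating OIDs. The two CABF OIDs are the published CA/Browser Forum values; the sample extension bytes and the CA-specific EV OID in the test are constructed for illustration.

```python
# Added example, not code from the thread: a dependency-free check that a PSD2
# QWAC's certificatePolicies extension (DER) carries no EV-indicating CP OID.
# The two CABF OIDs are the published CA/Browser Forum values; everything else
# here (sample bytes, any CA-specific EV OID) is constructed for illustration.

CABF_EV_OID = "2.23.140.1.1"    # CA/Browser Forum EV Guidelines policy OID
CABF_OV_OID = "2.23.140.1.2.2"  # CA/Browser Forum OV policy OID

def _read_tlv(buf, pos):
    """Read one DER TLV (short- or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def policy_oids(cert_policies_der):
    """Return the set of policyIdentifier OIDs in a DER certificatePolicies value."""
    tag, outer, _ = _read_tlv(cert_policies_der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = set(), 0
    while pos < len(outer):
        _, info, pos = _read_tlv(outer, pos)      # PolicyInformation ::= SEQUENCE
        oid_tag, oid_val, _ = _read_tlv(info, 0)  # first element is policyIdentifier
        if oid_tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.add(_decode_oid(oid_val))
    return oids

def psd2_qwac_policy_violations(oids, ca_ev_enabled_oids=(), sc17_adopted=False):
    """OIDs a PSD2 QWAC must not carry: the CABF EV OID and any CA-specific OID the
    browsers have enabled for EV treatment. Until SC17 is adopted every such OID is a
    violation; after adoption the cert must also meet the SC17 profile (not checked)."""
    if sc17_adopted:
        return set()
    return set(oids) & ({CABF_EV_OID} | set(ca_ev_enabled_oids))

# Constructed sample extension values (DER), not taken from any real certificate.
# BAD: PolicyInformation{2.23.140.1.2.2} followed by PolicyInformation{2.23.140.1.1}
SAMPLE_BAD = bytes.fromhex("3013" "3008 0606 67810c010202" "3007 0605 67810c0101")
# OK: only the CABF OV OID, which the thread says a PSD2 QWAC may carry today
SAMPLE_OK = bytes.fromhex("300a" "3008 0606 67810c010202")
```

Feed `policy_oids()` the raw extension value (the OCTET STRING contents of OID 2.5.29.32) from a real certificate; the CA-specific EV OIDs come from the root program's EV-enablement list for that CA.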
