Nelson B Bolyard wrote:
> István Zsolt BERTA wrote, On 2008-10-06 06:54:
>> We had good reasons to choose this solution. According to Hungarian
>> regulations, a qualified CA is allowed to use its private key for the
>> following two purposes only:
>> * signing qualified end-user certificates and
>> * signing CRLs.
>> As neither 'signing OCSP responses', nor 'signing OCSP responder
>> certificates' is listed here, we were not allowed to support options 1
>> and 3 marked in RFC 2560, so only option 2 remained.
>
> According to Indiana legislation, at one time, the value of pi was 3.2. :)
> My point is that it is unfortunate if Hungarian law/regulation prohibits
> Hungarian CAs from using OCSP in a way that is useful for the general
> populace of the Internet, but the rest of the internet is not likely to
> change its software to accommodate those unfortunate regulations.

Istvan, would it be possible to take the position that "signing CRLs" is
equivalent to signing OCSP responses or OCSP certificates? They are both
for the same end result, getting the CR(L) to the user. If the
implementation details differ slightly, the legislation is not likely to
stand in the way. I imagine that if you wanted, Mozo would provide
documentation that could back up the position.

>> Unrecognized extensions:
>> ------------------------
>
>> The QCStatement extension is *NOT* critical in our certificates.
>
>> Webserver and code signing certificates are generally non-qualified,
>> so they are not affected by this issue.
>
> In bug 277797, a representative of a Hungarian CA claims that their
> SSL server certs ARE qualified certs. If that is still true
> (and it may not be, since that bug is a couple years old), then it
> cannot be said that web server certs are generally non-qualified.

Yes, true. As I understand it, it was the intention of the directive
that only human persons be the holders of qualified certificates.
However, when the CAs, industry and govt. departments started working
with them, they discovered problems with this limitation.

Different countries approached the problems in different ways. In some
countries, I gather, qualified certs can be issued outside the strict
intent of the directive. However, it may still be reasonable for Mozilla
to implement a client-cert-only profile for EV.

iang
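The three signer models István and Nelson are arguing over are the ones listed in RFC 2560 section 2.2: the CA signs OCSP responses with its own key (option 1), a "trusted responder" whose public key the relying party has been explicitly configured to trust (option 2), or a CA-designated responder holding a certificate issued by that CA with the id-kp-OCSPSigning extended key usage (option 3). The Python below is an added example, not code from this thread or from Mozilla/NSS, showing how a relying party tells the three apart and why an option 2 responder is rejected by any client that has not been configured for it out of band, which is Nelson's point. It assumes the `cryptography` package; the function names are the example's own, and every key and certificate is a throw-away one generated inline.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Everything below is constructed for this example: throw-away P-256 keys and
# certificates; no real CA or responder is involved.


def make_cert(cn, key, issuer_cert=None, issuer_key=None, ca=False, ocsp_signing=False):
    """Issue a certificate for `key`; self-signed when no issuer is given."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(subject if issuer_cert is None else issuer_cert.subject)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(minutes=1))
         .not_valid_after(now + timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ocsp_signing:  # id-kp-OCSPSigning marks a CA-designated responder (RFC 2560 option 3)
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]),
                            critical=False)
    return b.sign(key if issuer_key is None else issuer_key, hashes.SHA256())


def spki(cert):
    """DER SubjectPublicKeyInfo, used here as the identity of a key."""
    return cert.public_key().public_bytes(serialization.Encoding.DER,
                                          serialization.PublicFormat.SubjectPublicKeyInfo)


def verified(pubkey, signature, data, hash_alg):
    """ECDSA verification as a boolean (all keys in this example are P-256)."""
    try:
        pubkey.verify(signature, data, ec.ECDSA(hash_alg))
        return True
    except InvalidSignature:
        return False


def classify_ocsp_signer(response, signer_cert, issuer_cert, trusted_responders=()):
    """Which RFC 2560 section 2.2 signer model does this response fall under?

    issuer_cert:        CA that issued the certificate the response is about.
    trusted_responders: SPKIs the *client* has been explicitly configured to trust.
    """
    if not verified(signer_cert.public_key(), response.signature,
                    response.tbs_response_bytes, response.signature_hash_algorithm):
        return "bad-signature"
    if spki(signer_cert) == spki(issuer_cert):
        return "ca-signed"                      # option 1: the CA's own key
    try:
        eku = signer_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        eku = []
    chained = (signer_cert.issuer == issuer_cert.subject and
               verified(issuer_cert.public_key(), signer_cert.signature,
                        signer_cert.tbs_certificate_bytes, signer_cert.signature_hash_algorithm))
    if ExtendedKeyUsageOID.OCSP_SIGNING in eku and chained:
        return "designated-responder"           # option 3: CA-issued responder cert
    if spki(signer_cert) in trusted_responders:
        return "trusted-responder"              # option 2: only with out-of-band trust
    return "untrusted"                          # what a default client does with option 2


def sign_good_response(cert, issuer_cert, responder_cert, responder_key):
    """Build a signed 'good' OCSP response for `cert` from the given responder."""
    now = datetime.now(timezone.utc)
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=issuer_cert, algorithm=hashes.SHA1(),
        cert_status=ocsp.OCSPCertStatus.GOOD,
        this_update=now, next_update=now + timedelta(hours=1),
        revocation_time=None, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, responder_cert)
    return builder.sign(responder_key, hashes.SHA256())


def demo():
    """Run the three signer models through a default client and a configured one."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = make_cert("Example Qualified CA", ca_key, ca=True)
    leaf = make_cert("end user", ec.generate_private_key(ec.SECP256R1()), ca, ca_key)
    deleg_key = ec.generate_private_key(ec.SECP256R1())
    deleg = make_cert("CA-designated OCSP responder", deleg_key, ca, ca_key, ocsp_signing=True)
    indep_key = ec.generate_private_key(ec.SECP256R1())
    indep = make_cert("Independent OCSP responder", indep_key)  # not signed by the CA at all

    out = {}
    out["option1_ca_signed"] = classify_ocsp_signer(
        sign_good_response(leaf, ca, ca, ca_key), ca, ca)
    out["option3_designated"] = classify_ocsp_signer(
        sign_good_response(leaf, ca, deleg, deleg_key), deleg, ca)
    resp2 = sign_good_response(leaf, ca, indep, indep_key)
    out["option2_default_client"] = classify_ocsp_signer(resp2, indep, ca)
    out["option2_configured_client"] = classify_ocsp_signer(
        resp2, indep, ca, trusted_responders={spki(indep)})
    out["mismatched_signer_cert"] = classify_ocsp_signer(resp2, deleg, ca)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The only difference between the last two option 2 results is the `trusted_responders` set, which stands in for whatever out-of-band configuration a client offers; a general-purpose browser ships with that set empty, so a responder that is neither the CA nor chained to it with id-kp-OCSPSigning is simply untrusted.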
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto