FNMT: QC Statement that contains at least one of the ETSI ESI statements
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: michel, Assigned: alain)
Details
(Whiteboard: [ca-compliance] )
Hello,
I found 21 precertificates issued by AC Componentes Informáticos that fail the zlint check "Checks that a QC Statement that contains at least one of the ETSI ESI statements, also features the set of mandatory ETSI ESI QC statements".
zlint error:
https://crt.sh/?zlint=1193&iCAID=1488
Comment 1•5 years ago
Angel: please provide an incident report as described here.
First of all, please be informed that on 28/03/2020 we took the necessary steps to stop issuing SSL certificates from AC Componentes Informaticos until we fully analyse the issue.
We believe this Zlint error is related to the incorporation of some QcStatements to “non-qualified certificates”. If this was not the issue, please let us know.
Our understanding is that we may issue OVCP certificates with the following QC Statements we are in fact including:
Generic QC Statements which may be used with any applicable regulatory framework:
- (esi4-qcStatement-3) 0.4.0.1862.1.3 - qcs-QcRetentionPeriod – The Spanish legislation establishes a 15 year retention period.
- (esi4-qcStatement-5) 0.4.0.1862.1.5 - qcs-QcPDS – Holds a URL to PDS in accordance with Annex A of ETSI EN 319 411-1 which applies also to non-qualified certificates.
QC Statements claiming compliance with specific legislation:
- (esi4-qcStatement-6) 0.4.0.1862.1.6.3 - qct-web. When used on its own it indicates that it is used for the purposes of web sites for "non-qualified certificates" within the context of Regulation (EU) No 910/2014 [i.8]. Also, as per draft ETSI EN 319 412-5 v2.2.3 2020-01 (paragraph 4.2.3), it seems this may be updated to "... for non-qualified certificates within a legislative context, which may be indicated by the esi4-qcStatement-7 (id-etsi-qcs-QcCClegislation)".
Am I missing any other BR requirement in this regard? We await your feedback regarding this matter.
Thank you.
Comment 3•5 years ago
alain: Thanks for prompt confirmation that you've temporarily suspended issuance, and your added detail.
I think your analysis is correct, as I recently expanded upon in a ZLint PR. That is, I believe there's a ZLint bug here, as the ETSI ESI QCStatements may be used in non-qualified certificates, and thus are not subject to the requirements of ETSI EN 319 412-2.
I've filed a bug in ZLint for this.
Thanks Ryan, we therefore understand that we can resume issuing certificates.
Comment 5•5 years ago
I believe that’s correct, but I haven’t analyzed all of the certificates you’ve issued.
Could you clarify your certificate profile(s) and which QCStatements you include and when? I’ll double check and RESOLVED/INVALID this if it does look to be compliant.
The AC Componentes Informaticos certificate profile for OVCPs which includes the referred QCStatements was implemented on January 3, 2017.
The included QCStatements are:

OBJECT IDENTIFIER 1.3.6.1.5.5.7.1.3 [PKIX private extension: qcStatements]
  OCTET STRING (1 elem)
    SEQUENCE (3 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 0.4.0.1862.1.3 [ETSI TS 101 862 qualified certificates: etsiQcsRetentionPeriod]
        INTEGER 15
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 0.4.0.1862.1.6
        SEQUENCE (1 elem)
          OBJECT IDENTIFIER 0.4.0.1862.1.6.3
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 0.4.0.1862.1.5
        SEQUENCE (2 elem)
          SEQUENCE (2 elem)
            IA5String https://www.cert.fnmt.es/pds/PDS_COMP_es.pdf
            PrintableString es
          SEQUENCE (2 elem)
            IA5String https://www.cert.fnmt.es/pds/PDS_COMP_en.pdf
            PrintableString en

Thanks!!
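The profile dump in the comment above, rebuilt as DER and run through both readings of the rule argued in this bug, as an added example; this is not FNMT's profile generator or ZLint's code. It uses only the Python standard library with a small DER encoder/decoder sufficient for this extension. Two things are assumed rather than taken from the thread: the QcCompliance OID 0.4.0.1862.1.1 (esi4-qcStatement-1) and the set of statements treated as mandatory for a qualified certificate (QcCompliance, QcPDS, QcType), both taken from ETSI EN 319 412-5; `missing_if_any_etsi_triggers` is my reading of the behaviour the thread attributes to the lint, and `missing_if_qualified` the reading the thread agrees on, where only a certificate that claims to be qualified is bound by the mandatory set.

```python
"""Build and lint the qcStatements extension of the AC Componentes Informaticos
OVCP profile quoted in this bug.  Added example, not FNMT's or ZLint's code."""

ETSI_ESI_ARC = "0.4.0.1862.1."
ESI_QC_COMPLIANCE = "0.4.0.1862.1.1"   # esi4-qcStatement-1; assumed (ETSI EN 319 412-5), not in the thread
ESI_QC_RETENTION = "0.4.0.1862.1.3"    # esi4-qcStatement-3
ESI_QC_PDS = "0.4.0.1862.1.5"          # esi4-qcStatement-5
ESI_QC_TYPE = "0.4.0.1862.1.6"         # esi4-qcStatement-6
ESI_QCT_WEB = "0.4.0.1862.1.6.3"       # qct-web

# Assumption: statements a qualified certificate must carry; check the edition
# of ETSI EN 319 412-5 you lint against.
MANDATORY_FOR_QUALIFIED = {ESI_QC_COMPLIANCE, ESI_QC_PDS, ESI_QC_TYPE}

# --- minimal DER encoding ---------------------------------------------------
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                 # base-128, high bit set on all but last
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return tlv(0x06, bytes(out))

def integer(n):                          # non-negative only, minimal encoding
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def ia5(s):        return tlv(0x16, s.encode("ascii"))
def printable(s):  return tlv(0x13, s.encode("ascii"))
def seq(*items):   return tlv(0x30, b"".join(items))

def statement(statement_id, statement_info=b""):
    return seq(oid(statement_id), statement_info)

def fnmt_ovcp_qcstatements():
    """Extension value with the structure and values of the profile dump above."""
    return seq(
        statement(ESI_QC_RETENTION, integer(15)),
        statement(ESI_QC_TYPE, seq(oid(ESI_QCT_WEB))),
        statement(ESI_QC_PDS, seq(
            seq(ia5("https://www.cert.fnmt.es/pds/PDS_COMP_es.pdf"), printable("es")),
            seq(ia5("https://www.cert.fnmt.es/pds/PDS_COMP_en.pdf"), printable("en")),
        )),
    )

# --- minimal DER decoding ---------------------------------------------------
def parse_tlv(data):
    """Return (tag, body, rest) for the first definite-length TLV in data."""
    tag, first, offset = data[0], data[1], 2
    if first & 0x80:                     # long form: first & 0x7F length bytes follow
        n = first & 0x7F
        length = int.from_bytes(data[2:2 + n], "big")
        offset += n
    else:
        length = first
    return tag, data[offset:offset + length], data[offset + length:]

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def statement_ids(ext_value):
    """statementId OIDs of a qcStatements extension value, in order."""
    tag, body, _ = parse_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("qcStatements must be a SEQUENCE")
    ids = []
    while body:
        _, stmt, body = parse_tlv(body)
        oid_tag, oid_body, _ = parse_tlv(stmt)
        if oid_tag != 0x06:
            raise ValueError("QCStatement must start with an OID")
        ids.append(decode_oid(oid_body))
    return ids

# --- the two readings of the rule ------------------------------------------
def missing_if_any_etsi_triggers(ext_value):
    """Assumed reading behind the original lint: any ETSI ESI statement makes
    the mandatory set required.  Flags the OVCP profile."""
    ids = set(statement_ids(ext_value))
    if not any(i.startswith(ETSI_ESI_ARC) for i in ids):
        return set()
    return MANDATORY_FOR_QUALIFIED - ids

def missing_if_qualified(ext_value):
    """Reading agreed in the thread: only a certificate claiming to be qualified
    (QcCompliance present) is bound by the mandatory set."""
    ids = set(statement_ids(ext_value))
    if ESI_QC_COMPLIANCE not in ids:
        return set()
    return MANDATORY_FOR_QUALIFIED - ids

if __name__ == "__main__":
    ext = fnmt_ovcp_qcstatements()
    print(statement_ids(ext))
    print("any-ETSI reading :", missing_if_any_etsi_triggers(ext))
    print("qualified reading:", missing_if_qualified(ext))
```

On the profile above, the first reading reports QcCompliance as missing, which is the finding crt.sh surfaced; the second reports nothing, because a certificate without QcCompliance is not claiming to be qualified. The second function still flags a certificate that does carry QcCompliance but omits one of the other mandatory statements, so the check is narrowed, not disabled.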
Comment 7•5 years ago
Thanks for confirming that 100% of the certificates match that profile.
I agree that the use of these QCStatements does not imply a Qualified certificate, and thus does not imply a violation of ETSI EN 319 412-5 / ETSI EN 319 411-2.