RFC 3039 bis - PowerPoint PPT Presentation

Slides: 10
Provided by: stefansa
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes


1
RFC 3039 bis
  • Qualified Certificates Profile
  • Changes from RFC 3039

2
Issues
  • References and other minor editorial
  • Subject DN attributes
  • Scope
  • Key usage
  • qcStatements - mandatory use for QC and
    criticality

3
Subject attributes
  • RFC 3039 text
      • The subject field SHALL contain an appropriate
        subset of the following attributes
      • Other attributes may be present but MUST NOT be
        necessary to distinguish the subject name from
        other subject names within the issuer domain.
  • Attributes under consideration
      • postalAddress (not supported by RFC 3280)
      • Title (function/position within an organization)

4
Scope: The two ways
  • RFC 3039 way
      • Profile for Qualified Certificates but scope is
        not limited to that.
  • RFC 3039 bis way?
      • Profile for ID certificates that also defines
        specific tools for QC

5
Scope: RFC 3039
  • Abstract: This document forms a certificate
    profile for Qualified Certificates, based on RFC
    2459, for use in the Internet. The term Qualified
    Certificate is used to describe a certificate
    with a certain qualified status within applicable
    governing law.
  • Section 2: The term "Qualified Certificate" has
    been used by the European Commission to describe
    a certain type of certificates with specific
    relevance for European legislation. This
    specification is intended to support this class
    of certificates, but its scope is not limited to
    this application.
  • Section 2: Within this standard the term
    "Qualified Certificate" is used more generally,
    describing the format for a certificate whose
    primary purpose is identifying a person with high
    level of assurance in public non-repudiation
    services. The actual mechanisms that will decide
    whether a certificate should or should not be
    considered to be a "Qualified Certificate" in
    regard to any legislation are outside the scope
    of this standard.

6
Scope: Reasons for change
  • Some functions of RFC 3039 are not specific to QC
    or public non-repudiation services
      • biometricInfo Extension
      • Issuer and Subject DN attribute set
      • Attribute semantics definitions (PI definition)
      • SubjectDirectory attributes
          • dateOfBirth, placeOfBirth, gender,
            countryOfCitizenship and countryOfResidence.

7
Scope: RFC3039 bis 00.txt
  • Abstract: This document forms a certificate
    profile, based on RFC 3280, for identity
    certificates issued to physical persons.
  • Abstract: The profile defines specific
    conventions for certificates that are qualified
    within a defined legal framework, named Qualified
    Certificates. The profile does however not define
    any legal requirements for such Qualified
    Certificates.
  • Section 2: Within this standard the term
    "Qualified Certificate" is used generally,
    describing a certificate whose primary purpose is
    to identify a person with high level of
    assurance, where the certificate meets some
    qualification requirements defined by an
    applicable legal framework.

8
Key usage
  • RFC 3039
      • If the key usage nonRepudiation bit is asserted
        then it SHOULD NOT be combined with any other key
        usage, i.e., if set, the key usage
        non-repudiation SHOULD be set exclusively.
  • RFC 3039bis 00.txt
      • Key usage settings SHALL be set in accordance
        with RFC 3280 definitions. Further conventions
        for key usage setting MAY be defined by
        certificate policies and/or local legal
        regulations.
  • Motivation for change is highly dependent on scope
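
As an added example (not part of the presentation or of either RFC), the RFC 3039 rule quoted above can be checked against the DER-encoded keyUsage BIT STRING; under RFC 3039 bis this check would apply only where a certificate policy keeps the exclusivity convention. The function names and sample byte strings are constructed for illustration, and bit positions follow the KeyUsage definition in RFC 3280.

```python
# Added illustration: function names and sample bytes are constructed.
# Bit positions follow the KeyUsage BIT STRING defined in RFC 3280.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]


def parse_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING inside a keyUsage extension into bit names."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING with content")
    length = der[1]
    if length not in (2, 3) or length != len(der) - 2:
        raise ValueError("unexpected length for a keyUsage value")
    unused, payload = der[2], der[3:]
    if unused > 7 or payload[-1] & ((1 << unused) - 1):
        raise ValueError("invalid unused-bit count or non-zero padding")
    total_bits = len(payload) * 8 - unused
    return {
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i < total_bits and payload[i // 8] & (0x80 >> (i % 8))
    }


def check_rfc3039_key_usage(der: bytes) -> list:
    """Report use of nonRepudiation together with any other key usage bit."""
    bits = parse_key_usage(der)
    if "nonRepudiation" in bits and len(bits) > 1:
        others = sorted(bits - {"nonRepudiation"})
        return ["nonRepudiation combined with: " + ", ".join(others)]
    return []


# Constructed sample values (hex of the BIT STRING only, not full certificates).
SAMPLES = {
    "nonRepudiation only": "03020640",
    "digitalSignature + nonRepudiation": "030206c0",
    "digitalSignature + keyEncipherment": "030205a0",
    "keyAgreement + decipherOnly": "0303070880",
}

if __name__ == "__main__":
    for label, hexval in SAMPLES.items():
        findings = check_rfc3039_key_usage(bytes.fromhex(hexval))
        print(f"{label}: {findings or 'ok'}")
```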

9
qcStatement Extension: mandatory use and criticality
  • ETSI TS 101 862
      • Based on clear definition of QC as context for
        the standard
      • QC declaration through policy or qcStatement
  • RFC 3039
      • No stipulation
  • Proposal
      • RFC 3039 bis: no stipulation
      • TS 101862 bis: Mandatory use of qcStatement, May
        be critical