RFC 3039 bis Qualified Certificates Profile Changes from RFC 3039

Upload: sheila-blake

Post on 26-Dec-2015


Page 1: RFC 3039 bis Qualified Certificates Profile Changes from RFC 3039

RFC 3039 bis

Qualified Certificates Profile

Changes from RFC 3039

Page 2

Issues

- References and other minor editorial changes
- Subject DN attributes
- Scope
- Key usage
- qcStatements: mandatory use for QC, and criticality

Page 3

Subject attributes

RFC 3039 text: The subject field SHALL contain an appropriate subset of the following attributes: [...] Other attributes may be present but MUST NOT be necessary to distinguish the subject name from other subject names within the issuer domain.

Attributes under consideration:
- postalAddress (not supported by RFC 3280)
- title (function/position within an organization)

Page 4

Scope – The two ways

RFC 3039 way: a profile for Qualified Certificates, but the scope is not limited to that.

RFC 3039 bis way? A profile for ID certificates that also defines specific tools for QC.

Page 5

Scope RFC 3039

Abstract: This document forms a certificate profile for Qualified Certificates, based on RFC 2459, for use in the Internet. The term Qualified Certificate is used to describe a certificate with a certain qualified status within applicable governing law.

Section 2: The term "Qualified Certificate" has been used by the European Commission to describe a certain type of certificates with specific relevance for European legislation. This specification is intended to support this class of certificates, but its scope is not limited to this application.

Section 2: Within this standard the term "Qualified Certificate" is used more generally, describing the format for a certificate whose primary purpose is identifying a person with high level of assurance in public non-repudiation services. The actual mechanisms that will decide whether a certificate should or should not be considered to be a "Qualified Certificate" in regard to any legislation are outside the scope of this standard.

Page 6

Scope – Reasons for change

Some functions of RFC 3039 are not specific to QC or "public non-repudiation services":
- biometricInfo extension
- Issuer and Subject DN attribute set
- Attribute semantics definitions (PI definition)
- SubjectDirectoryAttributes: dateOfBirth, placeOfBirth, gender, countryOfCitizenship and countryOfResidence

Page 7

Scope – RFC 3039 bis 00.txt

Abstract: This document forms a certificate profile, based on RFC 3280, for identity certificates issued to physical persons.

Abstract: The profile defines specific conventions for certificates that are qualified within a defined legal framework, named Qualified Certificates. The profile does however not define any legal requirements for such Qualified Certificates.

Section 2: Within this standard the term "Qualified Certificate" is used generally, describing a certificate whose primary purpose is to identify a person with a high level of assurance, where the certificate meets some qualification requirements defined by an applicable legal framework.

Page 8

Key usage

RFC 3039: If the key usage nonRepudiation bit is asserted then it SHOULD NOT be combined with any other key usage, i.e., if set, the key usage non-repudiation SHOULD be set exclusively.

RFC 3039 bis 00.txt: Key usage settings SHALL be set in accordance with RFC 3280 definitions. Further conventions for key usage setting MAY be defined by certificate policies and/or local legal regulations.

The motivation for the change is highly dependent on scope.

Page 9

qcStatements extension – mandatory use and criticality (ETSI TS 101 862)

Based on a clear definition of QC as the context for the standard.

QC declaration through policy or qcStatement:
- RFC 3039: no stipulation
- Proposal: RFC 3039 bis, no stipulation; TS 101 862 bis, mandatory use of qcStatements, may be critical
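The key usage rule on page 8 and the qcStatements rule on page 9 are both checks a relying party can run against the DER of a certificate. The following is an added example, not from the slides or from either draft: it hand-encodes the X.509 KeyUsage BIT STRING and a minimal qcStatements extension value in DER, decodes the key usage again, and applies the RFC 3039 "nonRepudiation set exclusively" rule and the TS 101 862 bis "qcStatements mandatory, may be critical" rule. The OIDs (id-pe-qcStatements 1.3.6.1.5.5.7.1.3 and id-qcs-pkixQCSyntax-v1 1.3.6.1.5.5.7.11.1) and the KeyUsage bit positions are taken from RFC 3280 and the PKIX QC syntax as assumed by this example; the slides do not list them. The `Extension` dataclass and the sample certificate extensions are constructed for the example.

```python
from dataclasses import dataclass

# KeyUsage named-bit positions (assumed from RFC 3280 section 4.2.1.3)
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
OID_QC_STATEMENTS = "1.3.6.1.5.5.7.1.3"       # id-pe-qcStatements (assumed)
OID_PKIX_QC_SYNTAX_V1 = "1.3.6.1.5.5.7.11.1"  # id-qcs-pkixQCSyntax-v1 (assumed)


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def der_key_usage(names) -> bytes:
    """KeyUsage BIT STRING; DER drops trailing zero bits of a named bit list."""
    bits = sorted(KEY_USAGE_BITS[n] for n in names)
    if not bits:
        return der_tlv(0x03, b"\x00")
    high = bits[-1]
    buf = bytearray(high // 8 + 1)
    for b in bits:
        buf[b // 8] |= 0x80 >> (b % 8)   # bit 0 is the MSB of the first octet
    unused = 7 - (high % 8)
    return der_tlv(0x03, bytes([unused]) + bytes(buf))


def decode_key_usage(der: bytes) -> set:
    """Inverse of der_key_usage for short-form lengths."""
    if der[0] != 0x03 or der[1] >= 0x80:
        raise ValueError("not a short-form BIT STRING")
    body = der[2:2 + der[1]]
    unused, payload = body[0], body[1:]
    total = len(payload) * 8 - unused
    return {name for name, pos in KEY_USAGE_BITS.items()
            if pos < total and payload[pos // 8] & (0x80 >> (pos % 8))}


def der_qc_statements(statement_oids) -> bytes:
    """QCStatements ::= SEQUENCE OF QCStatement { statementId OID } (no statementInfo)."""
    return der_tlv(0x30, b"".join(der_tlv(0x30, der_oid(o)) for o in statement_oids))


@dataclass
class Extension:            # constructed stand-in for a parsed X.509 extension
    oid: str
    critical: bool
    value: bytes


def check_key_usage_rfc3039(names) -> bool:
    """Page 8, RFC 3039: if nonRepudiation is asserted it SHOULD be the only bit set."""
    names = set(names)
    return "nonRepudiation" not in names or names == {"nonRepudiation"}


def check_qc_statements(extensions, mandatory: bool) -> str:
    """Page 9: RFC 3039 / bis make no stipulation (mandatory=False);
    TS 101 862 bis requires the extension and allows it to be critical."""
    qcs = [e for e in extensions if e.oid == OID_QC_STATEMENTS]
    if not qcs:
        return "missing" if mandatory else "absent-ok"
    return "present-critical" if qcs[0].critical else "present-noncritical"


def demo() -> dict:
    """Constructed certificate content: nonRepudiation-only key usage plus a qcStatements extension."""
    ku = der_key_usage({"nonRepudiation"})
    exts = [Extension(OID_QC_STATEMENTS, False, der_qc_statements([OID_PKIX_QC_SYNTAX_V1]))]
    return {
        "keyUsage": decode_key_usage(ku),
        "rfc3039_key_usage_ok": check_key_usage_rfc3039(decode_key_usage(ku)),
        "rfc3039bis_qcs": check_qc_statements(exts, mandatory=False),
        "ts101862bis_qcs": check_qc_statements(exts, mandatory=True),
    }


if __name__ == "__main__":
    print(demo())
```

The encoder follows the DER rule that trailing zero bits of a named bit list are removed, so a nonRepudiation-only KeyUsage is the four bytes `03 02 06 40`; a checker that compares the raw value instead of the decoded bit set will miss certificates whose encoder pads the string.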