Again, I hope this is the right place to ask.
Currently, Peruvian law allows any CA certificate to be included in the national TSL (ETSI TS 102 231), but these inclusions have to be requested. So the thing is this: we are resellers of COMODO's custom client certificates and we want our certificates to be recognized under the Peruvian TSL scheme, so we have to ask our TSL scheme operator to include the right CA certificate. My question is which one would be the right one.
Currently from Windows Certificate Store I can see this certification path:
- AddTrust External CA Root
- UTN-USERFirst-Client Authentication and Email
- COMODO Client Authentication and Secure Email CA
- End entity Custom Client Certificate
So, what would be the right one? Should it be the root, or just the immediate intermediate CA?
Is anyone familiar with ETSI TS 102 231?
I just found the answer. The immediate intermediate CA should be included in the TSL (ETSI TS 102 231).
It is clearly stated in "COMMISSION DECISION 2009/767/EC ANNEX 2.3". Quoting:
As a general default principle, for a listed CSP in the Trusted List there must be one service entry per single X.509v3 certificate for a CA/QC type certification service, i.e. a Certification Authority (directly) issuing QCs. In some carefully envisaged circumstances and carefully managed conditions, a Member State Supervisory Body/Accreditation Body may decide to use the X.509v3 certificate of a Root or Upper level CA (i.e. a Certification Authority not directly issuing end-entity QCs but certifying a hierarchy of CAs down to CAs issuing QCs to end-entities) as the Sdi of a single entry in the list of services from a listed CSP. The consequences (advantages and disadvantages) of using such X.509v3 Root CA or Upper CA as Sdi values of TL services entries must be carefully considered and endorsed by Member States. Moreover, when using this authorized exception to the default principle, Member State must provide the necessary documentation to facilitate certification path building and verification.
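As an added illustration (my own script, not part of the original post or of any COMODO or ETSI material), the following shell script shows how to pick out, from a certification path like the one listed above, the certificate that the default rule in the Decision asks for: the CA that directly issued the end-entity certificate. It builds a constructed four-level hierarchy with placeholder names (root, upper CA, issuing CA, client certificate; none of these are the real AddTrust, UTN or COMODO certificates), then selects the issuing CA by matching the end-entity's issuer DN against each candidate's subject DN and confirming the match with a signature check, because a name match alone could be satisfied by any certificate that happens to carry the same DN. It assumes the `openssl` command-line tool is installed (1.0.2 or later, for `verify -partial_chain`).

```shell
#!/bin/sh
# Added example, not from the original post. Builds a CONSTRUCTED four-level
# hierarchy that mirrors the path in the question (root -> upper CA ->
# issuing CA -> client certificate) using placeholder names, then picks out
# the certificate that belongs in the TSL service entry: the CA that
# directly issued the end-entity certificate.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profile for the self-signed root (placeholder for a root such as
# "AddTrust External CA Root").
cat > root.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# Profile for every subordinate CA we sign.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
# Profile for the end entity: a client-auth / e-mail certificate, not a CA.
cat > ee.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# Self-signed root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example External CA Root" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile root.ext \
  -out root.pem 2>/dev/null

# issue NAME SUBJECT ISSUER EXTFILE: key + CSR for NAME, signed by ISSUER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 30 -extfile "$4" -out "$1.pem" 2>/dev/null
}
issue upper   "/CN=Example Upper Level CA"                            root    ca.ext
issue issuing "/CN=Example Client Auth and Email CA"                  upper   ca.ext
issue client  "/CN=Example End Entity/emailAddress=user@example.test" issuing ee.ext

# dn FILE subject|issuer: the named DN in normalized RFC 2253 form, with the
# "subject=" / "issuer=" prefix (and any version-dependent spacing) stripped.
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# find_issuing_ca EE CANDIDATE...: prints the candidate that (a) carries the
# subject DN the end-entity names as its issuer and (b) really did sign it.
# -partial_chain lets openssl treat a non-self-signed candidate as the anchor,
# so the check is "does this one certificate verify EE", not "does EE chain
# to some root". Returns 1 if no candidate qualifies.
find_issuing_ca() {
  ee=$1; shift
  want=$(dn "$ee" issuer)
  for c in "$@"; do
    [ "$(dn "$c" subject)" = "$want" ] || continue
    if openssl verify -partial_chain -CAfile "$c" "$ee" >/dev/null 2>&1; then
      echo "$c"; return 0
    fi
  done
  return 1
}

# Sanity check: the complete path still builds up to the trusted root.
cat upper.pem issuing.pem > chain.pem
openssl verify -CAfile root.pem -untrusted chain.pem client.pem >/dev/null

SDI=$(find_issuing_ca client.pem root.pem upper.pem issuing.pem)
echo "Certificate to list as the TSL service's Sdi: $SDI"
openssl x509 -in "$SDI" -noout -subject -fingerprint -sha256
```

Run it as-is; it prints `issuing.pem` (the "COMODO Client Authentication and Secure Email CA" position in the real path), together with its subject and SHA-256 fingerprint, which is what you would hand to the scheme operator alongside the PEM file. Feeding the script your real end-entity certificate and the three real CA certificates in place of the constructed ones works the same way, since the selection only depends on DN matching plus the signature check.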