<div dir="ltr">Gerv,<div><br></div><div>Putting on my "How might I look for loopholes in this language", it's possible to conceive of an evil insider/collaborator attack (whether malicious, state sponsored, accidental, or otherwise) with respect to the "receiving confirmation of the receipt of the message" portion.</div><div><br></div><div>Perhaps this is over-thinking it, but how would you feel about "receiving confirmation that it has been posted to the Public Mailing List and is indexed in the Public Mail Archives available at <a href="https://cabforum.org/pipermail/public/">https://cabforum.org/pipermail/public/</a> , so that ..."</div><div><br></div><div>This accomplishes several things:</div><div>1) It ensures that such disclosures, if any, receive public attention, rather than just the CA/Browser Forum's internal lists and membership</div><div>2) It moves from "receiving confirmation" (which can be interpreted as, say, the next-hop SMTP server acknowledging receipt, but never forwarding to the CA/B Forum list) into something that can be objectively quantified over a secured medium (assuming a certificate for <a href="http://cabforum.org">cabforum.org</a> is not misissued)</div><div>3) It removes ambiguity as to who is responsible to confirm (can the member themselves confirm, if they are a member? Does the Chair confirm? Does the questions answerer confirm?)</div><div>4) It allows the flexibility for the member to themselves forward from the questions@ list to the public list, reducing the latency involved and giving greater flexibility, while still accomplishing the necessary transparency goal</div><div><br></div><div>I realize this is fairly pedantic, but certainly, transparency and robustness seem useful, and it doesn't seem significantly more onerous. 
What do you think?<br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 27, 2016 at 9:38 AM, Gervase Markham <span dir="ltr"><<a href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p class="gmail-MsoNormal">Hi everyone,</p>
<p class="gmail-MsoNormal">At the last CAB
Forum meeting, we had a discussion about BRs section 9.16.3, and
the possibility that it allows CAs to violate the BRs without
appropriate notification. After the CAB Forum meeting, the
following amendment (which I have tweaked) was helpfully suggested
by one participant in the conversation. The aim is to bring
transparency, so anyone in violation under this clause is at least
documented, and we can consider revisions to the BRs accordingly.</p>
<p class="gmail-MsoNormal">What do people
think?<br>
</p>
<p class="gmail-MsoNormal">Gerv</p>
<p class="gmail-MsoNormal"><br>
</p>
<p class="gmail-MsoNormal"><b>9.16.3.
Severability</b></p>
<p class="gmail-MsoNormal">If a court or
government body with jurisdiction over the activities covered by
these Requirements determines that the performance of any
mandatory requirement is illegal, then such requirement is
considered reformed to the minimum extent necessary to make the
requirement valid and legal. This applies only to operations or
certificate issuances that are subject to the laws of that
jurisdiction. The parties involved SHALL notify the CA / Browser
Forum <u><span style="color:red">by sending a detailed message to
<a href="mailto:questions@cabforum.org">questions@cabforum.org</a>
</span> </u>of the facts, circumstances, and law(s) involved, <span style="color:red"><u>and receiving confirmation of the receipt
of the message by the CA/Browser Forum,</u> </span>so that
the CA/Browser Forum may <u><font color="#ff0000">consider
possible revisions to these</font></u> Requirements
accordingly.</p>
<u><span style="color:red">Any CA that wants to deviate from any
mandatory requirement of these Requirements as written on the
basis of this Section 9.16.3 must list all such non-conformity
(including a reference to the specific Requirement(s) subject to
deviation) in Section 9.16.3 of the CA’s CPS before deviating
from the Requirement(s), and include in such disclosure the
facts, circumstances, and law(s) involved. </span></u>
</div>
<br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br></div></div></div>