<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Cambria-Bold;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:622930767;
mso-list-template-ids:1490444566;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Was this what you are referring to?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
“I'm struggling to find this in the minutes, but if you'll recall, Gerv and I discussed various interpretations of this. For example, if a US CA were presented with an order to ignore domain validation and, say, issue a certificate for
<a href="http://www.google.com" target="_blank">www.google.com</a>, would the CA be argued to be in full compliance with the BRs for doing so? We discussed questions about what it meant for the Forum to be notified - is this a public mailing list, a management
list, etc. We discussed the hypothetical concern about government-issued gag notices as well.”<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">If that’s what you are referring to, that in not in any way a convincing argument – the Spanish government has not ordered CAs to (1) ignore domain validation
or (2) issue a certificate for <a href="http://www.google.com">www.google.com</a>. Those are straw man arguments not relevant to the question that Chema Lopez posed to the Forum.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Refer back to Chema Lopez’s original explanation, pasted in here:<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in">
There was a law in Spain that regulates the profile for some specific certificates, i.e.:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.75in;text-indent:-.25in;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Civil Servant or Public Employee (natural person certificate)<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.75in;text-indent:-.25in;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Electronic Seal for Automated Administrative Action<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.75in;text-indent:-.25in;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Electronic Office Certificate (SSL or EV for Public Administrations)<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in">
You can find the profiles attached (unfortunately only in Spanish).<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> The problem is that these profiles required private extensions in the SAN, and this conflicts BR and EV Guidelines. At least, crt.sh shows this extensions as an error.<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">In what way would compliance with
<u>this particular law of Spain</u> harm Google or any user? <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Assuming there is no harm at all (which appears likely), on what basis would a browser insist that a CA violate the laws of its own country? Without a compelling,
proven security threat from compliance?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">If browsers want to pick fights with EU governments, I guess they can, but it’s hard to see how it is justified or useful when the actual Spanish law in question
has no security impact. And the BRs and EVGL *<b>require</b>* CAs to comply with local law, so *<b>not</b>* complying with this Spanish law could put FirmaProfessional at risk of *<b>failing</b>* its next audit. I don’t think any browser wants to make that
happen.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">As for disclosure – well, you have your disclosure, so why are we wasting any more time on it?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">In addition, there is an apparent conflict between BR Sec. 8 (which is also a *<b>mandatory</b>* requirement of the BRs, and requires CAs to comply with local
law), and whatever BR covers the profile issues in question (and does that section really prohibit what FirmaProfessional has done?). So which of the two mandatory BR requirement should the CA follow, BR Sec. 8 or the profile section? I would say follow
local law unless it creates some proven, measurable security issue for users, like your hypotheticals above would.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Plus, BR 9.16.3 only applies “to any mandatory requirement that is illegal”. Are there any profile requirements in the BRs that are “illegal” under Spanish law?
So does BR 9.16.3 even apply?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-family:"Cambria-Bold",serif">BR 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">The CA SHALL at all times:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">1. Issue Certificates and operate its PKI in accordance with all law applicable to its business and the Certificates it issues in every jurisdiction
in which it operates; ***<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-family:"Cambria-Bold",serif"><o:p> </o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-family:"Cambria-Bold",serif">BR 9.16.3. Severability<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Cambria",serif">If a court or government body with jurisdiction over the activities covered by these Requirements determines that the performance of any mandatory requirement is illegal, then such
requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties involved SHALL notify the CA
/ Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Requirements accordingly.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Ryan Sleevi [mailto:sleevi@google.com]
<br>
<b>Sent:</b> Friday, July 15, 2016 5:07 PM<br>
<b>To:</b> Kirk Hall <Kirk.Hall@entrust.com><br>
<b>Cc:</b> Dean Coclin <Dean_Coclin@symantec.com>; Chema Lopez <clopez@firmaprofesional.com>; public@cabforum.org<br>
<b>Subject:</b> Re: [cabfpub] SAN private extensions pursuant specific SSL/EV Spanish ruled profile<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Fri, Jul 15, 2016 at 5:03 PM, Kirk Hall <<a href="mailto:Kirk.Hall@entrust.com" target="_blank">Kirk.Hall@entrust.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Why do browsers need this kind of information to be disclosed to them? What difference does it make
to a browser? Seems like the information is not directed at the browsers.</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Could you re-read the message you're replying to and let me know what part confused you? I discussed a very real, very practical concern - one that we've discussed in person and on the list before.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Perhaps this is why it's important to keep good minutes, since we seem to keep rehashing things.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">In any case, the existing BR and EVGL rules don’t require disclosure, they just require compliance
with local law, which is appropriate.</span><o:p></o:p></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Could you re-read the BRs and explain to me why you don't feel it requires disclosure? In particular, please read the statement beginning with "The parties involved SHALL notify the CA / Browser Forum". It would be useful to understand
why you don't believe this represents an obligation for disclosure.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Ryan Sleevi [mailto:<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>]
<br>
<b>Sent:</b> Friday, July 15, 2016 3:53 PM<br>
<b>To:</b> Kirk Hall <<a href="mailto:Kirk.Hall@entrust.com" target="_blank">Kirk.Hall@entrust.com</a>><br>
<b>Cc:</b> Dean Coclin <<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>>; Chema Lopez <<a href="mailto:clopez@firmaprofesional.com" target="_blank">clopez@firmaprofesional.com</a>>;
<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] SAN private extensions pursuant specific SSL/EV Spanish ruled profile</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Thu, Jul 14, 2016 at 11:08 AM, Kirk Hall <<a href="mailto:Kirk.Hall@entrust.com" target="_blank">Kirk.Hall@entrust.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">To my mind, the provisions of BR Sec. 8 and 9.16.3, and EVGL Sec. 8.1, could be interpreted as allowing the laws and regulations of Spain concerning certificate profiles and content
to override the requirements of the BRs and EVGL. </span><o:p></o:p></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Accordingly, there may be no need for Spanish CAs to do anything differently as to the earlier certs – they can assert to their auditors that Spanish law and regulation is allowed
to control on this issue, and so they are in full compliance because of BR Sec. 8 and 9.16.3, and EVGL Sec. 8.1. See below.</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">However, as we discussed in person at the CA/B Forum meeting in Scottsdale, there is an obligation of CAs to disclose these regulations so that the Forum can be so informed.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">While Chema has now done this (and Inigo had previously), it can't be argued these are apriori conforming and in full compliance.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I'm struggling to find this in the minutes, but if you'll recall, Gerv and I discussed various interpretations of this. For example, if a US CA were presented with an order to ignore
domain validation and, say, issue a certificate for <a href="http://www.google.com" target="_blank">
www.google.com</a>, would the CA be argued to be in full compliance with the BRs for doing so? We discussed questions about what it meant for the Forum to be notified - is this a public mailing list, a management list, etc. We discussed the hypothetical concern
about government-issued gag notices as well.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Unfortunately, none of this was minuted. However, thankfully Gerv sent a public mail shortly thereafter, which at least helps me make sure I'm not misremembering things (although
I could totally be missing where it appears on the minutes in <a href="https://cabforum.org/2016/02/17/2016-02-17-minutes-of-f2f-meeting-37/" target="_blank">
https://cabforum.org/2016/02/17/2016-02-17-minutes-of-f2f-meeting-37/</a> ) - but you can read the thread at <a href="https://cabforum.org/pipermail/public/2016-April/007465.html" target="_blank">https://cabforum.org/pipermail/public/2016-April/007465.html</a><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>