<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Kirk, we support your proposal and maybe the first sentence of
(1) should be slightly modified (replaced "order" with "act" and
added "to" before the trailing comma):</p>
<p>"In the event of a conflict between these Requirements and the
laws or government act of any jurisdiction in which a CA operates
or issues certificates to, &lt;...&gt;".</p>
<p>Thanks,</p>
<p>M.D.<br>
</p>
<div class="moz-cite-prefix">On 7/20/2016 7:24 PM, Kirk Hall wrote:<br>
</div>
<blockquote
cite="mid:2ac500f6bc3b4241b40804ba7932efde@PMSPEX04.corporate.datacard.com"
type="cite">
<div class="WordSection1">
<p class="MsoPlainText">How about something like the following?
It will let CAs comply with applicable law (and avoid the
current conflict between BR Sec. 8 and other provisions), give
immediate notice to users and browsers before implementing a
modification to the BRs or EVGL. Of course, if a browser
believes the modification poses a security hazard, it can take
action on its own as it sees fit - including "breaking" certs
with the modification, treating the certs as untrusted,
removing the CA's roots from the browser root store, etc. And
if a CA modifies the Requirements without telling everyone
(i.e., without complying with BR 9.16.3), that by itself is a
separate WebTrust/ETSI audit breach.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">9.16.3.
Severability <o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">In the event of
a conflict between these Requirements and the laws or
government order of any jurisdiction in which a CA operates or
issues certificates, a CA may modify such requirements to the
minimum extent necessary to make the requirements valid and
legal in the jurisdiction. This applies only to operations or
certificate issuances that are subject to the laws of that
jurisdiction. In such event, the CA shall immediately (and
prior to issuing a certificate under the modified
requirements):<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:1.0in">(1)
Notify the CA/Browser Forum by sending a message to
<a class="moz-txt-link-abbreviated" href="mailto:questions@cabforum.org">questions@cabforum.org</a> and receiving confirmation that it has
been posted to the Public Mailing List and is indexed in the
Public Mail Archives available at
<a class="moz-txt-link-freetext" href="https://cabforum.org/pipermail/public/">https://cabforum.org/pipermail/public/</a> (or such other email
addresses and links as the Forum may designate), and<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:1.0in"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:1.0in">(2)
Include in Section 9.16.3 of the CA’s CPS
<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">a detailed
reference to the law or government order requiring a
modification of these Requirements under this section and the
specific modification of these Requirements implemented by the
CA, so that the CA/Browser Forum may consider possible
revisions to these Requirements accordingly. Any modification
of these Requirements must be discontinued at such time as the
laws or government order no longer apply, and similar notice
to the CA/Browser Forum and modifications to the CA’s CPS must
be made at that time.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: Gervase Markham [<a class="moz-txt-link-freetext" href="mailto:gerv@mozilla.org">mailto:gerv@mozilla.org</a>] <br>
Sent: Wednesday, July 20, 2016 2:01 AM<br>
To: Kirk Hall <a class="moz-txt-link-rfc2396E" href="mailto:Kirk.Hall@entrust.com">&lt;Kirk.Hall@entrust.com&gt;</a>; 'CABFPub'
<a class="moz-txt-link-rfc2396E" href="mailto:public@cabforum.org">&lt;public@cabforum.org&gt;</a><br>
Subject: Re: [cabfpub] Reform of section 9.16.3</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">On 20/07/16 01:17, Kirk Hall wrote:<o:p></o:p></p>
<p class="MsoPlainText">&gt; If instead what you are after is a
requirement that CAs report to the<br>
&gt; Forum all _conflicts_ (including but not limited to local law that<br>
&gt; makes compliance with a BR “illegal”) between local law and a<br>
&gt; mandatory BR requirement, then describe what the CA is doing about the<br>
&gt; conflict and propose possible modifications to the BR in question to<br>
&gt; resolve the conflict, that would be easy to draft. And the CA could<br>
&gt; also be required to include a description of the conflict and how the<br>
&gt; CA is responding (generally by following local law, I predict) in its<br>
&gt; CPS at Sec. 9.16.3 - that also would be easy to draft, and probably useful.</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I follow your argument, and it makes
sense to me. Yes, I think this is what we want. If the CA does
not follow, or "modifies", a section of the BRs in order to
comply with local law, they should explain what they have
done, and how they are trying to meet the spirit of that BR
requirement as much as possible. Invoking courts or local
authorities does indeed make little sense, as they are not
going to specifically rule on bits of the BRs.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">&gt; What would you think of this
alternate approach to amending BR 9.16.3?</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I'd be very pleased if you were to draft
something, and then we could throw it into the discussion.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Gerv<o:p></o:p></p>
</div>
</blockquote>
<br>
</body>
</html>