<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">Gerv, thanks for your suggestions on amending BR 9.16.3. I want to go through the existing language and new language to make sure it accomplished what you want to accomplish.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><u><span style="font-family:"Calibri",sans-serif">Recap of Recent Events<o:p></o:p></span></u></b></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Calibri",sans-serif">First, a recap of recent events. FirmaProfessional reported on June 29 that Spanish law required certain modifications to Profiles and addition of private extensions
for certain Spanish civil servants, which apparently violated provisions of BR 7.1.4.2, but did not present any obvious security issues for users. FirmaProfessional said the law had been repealed, but asked what if anything should be done about issued certificates.
I offered my personal opinion that the certs were validly issued because BR Sec. 8.1 requires “</span><span style="font-family:"Calibri",sans-serif;color:windowtext">The CA SHALL at all times: 1. Issue Certificates and operate its PKI in accordance with all
law applicable to its business and the Certificates it issues in every jurisdiction in which it operates, ***” and this Sec. 8 provision is just as binding on CAs as BR 7.1.4.2.
<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><u><span style="font-family:"Calibri",sans-serif;color:windowtext">Effect of Current BR 9.16.3<o:p></o:p></span></u></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><u><span style="font-family:"Calibri",sans-serif;color:windowtext"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext">This brings up the provisions of BR 9.16.3.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><b><span style="color:windowtext">9.16.3. Severability<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><u><span style="color:windowtext">If a court or government body with jurisdiction over the activities covered by these Requirements determines that the performance of any mandatory requirement
is illegal</span></u><span style="color:windowtext">, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws
of that jurisdiction. The parties involved SHALL notify the CA / Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Requirements accordingly.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext">Currently, BR 9.16.3 is extremely narrow – it only applies “<u>If a court or government body with jurisdiction over the activities covered by these Requirements determines
that the performance of any mandatory requirement is illegal</u> ***” at which point the BR provision will be “reformed” to make it valid and legal.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext">That will never happen – courts and government bodies won’t spend their time judging whether or not some provision of the BRs is “illegal” – they will simply pass their own
legal requirements that are mandatory on a CA, without commenting on or making any finding on the “legality” of any conflicting BR. So the rest of the sentence, “***
</span><span style="font-family:"Calibri",sans-serif;color:windowtext">then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal” will never happen either.</span><span style="font-family:"Calibri",sans-serif;color:windowtext"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext">Instead, the CA will face two conflicting sets of requirements – the local law, and the BRs. Both requirements have equal strength under the BRs (and in passing the related
audits). I suspect in most or all cases, the CA’s General Counsel will say “follow local law first.”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext">What that means is that in effect BR 9.16.3 will never come up or be relevant, and a CA will never be required under that provision to give notice to the Forum. With your
revisions (which are well worded), the CA will never have to list any “reformed” sections in its CPS because the BR sections will never be considered or reformed by “a court or government body with jurisdiction over the activities covered by these Requirements,”
unless a CA files a lawsuit. In the US, I don’t think the courts would entertain a lawsuit filed by the CA with no other parties involved, saying to the court “please reform this section of the BRs that is in conflict with the local law” – that’s not a function
of the courts, which will just say “Follow the law. You have no standing and no case. Case dismissed.” A CA can ask the government to change the local law so it’s no longer in conflict, but again, BR 9.16.3 would not apply if the law is changed, and no
notice will ever be given to the Forum even with your proposed edits.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext">I think the current BR 9.16.3 was garbled from typical contract language, which usually says (in essence) “If any provision of this contract is in violation with local law,
the offending language shall be deemed reformed in the minimum way possible so it complies with local law.” In other words, contract language always yields to local law, and without filing a court or administrative case. We could take that approach with
the BRs (as the contract that is automatically reformed) if desired. Browsers can always say “That reformed language presents a security risk – I will no longer trust the CA’s roots” if it wants through changes to its root program, as the browsers are not
subject to the BRs.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif;color:windowtext">Alternate Approach<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext">If instead what you are after is a requirement that CAs report to the Forum all
<u>conflicts</u> (including but not limited to local law that makes compliance with a BR “illegal”) between local law and a mandatory BR requirement, then describe what the CA is doing about the conflict and propose possible modifications to the BR in question
to resolve the conflict, that would be easy to draft. And the CA could also be required to include a description of the conflict and how the CA is responding (generally by following local law, I predict) in its CPS at Sec. 9.16.3 - that also would be easy
to draft, and probably useful.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext">We could also make explicit what I said in the previous paragraph – amend the BRs so that if any mandatory BR is in conflict with local law, the BR is modified to the extent
necessary not to be in conflict with local law. In that case, the notice provisions would be very useful to tell users and browsers in what ways (and why) a CA is not complying with the BRs due to local law.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:windowtext">What would you think of this alternate approach to amending BR 9.16.3?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Gervase Markham<br>
<b>Sent:</b> Tuesday, July 19, 2016 5:32 AM<br>
<b>To:</b> CABFPub <public@cabforum.org><br>
<b>Subject:</b> [cabfpub] Reform of section 9.16.3<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><br>
<span style="color:#1F497D">*** </span>This seems like a good moment to revive the reform plan for 9.16.3, the<span style="color:#1F497D">
</span>text of which was helpfully contributed to by several people, including<span style="color:#1F497D">
</span>Kirk.<br>
<br>
The final text we came up with after the last discussion was:<br>
<b><br>
9.16.3. Severability</b> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.5pt">If a court or government body with jurisdiction over the activities covered by these Requirements determines that the performance of any mandatory
requirement is illegal, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties
involved SHALL notify the CA / Browser Forum </span><u><span style="font-size:9.5pt;color:red">by sending a message to <a href="mailto:questions@cabforum.org" target="_blank">questions@cabforum.org</a> explaining</span></u><span style="font-size:9.5pt"> the
facts, circumstances, and law(s) involved, </span><u><span style="font-size:9.5pt;color:red">and receiving confirmation that it has been posted to the Public Mailing List and is indexed in the Public Mail Archives available at
<a href="https://cabforum.org/pipermail/public/" target="_blank">https://cabforum.org/pipermail/public/</a>,</span></u><span style="font-size:9.5pt;color:red"> </span><span style="font-size:9.5pt">so that the CA/Browser Forum may </span><u><span style="font-size:9.5pt;color:red">consider
possible revisions to these</span></u><span style="font-size:9.5pt"> Requirements accordingly.</span><o:p></o:p></p>
<p class="MsoNormal"><u><span style="font-size:9.5pt;color:red">A CA that issues a certificate under a requirement reformed through an action of a court or government body with jurisdiction SHALL list the reformed requirement in Section 9.16.3 of the CA’s CPS
prior to issuing a certificate and include (in Section 9.16.3 of the CA’s CPS) a reference to the law or government order requiring a reformation under this section.</span></u><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
Any more comments before I prepare a ballot?<br>
<br>
Gerv<o:p></o:p></p>
</div>
</body>
</html>