<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Cambria">+1.<br>
<br>
Thanks,<br>
M.D.<br>
</font><br>
<div class="moz-cite-prefix">On 3/6/2017 8:37 AM, Kirk Hall via
Public wrote:<br>
</div>
<blockquote
cite="mid:9df01c33fe8142e885a8726e2dcb8287@PMSPEX04.corporate.datacard.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I
disagree.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">BR
9.16.3 was intended to let applicable law supersede the BRs
(of course), and therefore the WebTrust / ETSI audit
standards for the BRs as well, so that a CA that is
following applicable law (which we all must do) will NOT
receive a qualified audit, so long as the CA calls out the
divergence from the BRs due to applicable law – that’s the
point of BR 9.16.3. The resulting audit (so long as it
notes this divergence due to local law) should be
unqualified, not qualified. In my opinion, any other
interpretation is dead wrong.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Take
a look at all of our Terms of Service / User Agreements,
etc. They typically say that in the event of a conflict
between local law and the terms of our agreement, local law
will prevail (i.e., the agreement will be modified to the
minimum extent necessary to comply with local law). If you
don’t believe me, please consult with your own legal
departments to confirm.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The
same should apply to the BRs and the WebTrust / ETSI BR
requirements – they must be reformed (waived, modified) to
the extent necessary to comply with local law, so long as
the modification is called out to the public. Anything else
is picking a fight with governments for no good reason.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Why
don’t we ask the WebTrust / ETSI auditors how they recommend
we deal with conflicts between the BRs and applicable law?
They are the experts on audit processes – not the rest of
us.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
Ryan Sleevi [<a class="moz-txt-link-freetext" href="mailto:sleevi@google.com">mailto:sleevi@google.com</a>]
<br>
<b>Sent:</b> Sunday, March 5, 2017 6:08 PM<br>
<b>To:</b> CA/Browser Forum Public Discussion List
<a class="moz-txt-link-rfc2396E" href="mailto:public@cabforum.org"><public@cabforum.org></a><br>
<b>Cc:</b> Peter Bowen <a class="moz-txt-link-rfc2396E" href="mailto:pzb@amzn.com"><pzb@amzn.com></a>; Kirk Hall
<a class="moz-txt-link-rfc2396E" href="mailto:Kirk.Hall@entrustdatacard.com"><Kirk.Hall@entrustdatacard.com></a><br>
<b>Subject:</b> Re: [cabfpub] Naming rules<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Sun, Mar 5, 2017 at 5:18 PM, Kirk
Hall via Public <<a moz-do-not-send="true"
href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>>
wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal">+1. Seems like a good resolution
to me - full disclosure to users and browsers,
deference to local law where applicable as provided in
BR 9.16.3 (local users are probably already used to
any local customs on naming rules), and avoids the
need for the Forum to try to understand and
approve/disapprove local naming rules one by one.
Allows auditors to complete successful audits with
disclosure, and the trust list maintainers receive
notice and can make their own decisions.<o:p></o:p></p>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I think it's worth pointing out,
again, that deference to local law, as you suggested,
only applies in exceptionally limited cases - and on
the basis of the provided evidence, does not apply.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I think this is crucial for the
Forum's members - and auditors who may be following -
to understand and appreciate. <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>