[cabfcert_policy] Defining severability exceptions as public

Eric Mill eric at konklone.com
Fri Dec 18 11:51:46 MST 2015


This only came up in passing during yesterday's call, but someone mentioned
that if a CA necessarily must allow local law to override a portion of the
Baseline Requirements, it has the obligation to notify the CA/B Forum of
the details.

This is expressed in the Baseline Requirements under "Severability", at the
very bottom of the document:

> If a court or government body with jurisdiction over the activities
> covered by these Requirements determines that the performance of any
> mandatory requirement is illegal, then such requirement is considered
> reformed to the minimum extent necessary to make the requirement valid and
> legal. This applies only to operations or certificate issuances that are
> subject to the laws of that jurisdiction. The parties involved SHALL notify
> the CA / Browser Forum of the facts, circumstances, and law(s) involved, so
> that the CA/Browser Forum may revise these Requirements accordingly.

This generally makes sense, but I have a few questions:

* Has this ever occurred? (One person on the call said never to his
knowledge.)
* Is there an established path for a CA to report an instance of this to
the CA/B Forum?
* Should CAs be expected to make the facts and circumstances public
(potentially just by reporting it to the CA/B Forum's public list)?

My immediate reaction is that since this essentially allows for CA-specific
exceptions to the Baseline Requirements, any exceptions should be publicly
documented.

What do folks think of adding the word "publicly" to this section? This
would look like:

> If a court or government body with jurisdiction over the activities
> covered by these Requirements determines that the performance of any
> mandatory requirement is illegal, then such requirement is considered
> reformed to the minimum extent necessary to make the requirement valid and
> legal. This applies only to operations or certificate issuances that are
> subject to the laws of that jurisdiction. The parties involved SHALL
> *publicly* notify the CA / Browser Forum of the facts, circumstances, and
> law(s) involved, so that the CA/Browser Forum may revise these Requirements
> accordingly.

Following this could be as simple as having the CA post to the CA/B Forum's
public list, and the CA/B Forum post the details to a predictable location
(perhaps a Markdown file in the CABF's GitHub organization, or a permalink
on cabforum.org).

Since this is a rare event, it shouldn't add any substantial burden to the
CA or the CABF, but it does ensure that in the event of a CA being forced
to operate outside of the Baseline Requirements in some defined capacity
(even if this is a temporary situation as CABF considers updating the BRs),
this is as public as the Baseline Requirements are themselves.

-- Eric

-- 
konklone.com | @konklone <https://twitter.com/konklone>