[cabfcert_policy] Defining severability exceptions as public

Eric Mill eric at konklone.com
Tue Jan 5 08:54:41 MST 2016


No thoughts on this suggestion? For as long as this email was, I am
suggesting a one-word change to the BRs.

-- Eric

On Fri, Dec 18, 2015 at 1:51 PM, Eric Mill <eric at konklone.com> wrote:

> This only came up in passing during yesterday's call, but someone
> mentioned that if a CA necessarily must allow local law to override a
> portion of the Baseline Requirements, it has the obligation to notify the
> CA/B Forum of the details.
>
> This is expressed in the Baseline Requirements under "Severability", at
> the very bottom of the document:
>
> > If a court or government body with jurisdiction over the activities
> covered by these Requirements determines that the performance of any
> mandatory requirement is illegal, then such requirement is considered
> reformed to the minimum extent necessary to make the requirement valid and
> legal. This applies only to operations or certificate issuances that are
> subject to the laws of that jurisdiction. The parties involved SHALL notify
> the CA / Browser Forum of the facts, circumstances, and law(s) involved, so
> that the CA/Browser Forum may revise these Requirements accordingly.
>
> This generally makes sense, but I have a few questions:
>
> * Has this ever occurred? (One person on the call said never to his
> knowledge.)
> * Is there an established path for a CA to report an instance of this to
> the CA/B Forum?
> * Should CAs be expected to make the facts and circumstances public
> (potentially just by reporting it to the CA/B Forum's public list)?
>
> My immediate reaction is that since this essentially allows for
> CA-specific exceptions to the Baseline requirements, any exceptions should
> be publicly documented.
>
> What do folks think of adding the word "publicly" to this section? This
> would look like:
>
> > If a court or government body with jurisdiction over the activities
> covered by these Requirements determines that the performance of any
> mandatory requirement is illegal, then such requirement is considered
> reformed to the minimum extent necessary to make the requirement valid and
> legal. This applies only to operations or certificate issuances that are
> subject to the laws of that jurisdiction. The parties involved SHALL
> *publicly* notify the CA / Browser Forum of the facts, circumstances, and
> law(s) involved, so that the CA/Browser Forum may revise these Requirements
> accordingly.
>
> Following this could be as simple as having the CA post to the CA/B
> Forum's public list, and the CA/B Forum post the details to a predictable
> location (perhaps a Markdown file in the CABF's GitHub organization, or a
> permalink on cabforum.org).
>
> Since this is a rare event, it shouldn't add any substantial burden to the
> CA or the CABF, but it does ensure that in the event of a CA being forced
> to operate outside of the Baseline Requirements in some defined capacity
> (even if this is a temporary situation as CABF considers updating the BRs),
> this is as public as the Baseline Requirements are themselves.
>
> -- Eric
>
> --
> konklone.com | @konklone <https://twitter.com/konklone>
>



-- 
konklone.com | @konklone <https://twitter.com/konklone>