[cabfcert_policy] Defining severability exceptions as public

Dean Coclin Dean_Coclin at symantec.com
Mon Jan 11 16:14:29 MST 2016


I’m not aware of this disclosure ever occurring but you never know. I recall Netcraft finding an EV cert that didn’t conform to the BRs but when I asked the European CA about it they said they were complying with local laws. 

 

The issue here is similar to what was discussed on our CA/B Forum call yesterday about publishing info to the CA/B Forum. The forum was never meant to be a repository or notifying body. Our work is to create standards. We had a similar conversation in the code signing working group about being a repository for known bad actors but it was decided that the forum isn’t in the repository business. I think this is an ongoing discussion and will be reflected in the public minutes of the call after they are approved.

 

Also, CAs that aren’t CA/B Forum members (and there are a lot of them) can’t post to the public list. Sure, we can do the “re-posting” thing on their behalf if they send to the publicly accessible questions list, and since this rarely occurs, it shouldn’t be a burden.

 

From: policyreview-bounces at cabforum.org [mailto:policyreview-bounces at cabforum.org] On Behalf Of Eric Mill
Sent: Tuesday, January 05, 2016 10:55 AM
To: policyreview at cabforum.org
Subject: Re: [cabfcert_policy] Defining severability exceptions as public

 

No thoughts on this suggestion? For as long as this email was, I am suggesting a one-word change to the BRs.

 

-- Eric

 

On Fri, Dec 18, 2015 at 1:51 PM, Eric Mill <eric at konklone.com <mailto:eric at konklone.com> > wrote:

This only came up in passing during yesterday's call, but someone mentioned that if a CA necessarily must allow local law to override a portion of the Baseline Requirements, it has the obligation to notify the CA/B Forum of the details.

 

This is expressed in the Baseline Requirements under "Severability", at the very bottom of the document:

 

> If a court or government body with jurisdiction over the activities covered by these Requirements determines that the performance of any mandatory requirement is illegal, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties involved SHALL notify the CA / Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Requirements accordingly. 


 

This generally makes sense, but I have a few questions:

 

* Has this ever occurred? (One person on the call said never to his knowledge.)

* Is there an established path for a CA to report an instance of this to the CA/B Forum?

* Should CAs be expected to make the facts and circumstances public (potentially just by reporting it to the CA/B Forum's public list)?

 

My immediate reaction is that since this essentially allows for CA-specific exceptions to the Baseline requirements, any exceptions should be publicly documented.

 

What do folks think of adding the word "publicly" to this section? This would look like:

 

> If a court or government body with jurisdiction over the activities covered by these Requirements determines that the performance of any mandatory requirement is illegal, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties involved SHALL publicly notify the CA / Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Requirements accordingly.

 

Following this could be as simple as having the CA post to the CA/B Forum's public list, and the CA/B Forum post the details to a predictable location (perhaps a Markdown file in the CABF's GitHub organization, or a permalink on cabforum.org <http://cabforum.org> ).

 

Since this is a rare event, it shouldn't add any substantial burden to the CA or the CABF, but it does ensure that in the event of a CA being forced to operate outside of the Baseline Requirements in some defined capacity (even if this is a temporary situation as CABF considers updating the BRs), this is as public as the Baseline Requirements are themselves.

 

-- Eric

 

-- 

konklone.com <https://konklone.com>  | @konklone <https://twitter.com/konklone> 





 

-- 

konklone.com <https://konklone.com>  | @konklone <https://twitter.com/konklone> 
