[cabfcert_policy] Defining severability exceptions as public

Eric Mill eric at konklone.com
Sun Jan 17 16:06:42 MST 2016


On Mon, Jan 11, 2016 at 6:14 PM, Dean Coclin <Dean_Coclin at symantec.com>
wrote:

> The issue here is similar to what was discussed on our CA/B Forum call
> yesterday about publishing info to the CA/B Forum. The forum was never
> meant to be a repository or notifying body. Our work is to create standards.
>

I do understand these points, but I'm noting this line already in the BRs
about local exceptions:

> The parties involved SHALL notify the CA / Browser Forum of the facts,
> circumstances, and law(s) involved, so that the CA/Browser Forum may revise
> these Requirements accordingly.

So there is some role as a "notifying body". I get the arguments against
using a @cabforum.org email as the canonical mechanism, but I don't think
that should be a blocker.

They already have to notify the CA/B Forum somehow -- my suggestion here is
to add the word "publicly" so that CAs understand that there has to be a
blog post or some other permalink that accompanies the notification. How
that's achieved is less important than the norm that they be public.

> ...and since this rarely occurs, shouldn’t be a burden.

+1

-- Eric


>
> *From:* policyreview-bounces at cabforum.org [mailto:
> policyreview-bounces at cabforum.org] *On Behalf Of *Eric Mill
> *Sent:* Tuesday, January 05, 2016 10:55 AM
> *To:* policyreview at cabforum.org
> *Subject:* Re: [cabfcert_policy] Defining severability exceptions as
> public
>
> No thoughts on this suggestion? For as long as this email was, I am
> suggesting a one-word change to the BRs.
>
> -- Eric
>
> On Fri, Dec 18, 2015 at 1:51 PM, Eric Mill <eric at konklone.com> wrote:
>
> This only came up in passing during yesterday's call, but someone
> mentioned that if a CA necessarily must allow local law to override a
> portion of the Baseline Requirements, it has the obligation to notify the
> CA/B Forum of the details.
>
> This is expressed in the Baseline Requirements under "Severability", at
> the very bottom of the document:
>
> > If a court or government body with jurisdiction over the activities
> > covered by these Requirements determines that the performance of any
> > mandatory requirement is illegal, then such requirement is considered
> > reformed to the minimum extent necessary to make the requirement valid and
> > legal. This applies only to operations or certificate issuances that are
> > subject to the laws of that jurisdiction. The parties involved SHALL notify
> > the CA / Browser Forum of the facts, circumstances, and law(s) involved, so
> > that the CA/Browser Forum may revise these Requirements accordingly.
>
> This generally makes sense, but I have a few questions:
>
> * Has this ever occurred? (One person on the call said never to his
> knowledge.)
>
> * Is there an established path for a CA to report an instance of this to
> the CA/B Forum?
>
> * Should CAs be expected to make the facts and circumstances public
> (potentially just by reporting it to the CA/B Forum's public list)?
>
> My immediate reaction is that since this essentially allows for
> CA-specific exceptions to the Baseline requirements, any exceptions should
> be publicly documented.
>
> What do folks think of adding the word "publicly" to this section? This
> would look like:
>
> > If a court or government body with jurisdiction over the activities
> > covered by these Requirements determines that the performance of any
> > mandatory requirement is illegal, then such requirement is considered
> > reformed to the minimum extent necessary to make the requirement valid and
> > legal. This applies only to operations or certificate issuances that are
> > subject to the laws of that jurisdiction. The parties involved SHALL
> > *publicly* notify the CA / Browser Forum of the facts, circumstances, and
> > law(s) involved, so that the CA/Browser Forum may revise these Requirements
> > accordingly.
>
> Following this could be as simple as having the CA post to the CA/B
> Forum's public list, and the CA/B Forum post the details to a predictable
> location (perhaps a Markdown file in the CABF's GitHub organization, or a
> permalink on cabforum.org).
>
> Since this is a rare event, it shouldn't add any substantial burden to the
> CA or the CABF, but it does ensure that in the event of a CA being forced
> to operate outside of the Baseline Requirements in some defined capacity
> (even if this is a temporary situation as CABF considers updating the BRs),
> this is as public as the Baseline Requirements are themselves.
>
> -- Eric
>
> --
> konklone.com | @konklone <https://twitter.com/konklone>
>
> --
> konklone.com | @konklone <https://twitter.com/konklone>
>



-- 
konklone.com | @konklone <https://twitter.com/konklone>