[cabfpub] Concerns regarding Mozilla Root Program/Baseline Requirements

Sigbjørn Vik sigbjorn at opera.com
Thu Aug 1 08:06:18 UTC 2013


On 31-Jul-13 18:47, Wayne Thayer wrote:

> This issue naturally goes away as these legacy certificates expire,
> and it is not a violation of our policies, nor do I believe is it a
> violation of the BRs.

We believe this is a clear violation of the BR. How fast can you stop
this practice, and revoke any certificates in violation?

On 31-Jul-13 20:40, Ryan Sleevi wrote:
> Wayne,
> 
> I appreciate your reply in explaining this further.
> 
> Please understand our intent is not to single GoDaddy out, but our
> concern remains that this highlights a potentially dangerous
> disagreement upon what "issuance" means. Our concern stems from the
> fact that, in our view, issuance is the practice of signing a
> certificate.

While I agree that the signing in practice counts as the issuance (as
issuance normally happens only seconds afterwards), this is not the
correct definition. Issuance happens when certificates are sent to the
customer[1][2][3]. In particular, this definition stops CAs from signing
certificates before a deadline, selling (issuing) them afterwards, and
claiming governance by the old requirements.

If a single byte of a certificate is different from a previous issue,
then this is a new issue (as the customer did not have access to that
byte sequence beforehand), regardless of the name given to it, new
edition/version/rekey/...

[1] http://www.thefreedictionary.com/issue: "The act of circulating,
distributing, or publishing"
[2] http://www.merriam-webster.com/dictionary/issue: "The act of
publishing or officially giving out or making available"
[3] http://dictionary.reference.com/browse/issue: "The act of sending
out or putting forth"

-- 
Sigbjørn Vik
Opera Software


