[cabfpub] Misissuance of certificates

Sigbjørn Vik sigbjorn at opera.com
Mon Dec 21 05:11:48 MST 2015


On 18-Dec-15 17:50, Ryan Sleevi wrote:
> Sigbjorn,
> 
> Would you be willing to tweak the legacy non-disclosure such that,
> rather than allowing the subject DN and SANs to NOT be disclosed,
> instead the requirement is that the DN and SANs MUST be disclosed, but
> may be truncated to the portion of registerable domain name?
> 
> This would permit the presumed usecase of protecting
> foo.corp.example.com, while still
> requiring, at a minimum, that example.com be disclosed.

No objections from me. The ballot would then look like the following.
(Only change is in the second-to-last paragraph.)

2.2.1 Information of incorrect issuance

In the event that a CA issues a certificate in violation of these
requirements, the CA SHALL publicly disclose a report within one week of
becoming aware of the violation.

public at cabforum.org SHALL be informed about the report. If the CA cannot
post directly, it SHALL inform the CA/B Forum chair, who SHALL inform the
list.

The report SHALL publicize details about what the error was, what caused
the error, time of issuance and discovery, and public certificates for
all issuer certificates in the trust chain.

The report SHALL publicize the full public certificate, with the
following exception: For certificates issued prior to 01-Mar-16 the
report MAY truncate Subject Distinguished Name fields and subjectAltName
extension values to the registerable domain name.

The report SHALL be made available to the CA's Qualified Auditor for the
next Audit Report.

> On Dec 18, 2015 6:07 AM, "Sigbjørn Vik" <sigbjorn at opera.com> wrote:
> 
>     Hi,
> 
>     The discussion on this topic seems to have died down, I hope that means
>     we can proceed to a ballot. Anyone willing to endorse?
> 
>     The suggested exception for constrained intermediates did not seem to
>     solve the problem it was intended to solve, and nobody spoke up for it,
>     so I have removed it. The text would then be:
> 
> 
>     2.2.1 Information of incorrect issuance
> 
>     In the event that a CA issues a certificate in violation of these
>     requirements, the CA SHALL publicly disclose a report within one week of
>     becoming aware of the violation.
> 
>     public at cabforum.org SHALL be informed about the report. If the CA cannot
>     post directly, it SHALL inform the CA/B Forum chair, who SHALL inform the
>     list.
> 
>     The report SHALL publicize details about what the error was, what caused
>     the error, time of issuance and discovery, and public certificates for
>     all issuer certificates in the trust chain.
> 
>     The report SHALL publicize the full public certificate, with the
>     following exception: For certificates issued prior to 01-Mar-16 the
>     report MAY leave out Subject Distinguished Name fields and
>     subjectAltName extension values.
> 
>     The report SHALL be made available to the CA's Qualified Auditor for the
>     next Audit Report.
> 
>     --
>     Sigbjørn Vik
>     Opera Software


-- 
Sigbjørn Vik
Opera Software
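For anyone preparing such a report, the following Python is an added example of the truncation rule in the second-to-last paragraph of the ballot text; it is not code from this thread or from the CA/B Forum. It assumes the certificate has already been parsed into plain Python values (subject as attribute/value pairs, SANs as type/value pairs), that only the Subject CN and dNSName SANs carry host names, and that a small constructed subset of the Public Suffix List stands in for the real one.

```python
"""Truncate a misissued certificate's name fields to the registerable domain.

Added example for the disclosure-report text in this thread; not CA/B Forum
code. Assumptions: the certificate is already parsed into plain Python
values, only the Subject CN and dNSName SANs carry host names, and a small
constructed subset of the Public Suffix List stands in for the real one.
"""
from datetime import date

# Constructed subset of the Public Suffix List (https://publicsuffix.org/),
# just enough for the sample below. A real report would load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

# Cut-off taken from the ballot text: truncation is only permitted for
# certificates issued before this date.
TRUNCATION_CUTOFF = date(2016, 3, 1)


def may_truncate(issued_on: date) -> bool:
    """True if the ballot's legacy exception applies to this issuance date."""
    return issued_on < TRUNCATION_CUTOFF


def registerable_domain(name: str) -> str:
    """Return the registerable domain (public suffix plus one label) of a DNS name.

    A leading wildcard label is dropped first. A name that is itself a public
    suffix, or whose suffix is not in the list, is returned normalised but
    otherwise unchanged, so the caller can see that nothing was removed.
    """
    labels = name.strip().lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    # Walk from the longest candidate suffix to the shortest; the first hit is
    # the longest known public suffix, and one more label gives the
    # registerable domain.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def truncate_for_report(cert: dict) -> dict:
    """Apply the ballot's truncation to a parsed certificate.

    cert = {"subject": [(attr, value), ...], "sans": [(type, value), ...]}
    Only the CN attribute and dNSName SANs are truncated; other subject
    attributes and SAN types (e.g. iPAddress) have no registerable domain and
    are passed through unchanged. Duplicates produced by truncation are
    collapsed so the report does not reveal how many host names shared a domain.
    """
    subject = [(attr, registerable_domain(val) if attr == "CN" else val)
               for attr, val in cert["subject"]]
    seen, sans = set(), []
    for kind, val in cert["sans"]:
        entry = (kind, registerable_domain(val) if kind == "dNSName" else val)
        if entry not in seen:
            seen.add(entry)
            sans.append(entry)
    return {"subject": subject, "sans": sans}


# Constructed sample: a pre-cut-off certificate carrying internal host names.
SAMPLE_CERT = {
    "issued_on": date(2015, 11, 3),
    "subject": [("C", "NO"), ("O", "Example AS"), ("CN", "foo.corp.example.com")],
    "sans": [
        ("dNSName", "foo.corp.example.com"),
        ("dNSName", "bar.corp.example.com"),
        ("dNSName", "*.intranet.example.co.uk"),
        ("iPAddress", "192.0.2.10"),
    ],
}

if __name__ == "__main__":
    if may_truncate(SAMPLE_CERT["issued_on"]):
        print(truncate_for_report(SAMPLE_CERT))
    else:
        print("Issued on or after 01-Mar-16: the full certificate must be published")
```

Note that a name whose suffix is unknown (an internal TLD, for instance) comes back untouched rather than silently shortened, which is the safer failure for a redaction step: the person writing the report sees exactly what would be published and can decide whether the legacy exception even applies.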