[cabfpub] FW: Bylaw update proposal

Ryan Sleevi sleevi at google.com
Tue Mar 24 08:39:56 MST 2015


From Peter
On Mar 23, 2015 10:29 PM, "Peter Bowen" <pzbowen at gmail.com> wrote:

> On Mon, Mar 23, 2015 at 10:21 PM, Ryan Sleevi <sleevi at google.com> wrote:
> > On Mar 23, 2015 10:09 PM, "kirk_hall at trendmicro.com"
> > <kirk_hall at trendmicro.com> wrote:
> >> That’s a question for the browsers – Browsers, what do you say?
> >
> > I'm not sure why this is a question for browsers - audit scope is audit
> > scope. Some CAs include subordinate CAs in scope of their own audits - such
> > as when they control and operate the infrastructure - other CAs don't.
> >
> > Mozilla Root Inclusion Policy (Sections 8 and 10) requires that unconstrained
> > subordinate CAs be disclosed and audited. Mozilla CA communications from May
> > 2014 [1] affirmed this.
> >
> > I would expect that all of the CAs fall in one of the two buckets, and it's
> > up to their issuer to decide.
> >
> > From the point of view of program operation, it does not make a difference
> > whether or not that subordinate is operated by a third party - have audit
> > and fill out the form, will travel.
>
> Here are two examples of CAs that are not Root CAs in any browser, and
> have issued multiple certificates according to CT logs:
>
> Unisys: http://uispki.unisys.com/rep/ (Current WebTrust for CA and BR
> linked at the bottom of the page)
>
> SSL.com: https://secure.comodo.com/products/publiclyDisclosedSubCACerts
> - serial 1100C5BF2758C19969FC68ED729DFCD7 (Audit info at top of page)
>
> (apologies for picking on both of these, but they were easy to find)
>
> Both are welcome to join and vote?
>
> Thanks,
> Peter
>