[cabfpub] [CABFORUM] Re: Bylaw update proposal

Tim Hollebeek THollebeek at trustwave.com
Mon Mar 23 17:25:31 UTC 2015


Peter's right.  The proposed language, read literally, would allow a CA to point to a publicly accessible test page as proof.  I don't think that's what we want.

-Tim

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Dean Coclin
Sent: Monday, March 23, 2015 1:22 PM
To: Peter Bowen; Ryan Sleevi
Cc: public at cabforum.org
Subject: Re: [cabfpub] [CABFORUM] Re: Bylaw update proposal

Peter,
We're not looking for the candidate CA to provide test web pages. We're looking for actual company URLs that they've provided SSL certificates to. This is to prove that they "actively issue certificates to web servers that are openly accessible from the Internet..."



Dean

-----Original Message-----
From: Peter Bowen [mailto:pzbowen at gmail.com]
Sent: Monday, March 23, 2015 1:06 PM
To: Dean Coclin; Ryan Sleevi
Cc: public at cabforum.org
Subject: [CABFORUM] Re: [cabfpub] Bylaw update proposal

On Mon, Mar 23, 2015 at 8:27 AM, Dean Coclin <Dean_Coclin at symantec.com> wrote:
> I would like to propose a slight update to the bylaws to reflect our
> membership requirements. Section 2.1, part (b) talks about what
> applicants need to provide when requesting membership. As you know,
> one of the requirements in section (a) is that if a CA, they
> “…actively issue certificates to Web servers that are openly
> accessible from the Internet using any of the mainstream browsers”
> (Ref 2.1 (a) (1+2))
>
> ADD:
>
> “(7) For Issuing and Root CA applicants, provide a URL of at least one
> website visible on the public Internet which contains an SSL
> certificate issued by your Issuing CA.”
>
>
>
> Before I make this a ballot, are there any questions or objections to
> this clarification?

How about aligning this with the BR Appendix C and saying:

(7) For CA applications, provide URLs for your test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, this includes separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired.

Appendix C is normative, so each CA company should be able to provide at least three URLs.

Thanks,
Peter
