[cabfpub] Misissuance of certificates

Sigbjørn Vik sigbjorn at opera.com
Mon Nov 2 09:49:56 UTC 2015

On 02-Nov-15 10:07, "Barreira Iglesias, Iñigo" wrote:

> As said, it seems that is only for CABF members and not publicly available as Siggy suggests. And I don't know exactly what you can make publicly available without legal validation in terms of data protection law, i.e., giving names of people affected.

The topic is certificates issued by public roots, for public domains,
intended to be publicly available. The details might already be
available in e.g. a CT pre-cert. If a CA accidentally puts private
information in there, the public ought to be told about it, so the real
risks to the public may be disclosed.

If there is a concern that giving details might violate local laws, a
provision for that would be possible to carve out. E.g. something like
the following instead:
* Get a written receipt of full disclosure from the individuals affected
* Get an auditor's report that the individuals have been notified
* Get an auditor's report on what disclosure would violate local laws
* Publicly release all the remaining information with anonymized private
information, as well as the report(s)
For previously released information (CT pre-cert), this would likely not
apply. Most data protection laws are about privacy, and privacy, by
definition, does not apply to companies, so this would not apply to the
majority of cases. Non-logged EV certs to individuals might be relevant.

I don't think such a provision is needed though. If disclosure were to
be illegal, by doing the above and notifying root stores, the CA would
still be able to negotiate further inclusion of their root. The goal of
this language is to make failures more transparent, by disincentivizing
CAs from keeping things secret. Forcing a CA not to comply with the BRs
a second time (the misissuance was the first) to keep details secret, is
in line with that goal.

> -----Original Message-----
> From: Dean Coclin [mailto:Dean_Coclin at symantec.com]
> Sent: Friday, 30 October 2015 19:47
> To: Sigbjørn Vik; Barreira Iglesias, Iñigo; public at cabforum.org
> Subject: RE: [cabfpub] Misissuance of certificates
> I don't believe the ISWG is doing anything specific to this, Ben?
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Sigbjørn Vik
> Sent: Friday, October 30, 2015 11:09 AM
> To: Barreira Iglesias, Iñigo; public at cabforum.org
> Subject: Re: [cabfpub] Misissuance of certificates
> Could anyone in the information sharing working group comment if this is a duplicate effort already covered there, or worthy of a separate ballot?
> On 29-Oct-15 08:35, "Barreira Iglesias, Iñigo" wrote:
>> Hi,
>> It seems to me that this request is one of the aspects the "information sharing" working group is trying to achieve, I don't remember if publicly for the whole world or just for the CABF members.
>> Iñigo Barreira
>> Head of the Technical Area
>> i-barreira at izenpe.eus
>> 945067705
>> -----Original Message-----
>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Sigbjørn Vik
>> Sent: Wednesday, 28 October 2015 16:41
>> To: public at cabforum.org
>> Subject: [cabfpub] Misissuance of certificates
>> It occasionally happens that a CA misissues a certificate. To improve the certificate ecosystem, we would like information about such incidents to be publicly available. This will allow CAs to learn from others' mistakes, increase transparency, and allow users and vendors to take appropriate countermeasures and determine the trustworthiness of CAs. Over time, this might also indirectly result in fewer misissuances.
>> Opera proposes adding text like the following to the BRs.
>> In the event that a CA issues a certificate in violation of these requirements, the CA SHALL publicly disclose a report within one week of becoming aware of the violation. public at cabforum.org SHALL be informed about the report, and it SHALL include details about what caused the issuance, time of issuance and discovery, as well as the full public certificate. The report SHALL be made available to the CA's Qualified Auditor for the next Audit Report.
>> A CA might still prefer to fix their issues silently, without letting the public know that it had misissued certificates. This amendment does not fix that issue directly. If such misissuance were discovered later, either through CT, through the auditor, or otherwise, the CA would be forced to issue full information. This would still be beneficial in itself, and it would incentivize CAs to avoid misissuance, and be open about it should it happen.
>> --
>> Sigbjørn Vik
>> Opera Software
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
> --
> Sigbjørn Vik
> Opera Software

Sigbjørn Vik
Opera Software
