[cabfpub] Misissuance of certificates

Sigbjørn Vik sigbjorn at opera.com
Mon Nov 9 08:38:57 UTC 2015


I'd like to ask for two endorsers for this, to put it through a ballot.
I would go into BR section 2.2.

On 28-Oct-15 16:40, Sigbjørn Vik wrote:
> It occasionally happens that a CA misissues a certificate. To improve
> the certificate ecosystem, we would like information about such
> incidents to be publicly available. This will allow CAs to learn from
> others' mistakes, increase transparency, and allow users and vendors to
> take appropriate countermeasures and determine the trustworthiness of
> CAs. Over time, this might also indirectly result in fewer misissuances.
> Opera proposes adding text like the following to the BRs.
> In the event that a CA issues a certificate in violation of these
> requirements, the CA SHALL publicly disclose a report within one week of
> becoming aware of the violation. public at cabforum.org SHALL be informed
> about the report, and it SHALL include details about what caused the
> issuance, time of issuance and discovery, as well as the full public
> certificate. The report SHALL be made available to the CA's Qualified
> Auditor for the next Audit Report.
> A CA might still prefer to fix their issues silently, without letting
> the public know that it had misissued certificates. This amendment does
> not fix that issue directly. If such misissuance were discovered later,
> either through CT, through the auditor, or otherwise, the CA would be
> forced to issue full information. This would still be beneficial in
> itself, and it would incentivize CAs to avoid misissuance, and be open
> about it should it happen.

Sigbjørn Vik
Opera Software
