[cabfpub] Misissuance of certificates

Dean Coclin Dean_Coclin at symantec.com
Mon Nov 9 13:29:42 UTC 2015


You made a statement in another email which, if I'm remembering correctly, said something like this: If a cert is issued from a public root, for public domains, for use by the public, then its contents are automatically public.

Is this based on:
1. An authoritative definition? (if so, please cite a reference)
2. A commonly held belief?
3. Your own interpretation?

Also, I think Inigo raised some privacy concerns that may make the above a violation of local laws. Your text below doesn't address that. That may be problematic for a 1 week timeline, especially if there are many domain owners that need to be consulted. 

Are you saying that any cert not in compliance with the BRs constitutes misissuance?

In the future, when name redaction is allowed for OV/DV, publishing the full certificate negates the value of name redaction. So for example, consider a case where the cert was issued to the right recipient, but the misissuance was the addition of a misleading OU field, or a "MUST INCLUDE" extension is omitted. The proposal would force CAs to reveal the redacted names.

I think we need to nail down some of this before proceeding to a ballot.


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Sigbjørn Vik
Sent: Monday, November 09, 2015 3:39 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates


I'd like to ask for two endorsers for this, to put it through a ballot.
I would go into BR section 2.2.

On 28-Oct-15 16:40, Sigbjørn Vik wrote:
> It occasionally happens that a CA misissues a certificate. To improve 
> the certificate ecosystem, we would like information about such 
> incidents to be publicly available. This will allow CAs to learn from 
> others' mistakes, increase transparency, and allow users and vendors 
> to take appropriate countermeasures and determine the trustworthiness 
> of CAs. Over time, this might also indirectly result in fewer misissuances.
> Opera proposes adding text like the following to the BRs.
> In the event that a CA issues a certificate in violation of these 
> requirements, the CA SHALL publicly disclose a report within one week 
> of becoming aware of the violation. public at cabforum.org SHALL be 
> informed about the report, and it SHALL include details about what 
> caused the issuance, time of issuance and discovery, as well as the 
> full public certificate. The report SHALL be made available to the CA's 
> Qualified Auditor for the next Audit Report.
> A CA might still prefer to fix their issues silently, without letting 
> the public know that it had misissued certificates. This amendment 
> does not fix that issue directly. If such misissuance were discovered 
> later, either through CT, through the auditor, or otherwise, the CA 
> would be forced to issue full information. This would still be 
> beneficial in itself, and it would incentivize CAs to avoid 
> misissuance, and be open about it should it happen.

Sigbjørn Vik
Opera Software