[cabfpub] Misissuance of certificates

Ryan Sleevi sleevi at google.com
Tue Nov 10 03:44:19 UTC 2015

On Mon, Nov 9, 2015 at 8:42 AM, Doug Beattie <doug.beattie at globalsign.com>

> Ryan,
> I’m not following your statement that “If a cert transitively chains to a
> publicly trusted root, it should be public, technically constrained
> subordinate CA notwithstanding.”
> Mozilla requires the CA certificates to be publically disclosed, but I
> haven’t found anything saying that all SSL certificates under a CA
> (technically constrained or not) need to be publically disclosed.  Audited,
> yes.  Did I miss something in one of the Root policies or the BRs that says
> all SSL certificates need to be publically disclosed?
> Doug


I wasn't trying to suggest that all certificates MUST be disclosed - but
simply that 'privacy' is simply not an acceptable answer for a publicly
trusted CA, especially in the event of a misissuance event. That is, a CA
should reasonably expect that they MUST disclose the full contents of all
certificates, and the failure to do so is a serious red flag that will be
prevented in future root policy updates.

When a CA fails to abide by their stated policies, or the Baseline
Requirements and EV Guidelines, it seriously calls into question their
credibility for explaining events. Having a public examination of the
certificates issued ensures that interested parties can, for example, look
for other certificates that demonstrate the same patterns of misissuance,
which might call into question the very nature of the reported scope.

At question here is whether or not it's reasonable to 'not disclose' some
leaf certificates, and while Phil raises some very interesting points to be
responded to separately, the argument of "It's publicly trusted, but can't
be publicly disclosed" is simply without strong merit.

This differs from the obligation to proactively disclose intermediates, but
both are contextually relevant in that "chaining to a publicly trusted root
makes them a matter of public interest" - especially if misissued.

Does that make more sense?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151109/b5220118/attachment-0003.html>

More information about the Public mailing list