[cabfpub] Misissuance of certificates
sigbjorn at opera.com
Fri Oct 30 08:08:56 MST 2015
Could anyone in the information sharing working group comment if this is
a duplicate effort already covered there, or worthy of a separate ballot?
On 29-Oct-15 08:35, "Barreira Iglesias, Iñigo" wrote:
> It seems to me that this request is one of the aspects the "information sharing" working group is trying to achieve; I don't remember if publicly for the whole world or just for the CABF members.
> Iñigo Barreira
> Responsable del Área técnica
> i-barreira at izenpe.eus
> WARNING! Part or all of this message may be legally protected. The message has its intended recipient. If it has reached the wrong address (address mistyped, transmission failed), notify the sender by replying to this e-mail. CAUTION!
> ATTENTION! This message contains privileged or confidential information which only the addressee is entitled to access. If you have received it in error, we would be grateful if you did not make use of the information and contacted the sender.
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On behalf of Sigbjørn Vik
> Sent: Wednesday, 28 October 2015 16:41
> To: public at cabforum.org
> Subject: [cabfpub] Misissuance of certificates
> It occasionally happens that a CA misissues a certificate. To improve the certificate ecosystem, we would like information about such incidents to be publicly available. This will allow CAs to learn from others' mistakes, increase transparency, and allow users and vendors to take appropriate countermeasures and determine the trustworthiness of CAs. Over time, this might also indirectly result in fewer misissuances.
> Opera proposes adding text like the following to the BRs.
> In the event that a CA issues a certificate in violation of these requirements, the CA SHALL publicly disclose a report within one week of becoming aware of the violation. public at cabforum.org SHALL be informed about the report, and it SHALL include details about what caused the issuance, time of issuance and discovery, as well as the full public certificate. The report SHALL be made available to the CA's Qualified Auditor for the next Audit Report.
> A CA might still prefer to fix their issues silently, without letting the public know that it had misissued certificates. This amendment does not fix that issue directly. If such misissuance were discovered later, either through CT, through the auditor, or otherwise, the CA would be forced to issue full information. This would still be beneficial in itself, and it would incentivize CAs to avoid misissuance, and be open about it should it happen.
> Sigbjørn Vik
> Opera Software
> Public mailing list
> Public at cabforum.org