[cabfpub] Misissuance of certificates

Sigbjørn Vik sigbjorn at opera.com
Wed Oct 28 15:40:54 UTC 2015

It occasionally happens that a CA misissues a certificate. To improve
the certificate ecosystem, we would like information about such
incidents to be publicly available. This will allow CAs to learn from
others' mistakes, increase transparency, and allow users and vendors to
take appropriate countermeasures and determine the trustworthiness of
CAs. Over time, this might also indirectly result in fewer misissuances.

Opera proposes adding text like the following to the BRs.

In the event that a CA issues a certificate in violation of these
requirements, the CA SHALL publicly disclose a report within one week of
becoming aware of the violation. public at cabforum.org SHALL be informed
about the report, and it SHALL include details about what caused the
issuance, time of issuance and discovery, as well as the full public
certificate. The report SHALL be made available to the CA's Qualified
Auditor for the next Audit Report.

A CA might still prefer to fix their issues silently, without letting
the public know that it had misissued certificates. This amendment does
not fix that issue directly. If such misissuance were discovered later,
either through CT, through the auditor, or otherwise, the CA would be
forced to issue full information. This would still be beneficial in
itself, and it would incentivize CAs to avoid misissuance, and be open
about it should it happen.

Sigbjørn Vik
Opera Software