[cabfpub] Misissuance of certificates

Sigbjørn Vik sigbjorn at opera.com
Wed Oct 28 15:56:59 UTC 2015


On 28-Oct-15 16:47, Gervase Markham wrote:
> On 28/10/15 15:40, Sigbjørn Vik wrote:
>> A CA might still prefer to fix their issues silently, without letting
>> the public know that it had misissued certificates. This amendment does
>> not fix that issue directly.
> 
> Why not? Presumably silently fixing an issue in this way would now be a
> BR violation, which would lead to a failed audit?

If an audit discovered that the CA misissued AND discovered that fact,
then the audit would fail. It might be possible to claim that the
misissuance was never discovered though.
The proposed text helps, but does not completely resolve this issue.

>> If such misissuance were discovered later,
>> either through CT, through the auditor, or otherwise, the CA would be
>> forced to issue full information. 
> 
> By what mechanism? Your proposed text doesn't seem to cover this case.

Within one week of discovery, the CA must issue the report. A CA might
not have discovered the issue before, but once made aware of it, they
have one week to go public. If discovered by CT (aka the public), the
public would know if the CA complies, and if discovered by the auditor,
the auditor would know if the CA complies.

-- 
Sigbjørn Vik
Opera Software