[cabfpub] BRs section 9.16.3 (exception for laws)

Wed Apr 27 17:33:20 UTC 2016

Gerv,

Putting on my "How might I look for loopholes in this language", it's
possible to conceive of an evil insider/collaborator attack (whether
malicious, state sponsored, accidental, or otherwise) with respect to the
"receiving confirmation of the receipt of the message" portion.

Perhaps this is over-thinking it, but how would you feel about "receiving
confirmation that it has been posted to the Public Mailing List and is
indexed in the Public Mail Archives available at
https://cabforum.org/pipermail/public/ , so that ..."

This accomplishes several things:
1) It ensures that such disclosures, if any, receive public attention,
rather than just the CA/Browser Forum's internal lists and membership
2) It moves from "receiving confirmation" (which can be interpreted as,
say, the next-hop SMTP server acknowledging receipt, but never forwarding
to the CA/B Forum list) into something that can be objectively quantified
over a secured medium (assuming a certificate for cabforum.org is not
misissued)
3) It removes ambiguity as to who is responsible to confirm (can the member
themselves confirm, if they are a member? Does the Chair confirm? Does the
questions answerer confirm?)
4) It allows the flexibility for the member to themselves forward from the
questions@ list to the public list, reducing the latency involved and
giving greater flexibility, while still accomplishing the necessary
transparency goal

I realize this is fairly pedantic, but certainly, transparency and
robustness seem useful, and it doesn't seem significantly more onerous.
What do you think?

On Wed, Apr 27, 2016 at 9:38 AM, Gervase Markham <gerv at mozilla.org> wrote:

> Hi everyone,
>
> At the last CAB Forum meeting, we had a discussion about BRs section
> 9.16.3, and the possibility that it allows CAs to violate the BRs without
> appropriate notification. After the CAB Forum meeting, the following
> amendment (which I have tweaked) was helpfully suggested by one participant
> in the conversation The aim is to bring transparency, so anyone in
> violation under this clause is at least documented, and we can consider
> revisions to the BRs accordingly.
>
> What do people think?
>
> Gerv
>
>
> *9.16.3. Severability*
>
> If a court or government body with jurisdiction over the activities
> covered by these Requirements determines that the performance of any
> mandatory requirement is illegal, then such requirement is considered
> reformed to the minimum extent necessary to make the requirement valid and
> legal. This applies only to operations or certificate issuances that are
> subject to the laws of that jurisdiction. The parties involved SHALL notify
> the CA / Browser Forum *by sending a detailed message to
> questions at cabforum.org <questions at cabforum.org> *of the facts,
> circumstances, and law(s) involved, *and receiving confirmation of the
> receipt of the message by the CA/Browser Forum,* so that the CA/Browser
> Forum may *consider possible revisions to these* Requirements accordingly.
> *Any CA that wants to deviate from any mandatory requirement of these
> Requirements as written on the basis of this Section 9.16.3 must list all
> such non-conformity (including a reference to the specific Requirement(s)
> subject to deviation) in Section 9.16.3 of the CA’s CPS before deviating
> from the Requirement(s), and include in such disclosure the facts,
> circumstances, and law(s) involved. *
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160427/68bc747e/attachment-0003.html>