[cabfpub] BRs section 9.16.3 (exception for laws)

Ryan Sleevi sleevi at google.com
Wed Apr 27 17:44:50 UTC 2016


I don't believe your proposal addresses the necessary transparency and
disclosure that the CA ecosystem needs for such matters. Is there a reason
you removed that language, or was it merely an oversight in addressing the
other issue you highlighted?

On Wed, Apr 27, 2016 at 10:40 AM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:

> Some CAs may not “want” to deviate from a requirement but may be forced to
> by regulation. They also won’t “deviate from… these Requirements” because
> the requirements are reformed to the extent necessary to accommodate for
> the law.
> How about:
> *A CA that issues a certificate under a requirement reformed through an
> action of a court or government body with jurisdiction SHALL list the
> reformed requirement in Section 9.16.3 of the CA’s CPS prior to issuing a
> certificate and include (in Section 9.16.3 of the CA’s CPS) a reference to
> the law or government order requiring a reformation under this section.*
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On
> Behalf Of *Gervase Markham
> *Sent:* Wednesday, April 27, 2016 10:38 AM
> *To:* CABFPub <public at cabforum.org>
> *Subject:* [cabfpub] BRs section 9.16.3 (exception for laws)
> Hi everyone,
> At the last CAB Forum meeting, we had a discussion about BRs section
> 9.16.3, and the possibility that it allows CAs to violate the BRs without
> appropriate notification. After the CAB Forum meeting, the following
> amendment (which I have tweaked) was helpfully suggested by one participant
> in the conversation. The aim is to bring transparency, so anyone in
> violation under this clause is at least documented, and we can consider
> revisions to the BRs accordingly.
> What do people think?
> Gerv
> *9.16.3. Severability*
> If a court or government body with jurisdiction over the activities
> covered by these Requirements determines that the performance of any
> mandatory requirement is illegal, then such requirement is considered
> reformed to the minimum extent necessary to make the requirement valid and
> legal. This applies only to operations or certificate issuances that are
> subject to the laws of that jurisdiction. The parties involved SHALL notify
> the CA / Browser Forum *by sending a detailed message to *
> questions at cabforum.org of the facts, circumstances, and law(s) involved, *and
> receiving confirmation of the receipt of the message by the CA/Browser
> Forum,* so that the CA/Browser Forum may *consider possible revisions to
> these* Requirements accordingly.
> *Any CA that wants to deviate from any mandatory requirement of these
> Requirements as written on the basis of this Section 9.16.3 must list all
> such non-conformity (including a reference to the specific Requirement(s)
> subject to deviation) in Section 9.16.3 of the CA’s CPS before deviating
> from the Requirement(s), and include in such disclosure the facts,
> circumstances, and law(s) involved. *