[cabfpub] BRs section 9.16.3 (exception for laws)

Thu Apr 28 12:14:51 UTC 2016

To link the threads, I brought this issue up on the Policy WG list in
December with a much tinier (and less robust) proposed fix:
https://cabforum.org/pipermail/policyreview/2015-December/000188.html

And Dean kindly added some context:
https://cabforum.org/pipermail/policyreview/2016-January/000190.html

I definitely read 9.16.3 not so much as addressing targeted government
interference (which, as Jeremy notes, there's nothing CAB can do about if
the government is serious about keeping such interference secret), but
addressing requirements of local law which thoughtlessly (or deliberately)
conflict with CAB requirements.

Jeremy's and Ryan's points are both solid. Combining them leads to this
proposed change:

*9.16.3. Severability*

If a court or government body with jurisdiction over the activities covered
by these Requirements determines that the performance of any mandatory
requirement is illegal, then such requirement is considered reformed to the
minimum extent necessary to make the requirement valid and legal. This
applies only to operations or certificate issuances that are subject to the
laws of that jurisdiction. The parties involved SHALL notify the CA /
Browser Forum *by sending a detailed message to questions at cabforum.org
<questions at cabforum.org> *of the facts, circumstances, and law(s)
involved, *and
receiving confirmation that it has been posted to the Public Mailing List
and is indexed in the Public Mail Archives available at
https://cabforum.org/pipermail/public/
<https://cabforum.org/pipermail/public/>,* so that the CA/Browser
Forum may *consider
possible revisions to these* Requirements accordingly.
*A CA that issues a certificate under a requirement reformed through an
action of a court or government body with jurisdiction SHALL list the
reformed requirement in Section 9.16.3 of the CA’s CPS prior to issuing a
certificate and include (in Section 9.16.3 of the CA’s CPS) a reference to
the law or government order requiring a reformation under this section.*

(Adding some text here so those using Gmail don't get an email truncated at
the wrong place.)

On Wed, Apr 27, 2016 at 5:11 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> There is nothing policy-wise that the CAB forum can do about a gag order
> (which is why CT and gossiping is fundamentally necessary). However, I
> don’t think most govs intentionally enact contradictory requirements.
> Instead, they enact policies globally applicable without awareness of ore
> regards to any standards body like the CAB Forum. This change (along with
> the existing language) will allow the CAB Forum and relying parties to
> identify unintentional conflicts without having the entire document voided
> by a government ruling.
>
>
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On
> Behalf Of *Rich Smith
> *Sent:* Wednesday, April 27, 2016 1:31 PM
> *To:* public at cabforum.org
> *Subject:* Re: [cabfpub] BRs section 9.16.3 (exception for laws)
>
>
>
> None of this addresses a gag order by said jurisdiction, which IMO is
> quite likely in a case wherein a government put such a requirement on a CA,
> at least in any case where such deviation from the BRs is truly of any
> concern.  Dead man switch?
>
> On 4/27/2016 12:44 PM, Ryan Sleevi wrote:
>
> Jeremy,
>
>
>
> I don't believe your proposal addresses the necessary transparency and
> disclosure that the CA ecosystem needs for such matters. Is there a reason
> you removed that language, or was it merely an oversight in addressing the
> other issue you highlighted?
>
>
>
> On Wed, Apr 27, 2016 at 10:40 AM, Jeremy Rowley <
> jeremy.rowley at digicert.com> wrote:
>
> Some CAs may not “want” to deviate from a requirement but may be forced to
> by regulation. They also won’t “deviate from… these Requirements” because
> the requirements are reformed to the extent necessary to accommodate for
> the law.
>
>
>
> How about:
>
>
>
> *A CA that issues a certificate under a requirement reformed through an
> action of a court or government body with jurisdiction SHALL list the
> reformed requirement in Section 9.16.3 of the CA’s CPS prior to issuing a
> certificate and include (in Section 9.16.3 of the CA’s CPS) a reference to
> the law or government order requiring a reformation under this section .*
>
>
>
>
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On
> Behalf Of *Gervase Markham
> *Sent:* Wednesday, April 27, 2016 10:38 AM
> *To:* CABFPub <public at cabforum.org>
> *Subject:* [cabfpub] BRs section 9.16.3 (exception for laws)
>
>
>
> Hi everyone,
>
> At the last CAB Forum meeting, we had a discussion about BRs section
> 9.16.3, and the possibility that it allows CAs to violate the BRs without
> appropriate notification. After the CAB Forum meeting, the following
> amendment (which I have tweaked) was helpfully suggested by one participant
> in the conversation The aim is to bring transparency, so anyone in
> violation under this clause is at least documented, and we can consider
> revisions to the BRs accordingly.
>
> What do people think?
>
> Gerv
>
>
>
> *9.16.3. Severability*
>
> If a court or government body with jurisdiction over the activities
> covered by these Requirements determines that the performance of any
> mandatory requirement is illegal, then such requirement is considered
> reformed to the minimum extent necessary to make the requirement valid and
> legal. This applies only to operations or certificate issuances that are
> subject to the laws of that jurisdiction. The parties involved SHALL notify
> the CA / Browser Forum *by sending a detailed message to *
> questions at cabforum.org of the facts, circumstances, and law(s) involved, *and
> receiving confirmation of the receipt of the message by the CA/Browser
> Forum,* so that the CA/Browser Forum may *consider possible revisions to
> these* Requirements accordingly.
>
> *Any CA that wants to deviate from any mandatory requirement of these
> Requirements as written on the basis of this Section 9.16.3 must list all
> such non-conformity (including a reference to the specific Requirement(s)
> subject to deviation) in Section 9.16.3 of the CA’s CPS before deviating
> from the Requirement(s), and include in such disclosure the facts,
> circumstances, and law(s) involved. *
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
>
>
>
>
> _______________________________________________
>
> Public mailing list
>
> Public at cabforum.org
>
> https://cabforum.org/mailman/listinfo/public
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>

-- 
konklone.com | @konklone <https://twitter.com/konklone>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160428/d237ec4a/attachment-0003.html>