[cabfpub] Certificate Problem Report: clarifying definition
Gervase Markham
gerv at mozilla.org
Wed Aug 17 15:27:03 UTC 2016
Hi everyone,
Based on input from CAs and a desire for certainty that their processes
comply with the BRs, Kathleen is keen to clarify the definition of the
BR term "Certificate Problem Report" (CPR), particularly the scope of
the term "misuse".
Section 1.6.1 of the BRs defines:
Certificate Problem Report: Complaint of suspected Key Compromise,
Certificate misuse, or other types of fraud, compromise, misuse, or
inappropriate conduct related to Certificates.
That definition is referenced in two relevant places. Section 4.9.5 says:
The CA SHALL begin investigation of a Certificate Problem Report within
twenty-four hours of receipt, and decide whether revocation or other
appropriate action is warranted based on at least the following
criteria: ...
And section 4.10.2 says:
The CA SHALL maintain a continuous 24x7 ability to respond internally to
a high-priority Certificate Problem Report, and where appropriate,
forward such a complaint to law enforcement authorities, and/or revoke a
Certificate that is the subject of such a complaint.
So, we note, a CA is required to "begin an investigation" on receipt of
a CPR but that investigation may, on some or all occasions, at the CA's
sole discretion, result in no action. So any change of the definition is
not about the circumstances under which a CA must or must not e.g.
revoke, but only about when it is required to open an investigation.
We feel that, in line with the principle that certificates are evidence
of identity and not trustworthiness, we should clarify that "misuse"
means something like "being used for a purpose outside of that contained
in the cert, or applicant provided false information" and doesn't relate
to any activity which may take place on the website itself. So a draft
new definition with clearer terms used might be:
Certificate Problem Report: Complaint of suspected Key Compromise, false
information provided by the applicant during the issuance process, or
circumstances where the certificate is being used for a cryptographic
purpose outside of that for which it was issued.
It is an open question, on which we would particularly like input, as to
whether the definition of CPR should include _outdated_ information as
well as falsely-given information, or whether that circumstance does not
require such an immediate response.
Comments on this are very welcome.
Thanks,
Gerv
More information about the Public
mailing list