[cabfpub] Ballot 161 - Notification of incorrect issuance

Doug Beattie doug.beattie at globalsign.com
Thu Feb 4 17:34:08 UTC 2016

>> On Wed, Feb 3, 2016 at 5:07 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
>> In summary, Symantec can’t support this ballot. Symantec instead recommends adoption of a 
>> new ballot that would require all publicly trusted CAs to log all their issued certificates in 
>> accordance with the Google EV/CT Plan. This requirement should provide CAs a reasonable 
>> amount of time to complete implementation, and to address privacy concerns, Symantec 
>> further recommends that all certificates be logged in 6962-bis-compliant CT log servers.

> Given that no 6962-bis-compliant CT log servers exist, and 6962-bis continues to be
> worked on as the lessons learned from CT are applied, what timeframe do you see as
> reasonable? While it's understandable that Symantec is expected to comply with this 
> policy in four months, regardless of the status of 6962-bis, it would be helpful to know 
> what you believe is reasonable. 

GlobalSign endorses the plan presented by Rick and we would be ready to support a mandatory CT effective date of December 1, 2016 for compliance with the Google EV/CT Plan for all SSL certificates, provided 6962-bis is approved at least 4 months prior to this date and there are a sufficient number of CT logs to use with this updated RFC. We would support earlier, interim dates for mandatory posting of all DV certificates to CT logs post-issuance (without included SCTs). While this isn’t necessarily compliant with the Google EV/CT Plan, it would improve transparency sooner and define a phased plan.

We would also support the use of CAA to flag orders for manual review to further strengthen issuance processes with pre-issuance checks to supplement CT logging by December 1, 2016.

