[cabfpub] Ballot 161 - Notification of incorrect issuance

"Barreira Iglesias, Iñigo" i-barreira at izenpe.eus
Fri Feb 5 08:02:29 UTC 2016


You can log all your SSL certs in the CT logs now; there are no "technical" or "legal" restrictions on doing so. If you consider that logging all SSL certs issued will improve transparency, then do it. We are doing it for the same reason, but we also consider that this is not the "unique" solution and that there are other options to improve the whole ecosystem, and this ballot could be one for sure. But what I indicated is to work together and not have 2 similar procedures/processes for the same goal, which is what is stated in eIDAS regulation article 19 and which affects lots of CAs. So, what I'm against is having a procedure for the CABF and another one (quite similar or not) according to eIDAS when the goal is the same.


Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.eus 


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On behalf of Doug Beattie
Sent: Thursday, 04 February 2016 18:34
To: Ryan Sleevi; Rick Andrews
CC: public at cabforum.org
Subject: Re: [cabfpub] Ballot 161 - Notification of incorrect issuance

>> On Wed, Feb 3, 2016 at 5:07 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
>> In summary, Symantec can’t support this ballot. Symantec instead 
>> recommends adoption of a new ballot that would require all publicly 
>> trusted CAs to log all their issued certificates in accordance with 
>> the Google EV/CT Plan. This requirement should provide CAs a 
>> reasonable amount of time to complete implementation, and to address privacy concerns, Symantec further recommends that all certificates be logged in 6962-bis-compliant CT log servers.

> Given that no 6962-bis-compliant CT log servers exist, and 6962-bis 
> continues to be worked on as the lessons learned from CT are applied, 
> what timeframe do you see as reasonable? While it's understandable 
> that Symantec is expected to comply with this policy in four months, 
> regardless of the status of 6962-bis, it would be helpful to know what you believe is reasonable.

GlobalSign endorses the plan presented by Rick and we would be ready to support a mandatory CT effective date of December 1, 2016 for compliance with the Google EV/CT Plan for all SSL certificates, provided 6962-bis is approved at least 4 months prior to this date and there are a sufficient number of CT logs to use with this updated RFC.  We would support earlier, interim dates for mandatory posting of all DV certificates to CT logs post issuance (without included SCTs).  While this isn’t necessarily compliant with the Google EV/CT plan, it would improve transparency sooner and define a phased plan.

We would also support the use of CAA to flag orders for manual review to further strengthen issuance processes with pre-issuance checks to supplement CT logging by December 1, 2016.

