[cabfpub] Ballot 159 - Amend Section 4 of Baseline Requirements

Sigbjørn Vik sigbjorn at opera.com
Thu Jan 7 01:20:13 MST 2016


I prefer the latter version ("See section 9.6.3, provisions 2. and 4."),
which avoids this exact problem of trying to condense down the language
in 9.6.3 to a single sentence. Your point also makes it clear that
attempts to write a short version of that is bound with complications.


On 06-Jan-16 19:33, Rick Andrews wrote:
> Sigbjørn,
> 
> I don't see how one would audit that a CA ensured that Subscribers committed
> to those sections. How would a CA know that Subscribers "properly protect at
> all times the Private Key" and "use the Certificate solely in compliance with
> all applicable laws"?
> 
> The BRs currently require that CAs "implement a process to ensure that each
> Subscriber or Terms of Use Agreement is legally enforceable against the
> Applicant". That's auditable.
> 
> -Rick
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Sigbjørn Vik
> Sent: Wednesday, January 06, 2016 1:13 AM
> To: public at cabforum.org
> Subject: Re: [cabfpub] Ballot 159 - Amend Section 4 of Baseline Requirements
> 
> In this case, perhaps the language should match the language used in section
> 9.6.3? In general, the BRs impose restrictions on CAs, not subscribers, and
> there are no effects if subscribers flout the BRs.
> Stating "subscribers SHALL" thus does not achieve the intended purpose.
> Perhaps language like the following instead:
> 
> "The CA SHALL ensure that subscribers commit to subsections 2. and 4. of
> section 9.6.3."
> 
> Although in that case, why not simply the following instead:
> 
> "See section 9.6.3, provisions 2. and 4."
> 
> 
> On 05-Jan-16 17:02, Ben Wilson wrote:
>> It should have said:
>>
>> “3) In Section 4.5.1 of the Baseline Requirements, add "Subscribers
>> SHALL comply with subsections 2. and 4. of Section 9.6.3.”
>>
>> Those two subsections are in the Subscriber Agreement requirements.
>> Subsection 2. says, “Protection of Private Key: An obligation and
>> warranty by the Applicant to take all reasonable measures to maintain
>> sole control of, keep confidential, and properly protect at all times
>> the Private Key that corresponds to the Public Key to be included in
>> the requested Certificate(s) (and any associated activation data or
>> device, e.g. password or token);” Subsection 4. says, “Use of
>> Certificate: An obligation and warranty to install the Certificate
>> only on servers that are accessible at the subjectAltName(s) listed in
>> the Certificate, and to use the Certificate solely in compliance with
>> all applicable laws and solely in accordance with the Subscriber or Terms
>> of Use Agreement;”
>>
>> *From:* Rick Andrews [mailto:Rick_Andrews at symantec.com]
>> *Sent:* Monday, January 4, 2016 6:45 PM
>> *To:* Ben Wilson <ben.wilson at digicert.com>; CABFPub
>> <public at cabforum.org>
>> *Subject:* RE: Ballot 159 - Amend Section 4 of Baseline Requirements
>>
>> Ben,
>>
>> “3) In Section 4.5.1 of the Baseline Requirements, add "Subscribers
>> SHALL comply with Sections 4.9.3(2) and 4.9.3(4)."” I don’t see (2)
>> and (4) in 4.9.3. Is that the right Section number?
>>
>> -Rick
>>
>> *From:* public-bounces at cabforum.org
>> <mailto:public-bounces at cabforum.org>
>> [mailto:public-bounces at cabforum.org] *On Behalf Of *Ben Wilson
>> *Sent:* Monday, January 04, 2016 8:04 AM
>> *To:* CABFPub
>> *Subject:* [cabfpub] Ballot 159 - Amend Section 4 of Baseline
>> Requirements
>>
>> Ballot 159 - Amend Section 4 of Baseline Requirements
>>
>> The Policy Review Working Group has reviewed Section 4 of the Baseline
>> Requirements and, as a result, suggests that certain changes be made.
>> Based on the lack of urgency for these changes and other
>> considerations, the Working Group recommends that, if any compliance
>> is required, Certification Authorities be given until January 1, 2017
>> before they are required to comply. Therefore, the following motion
>> has been proposed by Ben Wilson of DigiCert and endorsed by Tim
>> Hollebeek of Trustwave and Kirk Hall of TrendMicro:
>>
>> -- MOTION BEGINS --
>>
>> Effective immediately
>>
>> 1) In Sections 4.2.3, 4.3.2, 4.4.1, 4.4.2, 4.4.3, 4.5.2, 4.6.1, 4.6.2,
>> 4.6.3, 4.6.4, 4.6.5, 4.6.6, 4.6.7, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5,
>> 4.7.6, 4.7.7, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.8.6, 4.8.7, 4.9.4,
>> 4.9.8, 4.10.3, 4.11, and 4.12.1 of the Baseline Requirements, add "No
>> stipulation."
>>
>> 2) In Sections 4.9.14, 4.9.15, 4.9.16, and 4.12.2 of the Baseline
>> Requirements, add "Not applicable."
>>
>> 3) In Section 4.5.1 of the Baseline Requirements, add "Subscribers
>> SHALL comply with Sections 4.9.3(2) and 4.9.3(4)."
>>
>> 4) In Section 4.9.2 of the Baseline Requirements, add "The Subscriber
>> can initiate revocation. Other parties who can request revocation
>> include: the general public, the press/news media, or an Application
>> Software Provider. See also Section 3.4."
>>
>> 5) In Section 4.9.6 of the Baseline Requirements, add "No stipulation.
>> (Note: Following certificate issuance, a certificate may be revoked
>> for reasons stated in Section 4.9.1. Therefore, relying parties should
>> check the revocation status of all certificates that contain a CDP or
>> OCSP pointer.)"
>>
>> To review these proposed changes in the Baseline Requirements, see the
>> attached PDF document titled, “Ballot- 159 Redlining of Section 4 of BRs”.
>>
>> -- MOTION ENDS --
>>
>> The review period for this ballot shall commence at 2200 UTC on 4
>> January 2016, and will close at 2200 UTC on 11 January 2016. Unless
>> the motion is withdrawn during the review period, the voting period
>> will start immediately thereafter and will close at 2200 UTC on 18
>> January 2016. Votes must be cast by posting an on-list reply to this
>> thread.
>>
>> A vote in favor of the motion must indicate a clear 'yes' in the
>> response. A vote against must indicate a clear 'no' in the response. A
>> vote to abstain must indicate a clear 'abstain' in the response.
>> Unclear responses will not be counted. The latest vote received from
>> any representative of a voting member before the close of the voting
>> period will be counted. Voting members are listed here:
>> https://cabforum.org/members/
>>
>> In order for the motion to be adopted, two thirds or more of the votes
>> cast by members in the CA category and greater than 50% of the votes
>> cast by members in the browser category must be in favor. Quorum is
>> currently nine (9) members: at least nine members must participate in
>> the ballot, either by voting in favor, voting against, or abstaining.
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>>
> 
> 
> --
> Sigbjørn Vik
> Opera Software
> 


-- 
Sigbjørn Vik
Opera Software

