[cabfpub] CA-Browser Forum conference call on January 7th - misissued certificates

Sigbjørn Vik sigbjorn at opera.com
Fri Jan 8 05:26:29 MST 2016


There were some concerns at yesterday's meeting that this ballot would
make the CA/B Forum into a publisher of information, not just a
standards organization. An alternative to ensuring public notification
through a CA/B Forum operated mailing list, would be that CAs put a link
in their CPS to where they will publish such information.

The downside is that there would then be no central offical list, but
the information will still get out there. There might also be
organizations which want to collect and publish a complete set from all CAs.

I hope this will allay concerns about the CA/B Forum being involved in
the publications themselves.

Proposed text might then be as follows:
Effective 01-Jul-16, the CA SHALL in its Certificate Policy and/or
Certification Practice Statement announce where such reports will be
found. The location SHALL be as accessible as the CP/CPS.

This gives CAs half a year to amend their CPSes, and decide on a
location. The requirement to publish stands in the meanwhile, but with
no requirements as to where. Once a location is published in the CPS,
all reports should be available in that location, including reports
published earlier.

The ballot would also contain text stating:
After August 2016, the text "Effective 01-Aug-16, the CA SHALL" shall be
replaced with "The CA SHALL".



On 07-Jan-16 16:16, Gervase Markham wrote:
> On 07/01/16 08:28, Sigbjørn Vik wrote:
>> In the event that a CA issues a certificate in violation of these
>> requirements, the CA SHALL publicly disclose a report within one week of
>> becoming aware of the violation.
> 
> Technically, of course, no-one has to obey the BRs - they have to obey
> root program rules, which may incorporate the BRs by reference.
> 
> I would be interested to hear from CAs as to whether they would prefer
> disclosure requirements such as this to be centralised in the BRs or
> whether they would prefer them to be defined by each root program.
> 
>> public at cabforum.org SHALL be informed about the report. If the CA cannot
>> post directly, it SHALL inform questions at cabforum.org, and the CA/B
>> Forum chair SHALL forward to the list.
> 
> The reason I ask this is that (as far as I am aware, although I may well
> have missed something) currently the BRs are independent of the CAB
> Forum itself - i.e. the text makes no reference to the Forum's
> organizational structures. This ballot would change that. Is anyone
> concerned that this change might lead to problems?
> 
> Gerv
> 


-- 
Sigbjørn Vik
Opera Software


More information about the Public mailing list