[cabfpub] Ballot 161 - Notification of incorrect issuance

Ryan Sleevi sleevi at google.com
Sat Jan 30 06:12:57 MST 2016


On Fri, Jan 29, 2016 at 10:53 AM, Doug Beattie <doug.beattie at globalsign.com>
wrote:

> GlobalSign has some serious reservations about this ballot.  I've sent
> this comment previously, but I'll send it again now that we are in the
> formal comment period.
>
> I feel strongly that the CABF, as a standards forum, should be focused on
> improving security and defining strong standards, but that compliance is a
> completely different responsibility.  We have WebTrust for CA auditors and
> root programs which do this today. We don’t want the BRs to encompass the
> WT for CAs audit requirements.   If the Root store operators and/or WT want
> to define compliance monitoring standards/initiatives that's fine, but I'm
> against CABF levying compliance reporting requirements.
>

Doug,

One area where I think this fits in very tightly with the CA/B Forum's
mission and goal is determining what patterns of misissuance emerge -
either within a single CA or within CAs at large - that highlight the need
for either better clarification of the BR languages or tightening or
loosening of the language, as appropriate.

For example, the very discussion of the ballot has highlighted a number of
excellent questions about the scope of the BRs as well as what constitutes
misissuance.

To use Dean's example of typos, note that in his proposed scenario, the
issue arose from using the customer's CSR as the source of encoding, rather
than having the CA responsible for encoding. This practice is explicitly
discouraged by RFC 5280 (see 4.1.2.4 and 4.1.2.6's notes around the string
"compatability"). Should it end up that CAs regularly run into such issues,
it may be necessary to put forward a ballot to address this.

In that sense, the disclosure requirement helps discover areas of practical
concern and patterns that may require addressing. Auditors are,
unfortunately, simply not providing any such feedback to root programs, and
are unlikely to do so in any meaningful way given the confidentiality
afforded to them in an audit. Similarly, root program notifications just
serve to fragment the discussions beyond any meaningful sense - and equally
shifts the burden of enforcing wholly to the root programs, which we know
is difficult (c.f. the fact that many CAs failed to include the entropy
required by multiple programs, or that many CAs still continue to
consistently fail to disclose the intermediate CAs they've issued, along
with their audit status).

While I can understand this may not change your position, I do hope you can
see some utility in the ballot.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20160130/3b9b9b0d/attachment.html 


More information about the Public mailing list