[cabfpub] Ballot 159 - Amend Section 4 of Baseline Requirements

Ryan Sleevi sleevi at google.com
Mon Jan 4 18:03:14 UTC 2016

On Mon, Jan 4, 2016 at 8:04 AM, Ben Wilson <ben.wilson at digicert.com> wrote:

> 4) In Section 4.9.2 of the Baseline Requirements, add "The Subscriber can
> initiate revocation. Other parties who can request revocation include: the
> general public, the press/news media, or an Application Software Provider.
> See also Section 3.4."

Is there a reason the WG decided to provide an enumeration like this?

The concern I would have is that it reads as if it's a closed set (only
these three parties), when arguably two ("the press/news media" and
"Application Software Provider") are both subsets of the general public.

Also, why the choice of "Application Software Provider"? The current term of use
in the BRs (v1.3.1) is "Application Software Supplier". The only use of
"Application Software Provider" appears to be within the context of Section
7.1.3, which is also probably a typo. I figured CAs would be all on board
calling us browsers ASSes :)

However, most importantly, I think the proposed change to 4.9.2 is somewhat
in conflict with the NIST Guidelines and with Section 4.9.3. Third parties
(that is, anyone who is not the Subscriber for a given certificate) may, at
best, request that the CA investigate the certificate pursuant to Section
4.9.1. As presently worded, it essentially suggests that anyone can, at any
time, point out a certificate and tell the CA to revoke it, which of course
is neither practical nor intentional.

As far as I can tell, for Section 4.9.2, only one party is authorized to
_request_ revocation - the Subscriber. The CA can also revoke (pursuant
to Section 4.9.1), but that's not a request - that's a unilateral
decision. MAYBE there's a carve-out for Registration Authorities, or maybe
that's already considered within the definition of 4.9.1. But ASSes and the
general public can only make CAs aware of violations of Section 4.9.1,
making the CA aware that something has occurred. But I don't know if that
constitutes a request for revocation.