[cabfpub] Ballot 159 - Amend Section 4 of Baseline Requirements
Sigbjørn Vik
sigbjorn at opera.com
Thu Jan 7 08:20:13 UTC 2016
I prefer the latter version ("See section 9.6.3, provisions 2. and 4."),
which avoids this exact problem of trying to condense down the language
in 9.6.3 to a single sentence. Your point also makes it clear that
attempts to write a short version of that are bound up with complications.
On 06-Jan-16 19:33, Rick Andrews wrote:
> Sigbjørn,
>
> I don't see how one would audit that a CA ensured that Subscribers committed
> to those sections. How would a CA know that Subscribers "properly protect at
> all times the Private Key" and "use the Certificate solely in compliance with
> all applicable laws"?
>
> The BRs currently require that CAs "implement a process to ensure that each
> Subscriber or Terms of Use Agreement is legally enforceable against the
> Applicant". That's auditable.
>
> -Rick
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Sigbjørn Vik
> Sent: Wednesday, January 06, 2016 1:13 AM
> To: public at cabforum.org
> Subject: Re: [cabfpub] Ballot 159 - Amend Section 4 of Baseline Requirements
>
> In this case, perhaps the language should match the language used in section
> 9.6.3? In general, the BRs impose restrictions on CAs, not subscribers, and
> there are no effects if subscribers flout the BRs.
> Stating "subscribers SHALL" thus does not achieve the intended purpose.
> Perhaps language like the following instead:
>
> "The CA SHALL ensure that subscribers commit to subsections 2. and 4. of
> section 9.6.3."
>
> Although in that case, why not simply the following instead:
>
> "See section 9.6.3, provisions 2. and 4."
>
> On 05-Jan-16 17:02, Ben Wilson wrote:
>> It should have said:
>>
>> “3) In Section 4.5.1 of the Baseline Requirements, add "Subscribers
>> SHALL comply with subsections 2. and 4. of Section 9.6.3.”
>>
>> Those two subsections are in the Subscriber Agreement requirements.
>> Subsection 2. says, “Protection of Private Key: An obligation and
>> warranty by the Applicant to take all reasonable measures to maintain
>> sole control of, keep confidential, and properly protect at all times
>> the Private Key that corresponds to the Public Key to be included in
>> the requested Certificate(s) (and any associated activation data or
>> device, e.g. password or token);” Subsection 4. says, “Use of
>> Certificate: An obligation and warranty to install the Certificate
>> only on servers that are accessible at the subjectAltName(s) listed in
>> the Certificate, and to use the Certificate solely in compliance with
>> all applicable laws and solely in accordance with the Subscriber or Terms
>> of Use Agreement;”
>>
>> *From:* Rick Andrews [mailto:Rick_Andrews at symantec.com]
>> *Sent:* Monday, January 4, 2016 6:45 PM
>> *To:* Ben Wilson <ben.wilson at digicert.com>; CABFPub
>> <public at cabforum.org>
>> *Subject:* RE: Ballot 159 - Amend Section 4 of Baseline Requirements
>>
>> Ben,
>>
>> “3) In Section 4.5.1 of the Baseline Requirements, add "Subscribers
>> SHALL comply with Sections 4.9.3(2) and 4.9.3(4)."” I don’t see (2)
>> and
>> (4) in 4.9.3. Is that the right Section number?
>>
>> -Rick
>>
>> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On Behalf Of *Ben Wilson
>> *Sent:* Monday, January 04, 2016 8:04 AM
>> *To:* CABFPub
>> *Subject:* [cabfpub] Ballot 159 - Amend Section 4 of Baseline
>> Requirements
>>
>> Ballot 159 - Amend Section 4 of Baseline Requirements
>>
>> The Policy Review Working Group has reviewed Section 4 of the Baseline
>> Requirements and, as a result, suggests that certain changes be made.
>> Based on the lack of urgency for these changes and other
>> considerations, the Working Group recommends that, if any compliance
>> is required, Certification Authorities be given until January 1, 2017
>> before they are required to comply. Therefore, the following motion
>> has been proposed by Ben Wilson of DigiCert and endorsed by Tim
>> Hollebeek of Trustwave and Kirk Hall of TrendMicro:
>>
>> -- MOTION BEGINS --
>>
>> Effective immediately
>>
>> 1) In Sections 4.2.3, 4.3.2, 4.4.1, 4.4.2, 4.4.3, 4.5.2, 4.6.1, 4.6.2,
>> 4.6.3, 4.6.4, 4.6.5, 4.6.6, 4.6.7., 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5,
>> 4.7.6, 4.7.7, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.8.6, 4.8.7, 4.9.4,
>> 4.9.8, 4.10.3, 4.11, and 4.12.1 of the Baseline Requirements, add "No
>> stipulation."
>>
>> 2) In Sections 4.9.14, 4.9.15, 4.9.16, and 4.12.2 of the Baseline
>> Requirements, add "Not applicable."
>>
>> 3) In Section 4.5.1 of the Baseline Requirements, add "Subscribers
>> SHALL comply with Sections 4.9.3(2) and 4.9.3(4)."
>>
>> 4) In Section 4.9.2 of the Baseline Requirements, add "The Subscriber
>> can initiate revocation. Other parties who can request revocation
>> include: the general public, the press/news media, or an Application
>> Software Provider. See also Section 3.4."
>>
>> 5) In Section 4.9.6 of the Baseline Requirements, add "No stipulation.
>> (Note: Following certificate issuance, a certificate may be revoked
>> for reasons stated in Section 4.9.1. Therefore, relying parties should
>> check the revocation status of all certificates that contain a CDP or
>> OCSP pointer.)"
>>
>> To review these proposed changes in the Baseline Requirements, see the
>> attached PDF document titled, “Ballot- 159 Redlining of Section 4 of BRs”.
>>
>> -- MOTION ENDS --
>>
>> The review period for this ballot shall commence at 2200 UTC on 4
>> January 2016, and will close at 2200 UTC on 11 January 2016. Unless
>> the motion is withdrawn during the review period, the voting period
>> will start immediately thereafter and will close at 2200 UTC on 18
>> January 2016. Votes must be cast by posting an on-list reply to this
>> thread.
>>
>> A vote in favor of the motion must indicate a clear 'yes' in the
>> response. A vote against must indicate a clear 'no' in the response. A
>> vote to abstain must indicate a clear 'abstain' in the response.
>> Unclear responses will not be counted. The latest vote received from
>> any representative of a voting member before the close of the voting
>> period will be counted. Voting members are listed here:
>> https://cabforum.org/members/
>>
>> In order for the motion to be adopted, two thirds or more of the votes
>> cast by members in the CA category and greater than 50% of the votes
>> cast by members in the browser category must be in favor. Quorum is
>> currently nine (9) members: at least nine members must participate in
>> the ballot, either by voting in favor, voting against, or abstaining.
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>
> --
> Sigbjørn Vik
> Opera Software
>
--
Sigbjørn Vik
Opera Software