[cabfpub] CA-Browser Forum conference call on January 7th - misissued certificates

Peter Bowen pzb at amzn.com
Fri Jan 8 21:54:48 UTC 2016


On Jan 8, 2016, at 10:00 AM, Ryan Sleevi <sleevi at google.com> wrote:
> On Fri, Jan 8, 2016 at 4:26 AM, Sigbjørn Vik <sigbjorn at opera.com <mailto:sigbjorn at opera.com>> wrote:
> There were some concerns at yesterday's meeting that this ballot would
> make the CA/B Forum into a publisher of information, not just a
> standards organization. An alternative to ensuring public notification
> through a CA/B Forum operated mailing list, would be that CAs put a link
> in their CPS to where they will publish such information.
> 
> The downside is that there would then be no central official list, but
> the information will still get out there. There might also be
> organizations which want to collect and publish a complete set from all CAs.
> 
> I hope this will allay concerns about the CA/B Forum being involved in
> the publications themselves.
> 
> This mostly seems like a way for CAs to avoid transparency; based on the current practices with respect to disclosing intermediates, it's clear that a number of CAs are having trouble following root program requirements with respect to disclosure and documentation.
> 
> I find it interesting that the CA/Browser Forum would have an entire workgroup dedicated to information sharing, but then be opposed to sharing information.

I expressed concerns on the call over the ability of all CAs to post to the public@ list.  I think sharing information is good, but would prefer that the venue for sharing be open to all CAs, whether they are members of the Forum or not.  While I appreciate that members can forward to the public list, relying upon this good faith does not seem like the right direction for a requirement.  

Additionally adding a requirement for posting to a list to the BRs implies that it would fall within the scope of a BR audit.  Given the ballot proposes that any violation of the BRs is reportable and that the BRs require certificates to conform a specific profile of X.509 (which is almost a profile of PKIX/RFC 5280), I think there is also concern that it could result in lots of reports until CAs get their certificates to fully conformant to the profile or they would be subject to a qualified audit report and the resulting ramifications of a qualified report.

Further, it seems that many CAs have been reporting these kind of issues privately to trust store operators and the preference is that trust store operators set the requirement to publicly disclose rather than the Forum advancing ahead of the trust store requirements.

Given all this, I think a reasonable next step would be for at least one trust store operator (even one who only maintains trust for EV) to set the reporting requirement and provide a forum to make the reports.

Thanks,
Peter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160108/b844da09/attachment-0003.html>


More information about the Public mailing list