[cabfpub] CA-Browser Forum conference call on January 7th - misissued certificates

Ryan Sleevi sleevi at google.com
Fri Jan 8 22:20:01 UTC 2016


On Fri, Jan 8, 2016 at 1:54 PM, Peter Bowen <pzb at amzn.com> wrote:

> I expressed concerns on the call over the ability of all CAs to post to
> the public@ list.  I think sharing information is good, but would prefer
> that the venue for sharing be open to all CAs, whether they are members of
> the Forum or not.  While I appreciate that members can forward to the
> public list, relying upon this good faith does not seem like the right
> direction for a requirement.
>

Wouldn't something like an incidents at cabforum.org be able to sufficiently
meet that disclosure requirement, by allowing public readability while
private writability, and without the IPR concerns of posting to public@?


> Additionally adding a requirement for posting to a list to the BRs implies
> that it would fall within the scope of a BR audit.  Given the ballot
> proposes that any violation of the BRs is reportable and that the BRs
> require certificates to conform to a specific profile of X.509 (which is
> almost a profile of PKIX/RFC 5280), I think there is also concern that it
> could result in lots of reports until CAs get their certificates to be fully
> conformant to the profile or they would be subject to a qualified audit
> report and the resulting ramifications of a qualified report.
>

I'm not sure I understand why that's seen as a bad thing?


> Further, it seems that many CAs have been reporting these kinds of issues
> privately to trust store operators and the preference is that trust store
> operators set the requirement to publicly disclose rather than the Forum
> advancing ahead of the trust store requirements.
>

Alternatively, wouldn't it be seen as preferable to avoid fragmenting a
variety of reporting requirements to trust stores to set a common baseline?
That's not to say trust stores won't require more, but certainly this seems
to set out a minimal common set.