[cabfpub] CA-Browser Forum conference call on January 7th - misissued certificates

Eric Mill eric at konklone.com
Fri Jan 8 22:33:06 UTC 2016

On Fri, Jan 8, 2016 at 5:20 PM, Ryan Sleevi <sleevi at google.com> wrote:

> On Fri, Jan 8, 2016 at 1:54 PM, Peter Bowen <pzb at amzn.com> wrote:
>> I expressed concerns on the call over the ability of all CAs to post to
>> the public@ list.  I think sharing information is good, but would prefer
>> that the venue for sharing be open to all CAs, whether they are members of
>> the Forum or not.  While I appreciate that members can forward to the
>> public list, relying upon this good faith does not seem like the right
>> direction for a requirement.
> Wouldn't something like an incidents at cabforum.org be able to sufficiently
> meet that disclosure requirement, by allowing public readability while
> private writability, and without the IPR concerns that posting to public@
> ?

I've also proposed in the Policy Review Working Group that section 9.16.3's
severability exceptions -- where a CA cannot follow some aspect of the
Baseline Requirements due to overriding local law -- be reported publicly,
since they represent gaps in BR compliance.

Since I think BR exceptions should be managed by the body that manages the
BRs, an email alias like incidents at cabforum.org or notice at cabforum.org or
something, unencumbered by any legal agreements and with write access given
to anyone who needs it, would also help serve that purpose.

>> Further, it seems that many CAs have been reporting these kind of issues
>> privately to trust store operators and the preference is that trust store
>> operators set the requirement to publicly disclose rather than the Forum
>> advancing ahead of the trust store requirements.
> Alternatively, wouldn't it be seen as preferable to avoid fragmenting a
> variety of reporting requirements to trust stores to set a common baseline?
> That's not to say trust stores won't require more, but certainly this seems
> to set out a minimal common set.

Yes, and more specifically, I don't think the BRs or a CABF ballot should
direct CAs to report issues to a particular trust store operator.

I don't totally grok the concern about the CABF becoming a sharer of
information. It's already the canonical reference for its own output, via
web and email, so the hosting responsibility and mechanics are already
present. It's not a proposal for the CABF to run its own official CT log or

Presumably, misissuances are rare and getting rarer, and to the extent
misissuance poses an administrative burden on the CABF, all the more
incentive to rarefy them further.

-- Eric


konklone.com | @konklone <https://twitter.com/konklone>
