[cabfpub] CA-Browser Forum conference call on January 7th - misissued certificates

Sigbjørn Vik sigbjorn at opera.com
Mon Jan 11 09:51:04 UTC 2016

On 08-Jan-16 22:54, Peter Bowen wrote:

>> This mostly seems like a way for CAs to avoid transparency; based on
>> the current practices with respect to disclosing intermediates, it's
>> clear that a number of CAs are having trouble following root program
>> requirements with respect to disclosure and documentation.
>> I find it interesting that the CA/Browser Forum would have an entire
>> workgroup dedicated to information sharing, but then be opposed to
>> sharing information.

So how about this proposal:
CAs need to list their location for incident reports in the CPS, as
previously outlined. All reports are published there. Additionally, CAs
must send a mail to incidents at cabforum.org, with a link, whenever there
is a new report.

This means CAs are still in charge of their own reports and
infrastructure, and it is not the CABForum which publishes reports. The
ability is equal for all CAs. There are also no obligations on the
CABForum - incidents at cabforum.org might bounce, or forward to some other
organization. Yet there is a central location where all incidents are
reported. It is important that the CABForum is made aware of
misissuances and issues surrounding that, so it can respond with
updating the BRs when relevant.

> Additionally adding a requirement for posting to a list to the BRs
> implies that it would fall within the scope of a BR audit.  Given the
> ballot proposes that any violation of the BRs is reportable and that the
> BRs require certificates to conform to a specific profile of X.509 (which
> is almost a profile of PKIX/RFC 5280), I think there is also concern
> that it could result in lots of reports until CAs get their certificates
> fully conformant to the profile, or they would be subject to a
> qualified audit report and the resulting ramifications of a qualified
> report.

This is part of the point of the ballot. Note that in no cases will this
requirement cause a CA to get a qualified report. This requirement only
kicks in if the CA already had a misissuance, and already violated the BRs.

Sigbjørn Vik
Opera Software
