[cabfpub] CA-Browser Forum conference call on January 7th - misissued certificates

Sigbjørn Vik sigbjorn at opera.com
Tue Jan 12 09:52:50 UTC 2016


On 11-Jan-16 17:50, Rick Andrews wrote:
> Sigbjørn,
> 
> You said " There are also no obligations on the CABForum - incidents at cabforum.org might bounce, or forward to some other organization." There are at least some obligations on the CABForum, to handle requests to subscribe to this list, filter spam, etc. To be effective, I imagine the list will allow anyone to post to it and anyone to subscribe to it. Maybe Wayne can comment on how much work that might be for him.

No, there are no *obligations* on the CABForum with this proposal. The
primary publication mechanism is not the CABForum, it is the location
stated in the CPS. CAs have an obligation to mail a link to the address.
The CABForum mailing list does not have to be active at all, it doesn't
change the proposal. Some work is of course needed to make the address
useful, and there is an *expectation* that the address will be useful,
at least most of the time.

If the CABForum should ever decide in the future that managing a mailing
list is outside of scope, it may choose to shut down the mailing list,
even without a ballot.
If the mailing list is buggy for a while, a CA doesn't get approval to
post, the administrator is on vacation for two weeks, or similar, this
is also not a major problem. CAs will post to their own location from
their CPS anyhow. The mailing list is a convenience. It allows for
simple aggregation of reports, and it provides a third party timestamp
to the publication of the report.


> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Sigbjørn Vik
> Sent: Monday, January 11, 2016 1:51 AM
> To: public at cabforum.org
> Subject: Re: [cabfpub] CA-Browser Forum conference call on January 7th - misissued certificates
> 
> On 08-Jan-16 22:54, Peter Bowen wrote:
> 
>>> This mostly seems like a way for CAs to avoid transparency; based on 
>>> the current practices with respect to disclosing intermediates, it's 
>>> clear that a number of CAs are having trouble following root program 
>>> requirements with respect to disclosure and documentation.
>>>
>>> I find it interesting that the CA/Browser Forum would have an entire 
>>> workgroup dedicated to information sharing, but then be opposed to 
>>> sharing information.
> 
> So how about this proposal:
> CAs need to list their location for incident reports in the CPS, as previously outlined. All reports are published there. Additionally, CAs must send a mail to incidents at cabforum.org, with a link, whenever there is a new report.
> 
> This means CAs are still in charge of their own reports and infrastructure, and it is not the CABForum which publishes reports. The ability is equal for all CAs. There are also no obligations on the CABForum - incidents at cabforum.org might bounce, or forward to some other organization. Yet there is a central location where all incidents are reported. It is important that the CABForum is made aware of misissuances and issues surrounding that, so it can respond with updating the BRs when relevant.
> 
> 


-- 
Sigbjørn Vik
Opera Software
