[cabfpub] Misissuance of certificates

Sigbjørn Vik sigbjorn at opera.com
Wed Jan 13 14:02:56 UTC 2016


On 13-Jan-16 12:14, Eneli Kirme wrote:
> Hello, 
> 
> We would like to express concerns that the proposed language in the ballot introduces much broader reporting obligations than what can be considered as “misissuance”.

Could you explain what kind of language would fix the perceived issue?
The proposed language is "CA issues a certificate in violation of these
requirements"; I don't understand how correctly issued certificates
would be covered by this language.

> For example - BR 4.9.9 prohibits the use of an OCSP responder that is conformant to RFC 6960 and BR 6.1.5 prohibits the use of all ECC curves except NIST ones. So any subscriber certificate with a 512-bit Brainpool key for which an OCSP response is signed with SHA-2 is a violation of the BRs and has to be disclosed?
> There’s also been discussion that malformed certificates are in scope.

If a certificate is issued in violation of the BRs, then it is to be
reported.

If CAs start issuing public Brainpool certificates before Brainpool has
been approved for public certificates, then it would be very useful for
the community to know about it. If there are lots of malformed
certificates in circulation, it would be very useful for the community
to know about it.

> The problem with these is that not all technical errors have an impact on security and some of them can go unnoticed for quite some time and involve large numbers of certificates.

I am not sure I understand why it is a problem that some are not
security issues, nor that it is a problem that some may go unnoticed for
some time?

> Putting all of them onto the Internet without unified means for automated querying would lower the value of such reporting.

So you are concerned about the ballot because there is no unified
reporting requirement? Getting the information out there is the first
step. Once it is all in the public domain, it is trivial for someone to
collect and arrange it in other manners. That this ballot doesn't fix
all problems shouldn't stop it from fixing some.

If wanted later, with some experience, a unified reporting scheme can be
discussed in a later ballot.

> Our concern is also that the proposed ballot is somewhat unclear on whether it applies only to certificates that are in scope of the BRs or all other types as well. If the latter is true, we might be facing several issues of disclosing personal information and violating local or other regulations with such disclosure.

This ballot would be part of the BRs, and the BRs only apply to
certificates in scope of the BRs.

Certificates not in scope of the BRs cannot be issued in violation of
requirements in the BRs, so even if this ballot would not be part of the
BRs, it would still not apply to certificates not governed by the BRs.

>> On 05 Jan 2016, at 17:19, Sigbjørn Vik <sigbjorn at opera.com> wrote:
>>
>> How about the following:
>>
>> public at cabforum.org SHALL be informed about the report. If the CA cannot
>> post directly, it SHALL inform questions at cabforum.org, and the CA/B
>> Forum chair SHALL forward to the list.
>>
>> On 05-Jan-16 16:10, Dean Coclin wrote:
>>> Commenting on this part: 
>>>
>>> "public at cabforum.org  SHALL be informed about the report, if the CA cannot
>>> post directly, it SHALL inform the CA/B Forum chair who SHALL inform the
>>> list."
>>>
>>> If a CA is not a member of the forum, they won't have public list posting
>>> privileges and may not know the email address of the Chair/Vice Chair (they
>>> are not posted on our website). Hence I would suggest they email the
>>> "questions" list
>>>
>>> Dean
>>>
>>> -----Original Message-----
>>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
>>> Behalf Of Sigbjørn Vik
>>> Sent: Friday, December 18, 2015 9:08 AM
>>> To: public at cabforum.org
>>> Subject: Re: [cabfpub] Misissuance of certificates
>>>
>>> Hi,
>>>
>>> The discussion on this topic seems to have died down, I hope that means we
>>> can proceed to a ballot. Anyone willing to endorse?
>>>
>>> The suggested exception for constrained intermediates did not seem to solve
>>> the problem it was intended to solve, and nobody spoke up for it, so I have
>>> removed it. The text would then be:
>>>
>>>
>>> 2.2.1 Information of incorrect issuance
>>>
>>> In the event that a CA issues a certificate in violation of these
>>> requirements, the CA SHALL publicly disclose a report within one week of
>>> becoming aware of the violation.
>>>
>>> public at cabforum.org SHALL be informed about the report, if the CA cannot
>>> post directly, it SHALL inform the CA/B Forum chair who SHALL inform the
>>> list.
>>>
>>> The report SHALL publicize details about what the error was, what caused the
>>> error, time of issuance and discovery, and public certificates for all
>>> issuer certificates in the trust chain.
>>>
>>> The report SHALL publicize the full public certificate, with the following
>>> exception: For certificates issued prior to 01-Mar-16 the report MAY leave
>>> out Subject Distinguished Name fields and subjectAltName extension values.
>>>
>>> The report SHALL be made available to the CA's Qualified Auditor for the next
>>> Audit Report.
>>>
>>> --
>>> Sigbjørn Vik
>>> Opera Software
>>> _______________________________________________
>>> Public mailing list
>>> Public at cabforum.org
>>> https://cabforum.org/mailman/listinfo/public
>>>
>>
>>
>> -- 
>> Sigbjørn Vik
>> Opera Software


-- 
Sigbjørn Vik
Opera Software


