[cabfpub] Misissuance of certificates

Dean Coclin Dean_Coclin at symantec.com
Thu Jan 28 03:35:31 UTC 2016


I think we still need to refine mis-issuance as defined below. It currently
presents a very onerous obligation that seems unwarranted in some cases. Let
me give an example:

Suppose my hypothetical business, "Dean's Wine Shop", submits a CSR with the
name mistyped as "Dean's WineShop". The CA receives the CSR, doesn't catch
the typo, and issues the certificate. Now I get it back, realize I made a
typo and inform the CA. The CA fixes it and immediately reissues the
certificate. Does this disclosure requirement suddenly kick in? Did the CA
"mis-issue" the certificate? I fail to see how the public is helped by this
information (unless we are turning this into some Consumer Reports rating to
show how many times CAs make typos).

Perhaps I'm missing something and I'm happy to be enlightened.

Thanks
Dean

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Sigbjørn Vik
Sent: Wednesday, January 27, 2016 7:51 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates

Hi all,

I think the discussion on this topic has been great, and the proposed ballot
has had several improvements as a result. I think it is time we put it to a
ballot. The text is as below; I am looking for two endorsers.


2.2.1 Notification of incorrect issuance

In the event that a CA issues a certificate in violation of these
requirements, the CA SHALL publicly disclose a report within one week of
becoming aware of the violation. A link to the report SHALL simultaneously
be sent to incidents at cabforum.org.

Effective 01-Jul-16, the CA SHALL in its Certificate Policy and/or
Certification Practice Statement announce where such reports will be found.
The location SHALL be as accessible as the CP/CPS.

The report SHALL publicize details about what the error was, what caused the
error, time of issuance and discovery, and public certificates for all
issuer certificates in the trust chain.

The report SHALL publicize the full public certificate, with the following
exception: For certificates issued prior to 01-Mar-16 the report MAY
truncate Subject Distinguished Name fields and subjectAltName extension
values to the registerable domain name.

The report SHALL be made available to the CA's Qualified Auditor for the next
Audit Report.


--
Sigbjørn Vik
Opera Software
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public