[cabfpub] Misissuance of certificates

Peter Bowen pzb at amzn.com
Thu Jan 28 04:42:03 UTC 2016 

Dean,

I don’t think that this is much different than other things found in the current BRs.  For example, there is no definition for misuse in the BRs nor consensus on the meaning of “misuse”, yet there is a mandatory requirement on CAs: "The CA SHALL revoke a Certificate within 24 hours if […] [t]he CA obtains evidence that the Certificate was misused”.

Additionally, given that every CA has a yearly audit to assure compliance with the BRs, I would assume CAs and auditors already have a good understanding of what it means to violate the BRs.

Do you expect that auditors are finding violations but not reporting them?

Thanks,
Peter

> On Jan 27, 2016, at 7:35 PM, Dean Coclin <Dean_Coclin at symantec.com> wrote:
> 
> I think we still need to refine mis-issuance as defined below. It currently
> presents a very onerous obligation that seems unwarranted in some cases. Let
> me give an example:
> 
> Suppose my hypothetical business, "Dean's Wine Shop", submits a CSR with the
> name mistyped as "Dean's WineShop". The CA receives the CSR, doesn't catch
> the typo, and issues the certificate. Now I get it back, realize I made a
> typo and inform the CA. The CA fixes it and immediately reissues the
> certificate. Does this disclosure requirement suddenly kick in?  Did the CA
> "mis-issue" the certificate?  I fail to see how the public is helped by this
> information (unless we are turning this into some Consumer Reports rating to
> show how many times CAs make typos). 
> 
> Perhaps I'm missing something and I'm happy to be enlightened.
> 
> Thanks
> Dean
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Sigbjørn Vik
> Sent: Wednesday, January 27, 2016 7:51 PM
> To: public at cabforum.org
> Subject: Re: [cabfpub] Misissuance of certificates
> 
> Hi all,
> 
> I think the discussion on this topic has been great, and the proposed ballot
> has had several improvements as a result. I think it is time we put it to a
> ballot. The text is as below, I am looking for two endorsers.
> 
> 
> 2.2.1 Notification of incorrect issuance
> 
> In the event that a CA issues a certificate in violation of these
> requirements, the CA SHALL publicly disclose a report within one week of
> becoming aware of the violation. A link to the report SHALL simultaneously
> be sent to incidents at cabforum.org.
> 
> Effective 01-Jul-16, the CA SHALL in its Certificate Policy and/or
> Certification Practice Statement announce where such reports will be found.
> The location SHALL be as accessible as the CP/CPS.
> 
> The report SHALL publicize details about what the error was, what caused the
> error, time of issuance and discovery, and public certificates for all
> issuer certificates in the trust chain.
> 
> The report SHALL publicize the full public certificate, with the following
> exception: For certificates issued prior to 01-Mar-16 the report MAY
> truncate Subject Distinguished Name fields and subjectAltName extension
> values to the registerable domain name.
> 
> The report SHALL be made available to the CAs Qualified Auditor for the next
> Audit Report.
> 
> 
> --
> Sigbjørn Vik
> Opera Software
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

More information about the Public mailing list