[cabfpub] Misissuance of certificates

Ryan Sleevi sleevi at google.com
Thu Jan 28 05:01:02 UTC 2016

On Jan 27, 2016 8:42 PM, "Peter Bowen" <pzb at amzn.com> wrote:

> Do you expect that auditors are finding violations but not reporting them?

Yes. I have, through sources of information, been informed of pre-audits in
which matters of non-compliance - which can sometimes involve sizable
corpuses of certificates or security risks - are quietly resolved by
revoking the certificates. That is, the CA (or auditor) detects
misissuances, and the CA revokes the existing certificates, updates their
control documentation, and the auditor gives them their seal of approval.

Similarly, I am aware of issues being privately reported to CAs that cause
the certificates to be revoked, but do not appear on subsequent audit
reports because they were not detected by the sample, and the CA is not, to
the best of my knowledge, obligated to report their failures to the auditor
during the period of time in which the auditor is there.

Providing transparency to such disclosures is a positive first step.
Similarly, if auditors were to more closely examine revocations, and at a
more thorough level, they would likely find evidence of a CA failing to
abide by the controls they provided to said auditor, and which may
highlight underlying systemic issues.

But certainly, there is "ghost misissuance" going on, where once revoked,
the CA believes they have demonstrated it was a non-issue.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160127/57b026f0/attachment-0003.html>

More information about the Public mailing list