[cabfpub] Reform of section 9.16.3

Kirk Hall Kirk.Hall at entrust.com
Wed Jul 20 09:24:34 MST 2016


How about something like the following?  It will let CAs comply with applicable law (and avoid the current conflict between BR Sec. 8 and other provisions), give immediate notice to users and browsers before implementing a modification to the BRs or EVGL.  Of course, if a browser believes the modification poses a security hazard, it can take action on its own as it sees fit - including "breaking" certs with the modification, treating the certs as untrusted, removing the CA's roots from the browser root store, etc.  And if a CA modifies the Requirements without telling everyone (i.e., without complying with BR 9.16.3), that by itself is a separate WebTrust/ETSI audit breach.

9.16.3. Severability

In the event of a conflict between these Requirements and the laws or government order of any jurisdiction in which a CA operates or issues certificates, a CA may modify such requirements to the minimum extent necessary to make the requirements valid and legal in the jurisdiction. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction.  In such event, the CA shall immediately (and prior to issuing a certificate under the modified requirements):

(1) Notify the CA/Browser Forum by sending a message to questions at cabforum.org and receiving confirmation that it has been posted to the Public Mailing List and is indexed in the Public Mail Archives available at https://cabforum.org/pipermail/public/ (or such other email addresses and links as the Forum may designate), and

(2) Include in Section 9.16.3 of the CA's CPS

a detailed reference to the law or government order requiring a modification of these Requirements under this section and the specific modification of these Requirements implemented by the CA, so that the CA/Browser Forum may consider possible revisions to these Requirements accordingly.  Any modification of these Requirements must be discontinued at such time as the laws or government order no longer apply, and similar notice to the CA/Browser Forum and modifications to the CA's CPS must be made at that time.

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Wednesday, July 20, 2016 2:01 AM
To: Kirk Hall <Kirk.Hall at entrust.com>; 'CABFPub' <public at cabforum.org>
Subject: Re: [cabfpub] Reform of section 9.16.3

On 20/07/16 01:17, Kirk Hall wrote:

> If instead what you are after is a requirement that CAs report to the
> Forum all _conflicts_ (including but not limited to local law that
> makes compliance with a BR "illegal") between local law and a
> mandatory BR requirement, then describe what the CA is doing about the
> conflict and propose possible modifications to the BR in question to
> resolve the conflict, that would be easy to draft.  And the CA could
> also be required to include a description of the conflict and how the
> CA is responding (generally by following local law, I predict) in its
> CPS at Sec. 9.16.3 - that also would be easy to draft, and probably useful.

I follow your argument, and it makes sense to me. Yes, I think this is what we want. If the CA does not follow, or "modifies", a section of the BRs in order to comply with local law, they should explain what they have done, and how they are trying to meet the spirit of that BR requirement as much as possible. Invoking courts or local authorities does indeed make little sense, as they are not going to specifically rule on bits of the BRs.

> What would you think of this alternate approach to amending BR 9.16.3?

I'd be very pleased if you were to draft something, and then we could throw it into the discussion.
Gerv