[cabfpub] Reform of section 9.16.3

Moudrick M. Dadashov md at ssc.lt
Wed Jul 20 12:06:20 MST 2016


Kirk, we support your proposal and maybe the first sentence of (1) 
should be slightly modified (replace "order" with "act" and add "to" 
before the trailing comma):

"In the event of a conflict between these Requirements and the laws or 
government act of any jurisdiction in which a CA operates or issues 
certificates to, <...>".

Thanks,

M.D.

On 7/20/2016 7:24 PM, Kirk Hall wrote:
>
> How about something like the following? It will let CAs comply with 
> applicable law (and avoid the current conflict between BR Sec. 8 and 
> other provisions), give immediate notice to users and browsers before 
> implementing a modification to the BRs or EVGL.  Of course, if a 
> browser believes the modification poses a security hazard, it can take 
> action on its own as it sees fit - including "breaking" certs with the 
> modification, treating the certs as untrusted, removing the CA's roots 
> from the browser root store, etc.  And if a CA modifies the 
> Requirements without telling everyone (i.e., without complying with BR 
> 9.16.3), that by itself is a separate WebTrust/ETSI audit breach.
>
> 9.16.3. Severability
>
> In the event of a conflict between these Requirements and the laws or 
> government order of any jurisdiction in which a CA operates or issues 
> certificates, a CA may modify such requirements to the minimum extent 
> necessary to make the requirements valid and legal in the 
> jurisdiction. This applies only to operations or certificate issuances 
> that are subject to the laws of that jurisdiction.  In such event, the 
> CA shall immediately (and prior to issuing a certificate under the 
> modified requirements):
>
> (1) Notify the CA/Browser Forum by sending a message to 
> questions at cabforum.org and receiving confirmation that it has been 
> posted to the Public Mailing List and is indexed in the Public Mail 
> Archives available at https://cabforum.org/pipermail/public/ (or such 
> other email addresses and links as the Forum may designate), and
>
> (2) Include in Section 9.16.3 of the CA’s CPS a detailed reference to 
> the law or government order requiring a 
> modification of these Requirements under this section and the specific 
> modification of these Requirements implemented by the CA, so that the 
> CA/Browser Forum may consider possible revisions to these Requirements 
> accordingly.  Any modification of these Requirements must be 
> discontinued at such time as the laws or government order no longer 
> apply, and similar notice to the CA/Browser Forum and modifications to 
> the CA’s CPS must be made at that time.
>
> -----Original Message-----
> From: Gervase Markham [mailto:gerv at mozilla.org]
> Sent: Wednesday, July 20, 2016 2:01 AM
> To: Kirk Hall <Kirk.Hall at entrust.com>; 'CABFPub' <public at cabforum.org>
> Subject: Re: [cabfpub] Reform of section 9.16.3
>
> On 20/07/16 01:17, Kirk Hall wrote:
> > If instead what you are after is a requirement that CAs report to the
> > Forum all _conflicts_ (including but not limited to local law that
> > makes compliance with a BR “illegal”) between local law and a
> > mandatory BR requirement, then describe what the CA is doing about the
> > conflict and propose possible modifications to the BR in question to
> > resolve the conflict, that would be easy to draft.  And the CA could
> > also be required to include a description of the conflict and how the
> > CA is responding (generally by following local law, I predict) in its
> > CPS at Sec. 9.16.3 - that also would be easy to draft, and probably 
> > useful.
>
> I follow your argument, and it makes sense to me. Yes, I think this is 
> what we want. If the CA does not follow, or "modifies", a section of 
> the BRs in order to comply with local law, they should explain what 
> they have done, and how they are trying to meet the spirit of that BR 
> requirement as much as possible. Invoking courts or local authorities 
> does indeed make little sense, as they are not going to specifically 
> rule on bits of the BRs.
>
> > What would you think of this alternate approach to amending BR 9.16.3?
>
> I'd be very pleased if you were to draft something, and then we could 
> throw it into the discussion.
>
> Gerv
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
