[cabfpub] SAN private extensions pursuant specific SSL/EV Spanish ruled profile

Ryan Sleevi sleevi at google.com
Sat Jul 16 00:06:48 UTC 2016


On Fri, Jul 15, 2016 at 5:03 PM, Kirk Hall <Kirk.Hall at entrust.com> wrote:

> Why do browsers need this kind of information to be disclosed to them?
> What difference does it make to a browser?  Seems like the information is
> not directed at the browsers.
>

Could you re-read the message you're replying to and let me know what part
confused you? I discussed a very real, very practical concern - one that
we've discussed in person and on the list before.

Perhaps this is why it's important to keep good minutes, since we seem to
keep rehashing things.


> In any case, the existing BR and EVGL rules don’t require disclosure, they
> just require compliance with local law, which is appropriate.
>

Could you re-read the BRs and explain to me why you don't feel it requires
disclosure? In particular, please read the statement beginning with "The
parties involved SHALL notify the CA / Browser Forum". It would be useful
to understand why you don't believe this represents an obligation for
disclosure.


>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Friday, July 15, 2016 3:53 PM
> *To:* Kirk Hall <Kirk.Hall at entrust.com>
> *Cc:* Dean Coclin <Dean_Coclin at symantec.com>; Chema Lopez <
> clopez at firmaprofesional.com>; public at cabforum.org
> *Subject:* Re: [cabfpub] SAN private extensions pursuant specific SSL/EV
> Spanish ruled profile
>
> On Thu, Jul 14, 2016 at 11:08 AM, Kirk Hall <Kirk.Hall at entrust.com> wrote:
>
> To my mind, the provisions of BR Sec. 8 and 9.16.3, and EVGL Sec. 8.1,
> could be interpreted as allowing the laws and regulations of Spain
> concerning certificate profiles and content to override the requirements of
> the BRs and EVGL.
>
> Accordingly, there may be no need for Spanish CAs to do anything
> differently as to the earlier certs – they can assert to their auditors
> that Spanish law and regulation is allowed to control on this issue, and so
> they are in full compliance because of BR Sec. 8 and 9.16.3, and EVGL Sec.
> 8.1.  See below.
>
> However, as we discussed in person at the CA/B Forum meeting in
> Scottsdale, there is an obligation of CAs to disclose these regulations so
> that the Forum can be so informed.
>
> While Chema has now done this (and Inigo had previously), it can't be
> argued these are a priori conforming and in full compliance.
>
> I'm struggling to find this in the minutes, but if you'll recall, Gerv and
> I discussed various interpretations of this. For example, if a US CA were
> presented with an order to ignore domain validation and, say, issue a
> certificate for www.google.com, would the CA be argued to be in full
> compliance with the BRs for doing so? We discussed questions about what it
> meant for the Forum to be notified - is this a public mailing list, a
> management list, etc. We discussed the hypothetical concern about
> government-issued gag notices as well.
>
> Unfortunately, none of this was minuted. However, thankfully Gerv sent a
> public mail shortly thereafter, which at least helps me make sure I'm not
> misremembering things (although I could totally be missing where it appears
> on the minutes in
> https://cabforum.org/2016/02/17/2016-02-17-minutes-of-f2f-meeting-37/ ) -
> but you can read the thread at
> https://cabforum.org/pipermail/public/2016-April/007465.html
>

