[cabfpub] Reform of section 9.16.3

Kirk Hall Kirk.Hall at entrust.com
Wed Jul 20 00:17:29 UTC 2016


Gerv, thanks for your suggestions on amending BR 9.16.3.  I want to go through the existing language and new language to make sure it accomplishes what you want to accomplish.

Recap of Recent Events

First, a recap of recent events.  FirmaProfessional reported on June 29 that Spanish law required certain modifications to Profiles and addition of private extensions for certain Spanish civil servants, which apparently violated provisions of BR 7.1.4.2, but did not present any obvious security issues for users.  FirmaProfessional said the law had been repealed, but asked what if anything should be done about issued certificates.  I offered my personal opinion that the certs were validly issued because BR Sec. 8.1 requires “The CA SHALL at all times: 1. Issue Certificates and operate its PKI in accordance with all law applicable to its business and the Certificates it issues in every jurisdiction in which it operates, ***” and this Sec. 8 provision is just as binding on CAs as BR 7.1.4.2.

Effect of Current BR 9.16.3

This brings up the provisions of BR 9.16.3.

9.16.3. Severability
If a court or government body with jurisdiction over the activities covered by these Requirements determines that the performance of any mandatory requirement is illegal, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties involved SHALL notify the CA / Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Requirements accordingly.

Currently, BR 9.16.3 is extremely narrow – it only applies “If a court or government body with jurisdiction over the activities covered by these Requirements determines that the performance of any mandatory requirement is illegal ***” at which point the BR provision will be “reformed” to make it valid and legal.

That will never happen – courts and government bodies won’t spend their time judging whether or not some provision of the BRs is “illegal” – they will simply pass their own legal requirements that are mandatory on a CA, without commenting on or making any finding on the “legality” of any conflicting BR.  So the rest of the sentence, “*** then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal” will never happen either.

Instead, the CA will face two conflicting sets of requirements – the local law, and the BRs.  Both requirements have equal strength under the BRs (and in passing the related audits).  I suspect in most or all cases, the CA’s General Counsel will say “follow local law first.”

What that means is that in effect BR 9.16.3 will never come up or be relevant, and a CA will never be required under that provision to give notice to the Forum.  With your revisions (which are well worded), the CA will never have to list any “reformed” sections in its CPS because the BR sections will never be considered or reformed by “a court or government body with jurisdiction over the activities covered by these Requirements,” unless a CA files a lawsuit.  In the US, I don’t think the courts would entertain a lawsuit filed by the CA with no other parties involved, saying to the court “please reform this section of the BRs that is in conflict with the local law” – that’s not a function of the courts, which will just say “Follow the law.  You have no standing and no case.  Case dismissed.”  A CA can ask the government to change the local law so it’s no longer in conflict, but again, BR 9.16.3 would not apply if the law is changed, and no notice will ever be given to the Forum even with your proposed edits.

I think the current BR 9.16.3 was garbled from typical contract language, which usually says (in essence) “If any provision of this contract is in violation of local law, the offending language shall be deemed reformed in the minimum way possible so it complies with local law.”  In other words, contract language always yields to local law, and without filing a court or administrative case.  We could take that approach with the BRs (as the contract that is automatically reformed) if desired.  Browsers can always say “That reformed language presents a security risk – I will no longer trust the CA’s roots” if they want through changes to their root programs, as the browsers are not subject to the BRs.

Alternate Approach

If instead what you are after is a requirement that CAs report to the Forum all conflicts (including but not limited to local law that makes compliance with a BR “illegal”) between local law and a mandatory BR requirement, then describe what the CA is doing about the conflict and propose possible modifications to the BR in question to resolve the conflict, that would be easy to draft.  And the CA could also be required to include a description of the conflict and how the CA is responding (generally by following local law, I predict) in its CPS at Sec. 9.16.3 - that also would be easy to draft, and probably useful.

We could also make explicit what I said in the previous paragraph – amend the BRs so that if any mandatory BR is in conflict with local law, the BR is modified to the extent necessary not to be in conflict with local law.  In that case, the notice provisions would be very useful to tell users and browsers in what ways (and why) a CA is not complying with the BRs due to local law.

What would you think of this alternate approach to amending BR 9.16.3?


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Tuesday, July 19, 2016 5:32 AM
To: CABFPub <public at cabforum.org>
Subject: [cabfpub] Reform of section 9.16.3

*** This seems like a good moment to revive the reform plan for 9.16.3, the text of which was helpfully contributed to by several people, including Kirk.

The final text we came up with after the last discussion was:

9.16.3. Severability
If a court or government body with jurisdiction over the activities covered by these Requirements determines that the performance of any mandatory requirement is illegal, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties involved SHALL notify the CA / Browser Forum by sending a message to questions at cabforum.org explaining the facts, circumstances, and law(s) involved, and receiving confirmation that it has been posted to the Public Mailing List and is indexed in the Public Mail Archives available at https://cabforum.org/pipermail/public/, so that the CA/Browser Forum may consider possible revisions to these Requirements accordingly.
A CA that issues a certificate under a requirement reformed through an action of a court or government body with jurisdiction SHALL list the reformed requirement in Section 9.16.3 of the CA’s CPS prior to issuing a certificate and include (in Section 9.16.3 of the CA’s CPS) a reference to the law or government order requiring a reformation under this section.


Any more comments before I prepare a ballot?

Gerv