[cabfpub] Require commonName in Root and Intermediate Certificates ballot draft (2)

Ryan Sleevi sleevi at google.com
Mon Apr 17 09:56:48 MST 2017


On Mon, Apr 17, 2017 at 12:43 PM, Dimitris Zacharopoulos <jimmy at it.auth.gr>
wrote:

>
> I remember this being discussed at the Bilbao meeting and it was also in
> the published minutes
> <https://cabforum.org/2016/02/17/2016-02-17-minutes-of-f2f-meeting-37/#Compliance-Assessment-Coordination-with-auditors-and-browsers>.
> It was a very interesting discussion and the minutes describe the
> conversation well.
>
> Perhaps this is not the case with every auditor but there might be
> auditors out there that actually try to verify adherence to section 2.2
> that CAs must be compliant with the latest version of the BRs. So, I think
> adding reasonable effective dates solves this problem.
>

I'm afraid we may be talking past each other.

A CA MUST adhere to the latest published version of the BRs. That is not in
question.

This ONLY applies to new certificates the CA is issuing since those BRs
came into effect. Previous certificates they issued were governed by the
previous versions of the BRs (if after the BRs effective date) at the time
_those_ certificates were issued.

So this requirement has a clear effective date - for any new certificates
issued. Much like the BRs cannot retroactively suggest something was not a
BR violation then, and instead only state it's not a BR violation going
further, the BRs do not retroactively state something was a BR violation.

Any issue that would arise from this is due to an auditor inappropriately
applying the criteria. That's not something to paper over with an effective
date - that's something to bring to the forefront.

It does not sound like you're aware of any auditor doing so. I understand
and appreciate your concern for the possibility, but absent that, and given
the clear statements from auditors in the past regarding how they conduct
their audits, I do not believe this is a reasonable or rational concern. I
hope I've demonstrated why, if it does arise, it's something that we
absolutely do want to highlight, so that the auditor, not the CA, can be
better instructed.