[cabfpub] Naming rules

Sun Mar 5 16:21:05 UTC 2017

> On Mar 4, 2017, at 8:09 PM, Ryan Sleevi via Public <public at cabforum.org> wrote:
> 
> 
> 
> On Sat, Mar 4, 2017 at 5:55 PM, Kirk Hall via Public <public at cabforum.org> wrote:
> Li-Chun -- can you solve your problem simply by following the rules in BR 9.16.3?
> 
> 
> I appreciate you raising this, Kirk, but let's be very careful here with what you're proposing.
> 
> The existence of local law regarding the DIT does NOT apply for this section. This section ONLY applies to the extent that local laws governs ALL forms of certificate issuance.
> 
> Concretely, the existence of the US FPKI, for example, does not in and of itself allow a CA to violate the BRs in order to comply with the US FPKI, since there's no local law in the US, as you're no doubt aware, that requires all CAs conform to the US FPKI.

Ryan,

Maybe you are more familiar with the laws in Taiwan than I am, but I am not clear on whether this meets the bar for 9.16.3.  However I think that is really a moot point.  

If Chunghwa Telecom, as a result if its historical status as a part of the Directorate General of Telecommunications, has a need to issue certificates with names that do not follow the naming rules in the BRs, then Chunghwa can do so as long as (1) the CPS clearly states the naming rules and calls out these as not being conforming to the BRs and an exception to the rule that the BRs take priority in conflicts, (2) it is disclosed in the management assertion as specific non-compliance with the BRs, and (3) the auditor confirms all certificates issued followed the CPS naming rules and adds a qualification to the WebTrust for BR (and EV if applicable) opinion that Chunghwa didn’t meet this specific criteria.

> Peter's point is extremely relevant - the existence of alternative PKIs is something that a number of jurisdictions share

I think the Forum needs to consider whether we make the naming rules a little more modular — for example, 

“Each certificate issued by the CA MUST follow one of the following policies for form of Names in certificates: (a) the CA/Browser Forum policy on Names for Certificates, (b) section 3.1 of the X.509 Certificate Policy For The U.S. Federal PKI Common Policy Framework, or (c) section 3.1 of 政府機關公開金鑰基礎建設 憑證政策 (Certificate Policy for the Government Public Key Infrastructure).”

We can keep tacking on more options as members bring them forward.

> , but the extent of 9.16.3 ONLY applies to the set of mandates that apply to _all_ PKIs.
> 
> 9.16.3 is the "option of last resort" - and may still result in a CA being distrusted by browser programs, to be clear. 

As I’ve come to understand more about WebTrust and audits conducted per ISAE 3000, I don’t think 9.16.3 is really necessary at all.  It is nice to notify the Forum so we can consider changing requirements, but CA can just add a qualifying statement to their CPS and audit report to say “we meet all the requirements except X because local law 10 GSC 10.3.2 says we have to do Y, which conflicts with X.”

Maybe this isn’t a viable option for ETSI, but if it is, then I think there is a clear path forward.

Thanks,
Peter