[cabfpub] Naming rules

Ryan Sleevi sleevi at google.com
Mon Mar 6 02:06:31 UTC 2017


On Sun, Mar 5, 2017 at 11:21 AM, Peter Bowen <pzb at amzn.com> wrote:

> Maybe you are more familiar with the laws in Taiwan than I am, but I am
> not clear on whether this meets the bar for 9.16.3.  However I think that
> is really a moot point.
>
> If Chunghwa Telecom, as a result of its historical status as a part of the
> Directorate General of Telecommunications, has a need to issue certificates
> with names that do not follow the naming rules in the BRs, then Chunghwa
> can do so as long as (1) the CPS clearly states the naming rules and calls
> out these as not being conforming to the BRs and an exception to the rule
> that the BRs take priority in conflicts, (2) it is disclosed in the
> management assertion as specific non-compliance with the BRs, and (3) the
> auditor confirms all certificates issued followed the CPS naming rules and
> adds a qualification to the WebTrust for BR (and EV if applicable) opinion
> that Chunghwa didn’t meet this specific criteria.
>

You are correct that a qualification is expected in the absence of 9.16.3,
and the presence of an /intentional/ qualification not previously
coordinated with/disclosed to browsers is a red flag.

However, I think it's important to highlight, if only for the benefit of
members who seem to believe that 9.16.3 is relevant here, that 9.16.3 is
far more restrictive than what they've stated on the list.

I think it's crucially important to call out these misunderstandings so
that we can avoid any misinterpretations that may be offered by some
members as a way to induce other CAs into qualified audits.