[cabfpub] On the use of misuse - and the necessity to remove it

philliph at comodo.com philliph at comodo.com
Fri Jun 8 06:16:33 MST 2018


I remember when malware advertising first appeared. Users were very clear that they had never asked for anything of the sort and didn’t want the programs on their machines. The ‘anti-Virus’ providers spent three years with their fingers in their ears telling their customers that it was none of their business because the programs didn’t fit their narrow definition of a virus. 

From a drafting point of view it is useful to put all the definitions in one place. But as Gödel demonstrated, there are limits to the power of logic. Attempting to enumerate a complete set of all possible types of misuse seems unwise to me.

It is very easy to lose sight of the fact that the Web was made for people to use. The peculiar certitudes of the tech industry in general and Silicon Valley in particular are entirely alien to most Web users who simply want to get something done.


What counts as ‘misuse’ in the WebPKI is going to depend on what use applications make of that data and that is something that is outside the control of the CABForum. 

To date, the chief concern has been to defeat specific threats: malware, phishing, etc. But there is also a class of meta-threat where the attacker’s objective is to defeat security controls in the browser. We have not seen many attacks of that sort to date because very few browsers implement such controls. But it is something I expect we will see in the future.


> On Jun 8, 2018, at 8:07 AM, Adriano Santoni via Public <public at cabforum.org> wrote:
> 
> More explicitly, with reference to RFC 3647, I'd suggest that a description of what the CA means by "misuse" (or an equivalent term or expression) should be found in §1.4 and/or §4.9 of the CA's CPS.
> 
> On 08/06/2018 13:52, Ryan Sleevi wrote:
>> Could you expand a bit more?
>> 
>> One of the concerns raised by multiple browsers, but particularly articulated by Wayne, was that CAs are documenting things all over, and so it's difficult for consumers to know where it will be documented. Do you currently document it, and in a different section?
>> 
>> It was an explicit goal of Ballot 217 to ensure that CAs are following the 3647 format, and as Moudrick highlighted, that's already got a dedicated section for that purpose. If you did want to place information in additional places, that's certainly possible - but it means your example 1.4.2 would say something like
>> 
>> "Certificates issued under this policy shall not be used for hazardous environments requiring fail-safe controls, including without limitation, the design, construction, maintenance or operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, and life support or weapons systems. Further, certificates issued under this policy may not be used for the purposes defined in Appendix A"
>> 
>> Does that sound... reasonable?
>> 
>> 
>> On Fri, Jun 8, 2018 at 7:37 AM, Adriano Santoni <adriano.santoni at staff.aruba.it> wrote:
>> I'd prefer not to restrict the sections of the CA's CP/CPS where the definition of "misuse" (or "misused") is to be found:
>> 
>> 4.9.1.1 (future)
>> "4. The CA obtains evidence that the Certificate was misused, as defined by the CA's CP/CPS;"
>> 
>> 
>> On 08/06/2018 12:54, Ryan Sleevi wrote:
>>> 4.9.1.1 (future)
>>> "4. The CA obtains evidence that the Certificate was misused, as defined by Section 1.4.1 and 1.4.2 of the CA's CP/CPS;"
>> 
>> 
> 


