[cabfpub] On the use of misuse - and the necessity to remove it

[Ryan Sleevi]

Certainly not trying to fight :) I'm assuming I'm missing something, so
just trying to make sure I understand the concerns to see how best to
address them.

How I'm thinking a CA "would" do this, in a way that makes it clear to
relying parties, is that 1.4.1 / 1.4.2 would dictate the
acceptable/unacceptable uses, 4.9.1.1 would (in order to maintain
consistency with the BRs) specifically enumerate each and every one of the
items in the BRs, verbatim.

Then, a CA could add additional reasons for revocation (e.g. 4.9.1.1 (16)
"The owner of the CA wakes up on the wrong side of the bed that morning"),
while the method that the BRs require that they MUST have - that is,
4.9.1.1 (4), would consistently refer to the definitions in 1.4.1 / 1.4.2
for all CAs.

I think we're actually in quite good agreement that CAs should be able to
dictate why they revoke, along with expecting subscribers be prepared for
that, but similarly, we want to make sure that CAs enumerate all 14 methods
listed in the BRs 4.9.1.1, and to be able to do that for 4.9.1.1 (4), we
need to define what that means consistently :)

On Fri, Jun 8, 2018 at 9:24 AM, Adriano Santoni <
adriano.santoni at staff.aruba.it> wrote:

> Well, §4.9 of the CPS is about certificate revocation, and here we are
> discussing about whether and when a CA reserves the right to revoke a
> "misused" certificate, whatever "misused" means (to a particular CA). So it
> seems to me that §4.9 - and particularly §4.9.1 (circumstances for
> revocation) - can be a suitable location in the CPS where to define
> "misuse". But I appreciate that §1.4 is also an appropriate place. At any
> rate, I am not going to fight over this.
>
> Il 08/06/2018 14:51, Ryan Sleevi ha scritto:
>
> I'm not sure - can you explain why you think putting it in 4.9 would be
> consistent with 3647?
>
> I think the goal is to have a consistent place that all Subscribers and
> Relying Parties can expect things. 3647 provides for that in Section 1.4.
> I'm not sure why we'd want to permit and/or - that seems like it creates
> more work for everyone?
>
> On Fri, Jun 8, 2018 at 8:07 AM, Adriano Santoni <
> adriano.santoni at staff.aruba.it> wrote:
>
>> More explicitly, with reference to RFC 3647, I'd suggest that a
>> description of what the CA means by "misuse" (or an equivalent term or
>> expression) should be found in §1.4 and/or §4.9 of the CA's CPS.
>>
>> Il 08/06/2018 13:52, Ryan Sleevi ha scritto:
>>
>> Could you expand a bit more?
>>
>> One of the concerns raised by multiple browsers, but particularly
>> articulated by Wayne, was that CAs are documenting things all over, and so
>> it's difficult for consumers to know where it will be documented. Do you
>> currently document it, and in a different section?
>>
>> It was an explicit goal of Ballot 217 to ensure that CAs are following
>> the 3647 format, and as Moudrick highlighted, that's already got a
>> dedicated section for that purpose. If you did want to place information in
>> additional places, that's certainly possible - but it means your example
>> 1.4.2 would say something like
>>
>> "Certificates issued under this policy shall not be used for hazardous
>> environments requiring fail-safe controls, including without limitation,
>> the design, construction, maintenance or operation of nuclear facilities,
>> aircraft navigation or communication systems, air traffic control, and life
>> support or weapons systems. Further, certificates issued under this policy
>> may not be used for the purposes defined in Appendix A"
>>
>> Does that sound... reasonable?
>>
>>
>> On Fri, Jun 8, 2018 at 7:37 AM, Adriano Santoni <
>> adriano.santoni at staff.aruba.it> wrote:
>>
>>> I'd prefer not to restrict the sections of the CA's CP/CPS where the
>>> definition of "misuse" (or "misused") is to be found:
>>>
>>> 4.9.1.1 (future)
>>> "4. The CA obtains evidence that the Certificate was misused, as defined
>>> by the CA's CP/CPS;"
>>>
>>>
>>> Il 08/06/2018 12:54, Ryan Sleevi ha scritto:
>>>
>>> 4.9.1.1 (future)
>>> "4. The CA obtains evidence that the Certificate was misused, as defined
>>> by Section 1.4.1 and 1.4.2 of the CA's CP/CPS;"
>>>
>>>
>>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180608/cf177c7f/attachment-0003.html>