[cabfpub] On the use of misuse - and the necessity to remove it
adriano.santoni at staff.aruba.it
Fri Jun 8 13:56:46 UTC 2018
Yes, that's what I also had in mind.
Il 08/06/2018 15:28, Ryan Sleevi ha scritto:
> Certainly not trying to fight :) I'm assuming I'm missing something,
> so just trying to make sure I understand the concerns to see how best
> to address them.
> How I'm thinking a CA "would" do this, in a way that makes it clear to
> relying parties, is that 1.4.1 / 1.4.2 would dictate the
> acceptable/unacceptable uses, 18.104.22.168 would (in order to maintain
> consistency with the BRs) specifically enumerate each and every one of
> the items in the BRs, verbatim.
> Then, a CA could add additional reasons for revocation (e.g. 22.214.171.124
> (16) "The owner of the CA wakes up on the wrong side of the bed that
> morning"), while the method that the BRs require that they MUST have -
> that is, 126.96.36.199 (4), would consistently refer to the definitions in
> 1.4.1 / 1.4.2 for all CAs.
> I think we're actually in quite good agreement that CAs should be able
> to dictate why they revoke, along with expecting subscribers be
> prepared for that, but similarly, we want to make sure that CAs
> enumerate all 14 methods listed in the BRs 188.8.131.52, and to be able to
> do that for 184.108.40.206 (4), we need to define what that means consistently :)
> On Fri, Jun 8, 2018 at 9:24 AM, Adriano Santoni
> <adriano.santoni at staff.aruba.it
> <mailto:adriano.santoni at staff.aruba.it>> wrote:
> Well, §4.9 of the CPS is about certificate revocation, and here we
> are discussing about whether and when a CA reserves the right to
> revoke a "misused" certificate, whatever "misused" means (to a
> particular CA). So it seems to me that §4.9 - and particularly
> §4.9.1 (circumstances for revocation) - can be a suitable location
> in the CPS where to define "misuse". But I appreciate that §1.4 is
> also an appropriate place. At any rate, I am not going to fight
> over this.
> Il 08/06/2018 14:51, Ryan Sleevi ha scritto:
>> I'm not sure - can you explain why you think putting it in 4.9
>> would be consistent with 3647?
>> I think the goal is to have a consistent place that all
>> Subscribers and Relying Parties can expect things. 3647 provides
>> for that in Section 1.4. I'm not sure why we'd want to permit
>> and/or - that seems like it creates more work for everyone?
>> On Fri, Jun 8, 2018 at 8:07 AM, Adriano Santoni
>> <adriano.santoni at staff.aruba.it
>> <mailto:adriano.santoni at staff.aruba.it>> wrote:
>> More explicitly, with reference to RFC 3647, I'd suggest that
>> a description of what the CA means by "misuse" (or an
>> equivalent term or expression) should be found in §1.4 and/or
>> §4.9 of the CA's CPS.
>> Il 08/06/2018 13:52, Ryan Sleevi ha scritto:
>>> Could you expand a bit more?
>>> One of the concerns raised by multiple browsers, but
>>> particularly articulated by Wayne, was that CAs are
>>> documenting things all over, and so it's difficult for
>>> consumers to know where it will be documented. Do you
>>> currently document it, and in a different section?
>>> It was an explicit goal of Ballot 217 to ensure that CAs are
>>> following the 3647 format, and as Moudrick highlighted,
>>> that's already got a dedicated section for that purpose. If
>>> you did want to place information in additional places,
>>> that's certainly possible - but it means your example 1.4.2
>>> would say something like
>>> "Certificates issued under this policy shall not be used
>>> for hazardous environments requiring fail-safe controls,
>>> including without limitation, the design, construction,
>>> maintenance or operation of nuclear facilities, aircraft
>>> navigation or communication systems, air traffic control,
>>> and life support or weapons systems. Further, certificates
>>> issued under this policy may not be used for the purposes
>>> defined in Appendix A"
>>> Does that sound... reasonable?
>>> On Fri, Jun 8, 2018 at 7:37 AM, Adriano Santoni
>>> <adriano.santoni at staff.aruba.it
>>> <mailto:adriano.santoni at staff.aruba.it>> wrote:
>>> I'd prefer not to restrict the sections of the CA's
>>> CP/CPS where the definition of "misuse" (or "misused")
>>> is to be found:
>>> 220.127.116.11 (future)
>>> "4. The CA obtains evidence that the Certificate was
>>> misused, as defined by the CA's CP/CPS;"
>>> Il 08/06/2018 12:54, Ryan Sleevi ha scritto:
>>>> 18.104.22.168 (future)
>>>> "4. The CA obtains evidence that the Certificate was
>>>> misused, as defined by Section 1.4.1 and 1.4.2 of the
>>>> CA's CP/CPS;"
-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4025 bytes
Desc: Firma crittografica S/MIME
More information about the Public