[cabfpub] On the use of misuse - and the necessity to remove it

Adriano Santoni adriano.santoni at staff.aruba.it
Fri Jun 8 13:56:46 UTC 2018 

Yes, that's what I also had in mind.


Il 08/06/2018 15:28, Ryan Sleevi ha scritto:
> Certainly not trying to fight :) I'm assuming I'm missing something, 
> so just trying to make sure I understand the concerns to see how best 
> to address them.
>
> How I'm thinking a CA "would" do this, in a way that makes it clear to 
> relying parties, is that 1.4.1 / 1.4.2 would dictate the 
> acceptable/unacceptable uses, 4.9.1.1 would (in order to maintain 
> consistency with the BRs) specifically enumerate each and every one of 
> the items in the BRs, verbatim.
>
> Then, a CA could add additional reasons for revocation (e.g. 4.9.1.1 
> (16) "The owner of the CA wakes up on the wrong side of the bed that 
> morning"), while the method that the BRs require that they MUST have - 
> that is, 4.9.1.1 (4), would consistently refer to the definitions in 
> 1.4.1 / 1.4.2 for all CAs.
>
> I think we're actually in quite good agreement that CAs should be able 
> to dictate why they revoke, along with expecting subscribers be 
> prepared for that, but similarly, we want to make sure that CAs 
> enumerate all 14 methods listed in the BRs 4.9.1.1, and to be able to 
> do that for 4.9.1.1 (4), we need to define what that means consistently :)
>
> On Fri, Jun 8, 2018 at 9:24 AM, Adriano Santoni 
> <adriano.santoni at staff.aruba.it 
> <mailto:adriano.santoni at staff.aruba.it>> wrote:
>
>     Well, §4.9 of the CPS is about certificate revocation, and here we
>     are discussing about whether and when a CA reserves the right to
>     revoke a "misused" certificate, whatever "misused" means (to a
>     particular CA). So it seems to me that §4.9 - and particularly
>     §4.9.1 (circumstances for revocation) - can be a suitable location
>     in the CPS where to define "misuse". But I appreciate that §1.4 is
>     also an appropriate place. At any rate, I am not going to fight
>     over this.
>
>
>     Il 08/06/2018 14:51, Ryan Sleevi ha scritto:
>>     I'm not sure - can you explain why you think putting it in 4.9
>>     would be consistent with 3647?
>>
>>     I think the goal is to have a consistent place that all
>>     Subscribers and Relying Parties can expect things. 3647 provides
>>     for that in Section 1.4. I'm not sure why we'd want to permit
>>     and/or - that seems like it creates more work for everyone?
>>
>>     On Fri, Jun 8, 2018 at 8:07 AM, Adriano Santoni
>>     <adriano.santoni at staff.aruba.it
>>     <mailto:adriano.santoni at staff.aruba.it>> wrote:
>>
>>         More explicitly, with reference to RFC 3647, I'd suggest that
>>         a description of what the CA means by "misuse" (or an
>>         equivalent term or expression) should be found in §1.4 and/or
>>         §4.9 of the CA's CPS.
>>
>>
>>         Il 08/06/2018 13:52, Ryan Sleevi ha scritto:
>>>         Could you expand a bit more?
>>>
>>>         One of the concerns raised by multiple browsers, but
>>>         particularly articulated by Wayne, was that CAs are
>>>         documenting things all over, and so it's difficult for
>>>         consumers to know where it will be documented. Do you
>>>         currently document it, and in a different section?
>>>
>>>         It was an explicit goal of Ballot 217 to ensure that CAs are
>>>         following the 3647 format, and as Moudrick highlighted,
>>>         that's already got a dedicated section for that purpose. If
>>>         you did want to place information in additional places,
>>>         that's certainly possible - but it means your example 1.4.2
>>>         would say something like
>>>
>>>         "Certificates issued under this policy shall not be used
>>>         for hazardous environments requiring fail-safe controls,
>>>         including without limitation, the design, construction,
>>>         maintenance or operation of nuclear facilities, aircraft
>>>         navigation or communication systems, air traffic control,
>>>         and life support or weapons systems. Further, certificates
>>>         issued under this policy may not be used for the purposes
>>>         defined in Appendix A"
>>>
>>>         Does that sound... reasonable?
>>>
>>>
>>>         On Fri, Jun 8, 2018 at 7:37 AM, Adriano Santoni
>>>         <adriano.santoni at staff.aruba.it
>>>         <mailto:adriano.santoni at staff.aruba.it>> wrote:
>>>
>>>             I'd prefer not to restrict the sections of the CA's
>>>             CP/CPS where the definition of "misuse" (or "misused")
>>>             is to be found:
>>>
>>>             4.9.1.1 (future)
>>>             "4. The CA obtains evidence that the Certificate was
>>>             misused, as defined by the CA's CP/CPS;"
>>>
>>>
>>>
>>>             Il 08/06/2018 12:54, Ryan Sleevi ha scritto:
>>>>             4.9.1.1 (future)
>>>>             "4. The CA obtains evidence that the Certificate was
>>>>             misused, as defined by Section 1.4.1 and 1.4.2 of the
>>>>             CA's CP/CPS;"
>>>
>>>
>>
>>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180608/51e40bba/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4025 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180608/51e40bba/attachment-0003.p7s>

More information about the Public mailing list