[cabfpub] Highlight repeated non-acceptable practices, clarify requirements and discuss about DTPs

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Dec 28 07:09:24 UTC 2023


Dear Members,

While monitoring a specific recent Bugzilla incident, I realized that it 
is very easy to unintentionally misinterpret some parts within the Forum 
Guidelines that can lead to compliance problems. I think it is our 
obligation as a Forum to monitor compliance issues reported by CAs or 
independent researchers and in case of repeated incidents, suggest 
clarification language in the Forum's Guidelines. Nobody wants more 
incidents, but a repeated pattern doesn't necessarily mean negligence on 
the CA's part. It could very well be that the Guidelines are not well 
written in some areas.

In that regard, I would strongly encourage our Certificate Consumer 
Members, who continuously review and monitor incidents, to search for 
common patterns and try to locate the language in the Forum Guidelines 
that might be somewhat unclear, and work on improving those parts. Even 
if the language seems "clear enough", for cases that have caused 
multiple incidents by multiple CAs, it might be worth adding NOTES or 
NOTICES to highlight non-acceptable practices that have been 
misunderstood by multiple CAs.

The Delegated Third Party concept is understandably very open and not 
very well defined. I recommend all WGs to try and clarify how DTPs could 
be used in the certificate lifecycle process, including 
Domain/Identity/Email Validation but also in the supporting 
infrastructure services like compute, storage, network, backup, WHOIS, 
DNS, Email, regular post, SMS, and more. Perhaps this is a task for the 
Network Security Working Group but some elements are specific to other WGs.

My recommendation to all WGs is that when we see repeated patterns of 
practices that, by consensus, are not acceptable and do not meet the 
spirit and language of the Guidelines, try to highlight them in a type 
of "practices clarification" ballot series.

Best wishes for a Happy New Year to all!


Dimitris.
CA/B Forum Chair

