On Friday, May 20, 2016 at 5:29:43 PM UTC-7, Peter Bowen wrote: > [ Disclaimer: This message is my personal view and does not > necessarily represent that of my employer. ] > > On Fri, May 20, 2016 at 3:19 PM, wrote: > > On Friday, May 20, 2016 at 12:22:07 PM UTC-7, Peter Bowen wrote: > >> > >> When it comes to public certificates, which is what the Mozilla CA > >> program covers and are the subject of the BRs and EV Guidelines > >> (EVGs), there is assurance that certificates do the the following: > >> > >> Provide global identification by certifying: > >> 1) A binding between the identity of a natural person or institution > >> and a cryptographic key > >> 2) Confirmation that the identified named entity authorized issuance > >> of the certificate > >> Alternatively they explicitly may not provide identity. > >> > >> Provide assurance that the subscriber either had control of the hosts, > >> control of the domain namespace, or was a contact for the domain > >> namespace for all DNS names or the equivalent for all alternative > >> names in the certificate at the time the certificate was issued. In > >> some cases, such as an electronic identity certificate, there may be > >> no alternative name. > >> > >> This is all that they do. Now some CAs may choose to make further > >> assurances, for example they may assert that the person named in the > >> certificate is a citizen of a certain country or assert that the > >> company is a member of an organization or has been licensed for > >> certain activities However this is outside the scope of the BRs and > >> EVGs. > > > > Now you have really stumped me, Peter. Are you saying the BR provisions of > > 4.2.1 through 4.9.10 quoted by Kathleen in her first message above are > > optional? I don't think that's correct. > > > > I was not proposing that CAs go beyond what is spelled out in the BRs as to > > revocation (and blocking new cert issuance), although they can if they want > > to. I was only responding to Kathleen's questions about what the quoted BR > > provisions mean -- and to me, they are mandatory, not optional. I know we > > and other CAs have been following these rules for some years. > > The only places where the BRs uses the word "malware" are: > Section 5, about protecting the CA's own system from malware and > 9.6.3 (8) which says CA must confirm that the Subscriber has > acknowledged the CA is "entitled" to revoke a certificate immediately > if the Certificate is used to enable the distribution of malware. > > If you compare this to the recent Microsoft program requirement, you > will see there is no requirement that a CA do so, rather the > subscriber has simply acknowledged they are entitled to do so. > > Kathleen has pointed out that terms like "misuse" is undefined and > suggested that the CA/Browser Forum update the BRs to define this > term. If you feel strongly that publicly trusted certificates should > certify more than identity, I would suggest you propose a ballot to > update the BRs state such. > > Thanks, > Peter
Peter -- the reference to BR 9.6.8(8) is interesting, but is not really relevant to discussion of the requirements of BR 4.2.1 through 4.9.10 quoted by Kathleen in her first message above (and which are enforced by Section 5 of the Baseline Requirments WebTrust audit - see http://www.webtrust.org/homepage-documents/item76002.pdf) What about those sections? Look again at the first analysis I posted. I don't understand the resistance to complying with these provisions -- it's not that hard. If you think the requirements of BR 4.2.1 through 4.9.10 should be softened or deleted, then I suggest you are the one who needs to propose a ballot! CAs have been following these rules for about eight years now, so there is a pretty solid history and precedence. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
