On Wed, Oct 21, 2020 at 2:09 PM Matthias van de Meent via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Hi,
>
> In the CPS v1.4.3 of NAVER, section 4.9.3, I found the following:
>
> > 4.9.3 Procedure for Revocation Request
> > The NAVER BUSINESS PLATFORM processes a revocation request as follows:
> > [...]
> > 4. For requests from third parties, The NAVER BUSINESS PLATFORM
> > personnel begin investigating the request within 24 hours after receipt and
> > decide whether revocation is appropriate based on the following criteria:
> > a. [...], b. [...], c. [...], d. [...]
> > e. Relevant legislation.
>
> The wording here is concerning, as it points to potential legislation
> that could disallow NAVER from revoking problematic certificates. Also
> of note is that this 'relevant legislation' is not referenced in
> section 9.14, Governing Law, nor in 9.16.3, Severability (as required
> per BRs 9.16.3).

If I understand your concern, you're concerned about a decision to /not/ revoke a given certificate, correct?

You're indeed accurate that a certificate that violated the BRs, but was not revoked according to relevant legislation, would be a BR violation and the CA would have been required to previously disclose this according to 9.16.3.

However, CAs are also free to *add* reasons for revocation, and to consider, as part of their investigation, relevant legislation which might lead to revocation even if it wasn't a violation of NAVER's CP/CPS. This is totally fine, and all CAs are entitled to add additional requirements, and for relying parties/root programs to consider those reasons relevant to their user communities.

Note that, in this case, the particular language you're concerned about is part of the BRs themselves, in 4.9.5. However, this is about "when" to revoke. I think you raise an interesting point that would benefit from clarification from NAVER, because I think you're correct that we should be concerned that the shift from "when" to revoke has become "whether" to revoke, and that is an important difference.
> I also noticed that the "All verification activities" type of event is
> not recorded, or at least not documented as such. This is a
> requirement from BRs 5.4.1(2)(2).

Thanks for the excellent attention to detail! I agree, this would be concerning, especially given the importance this log has been in investigating CA misissuance in the past.