The intent of the proposal was to ensure that CAs act fairly by applying
objective, stated criteria to decisions (1) to not issue a certificate or
(2) to revoke a certificate, but now I think that trying to prevent
arbitrary refusals/revocations with policy language might raise more
problems than we would be able to solve with any language we could adopt.
However, I am still open to suggestions. Do any of these concepts resonate
as satisfactory alternatives to "non-discriminatory" to anybody: unbiased,
non-arbitrary, objective, impartial, reasoned, justified, rational, or
variations thereof? Can something be written that would meet the intent
stated above without the need to interpret it repeatedly on a case-by-case
basis for CAs in the future?
Thanks,
Ben

On Tue, Oct 26, 2021 at 8:14 AM Josh Aas <j...@letsencrypt.org> wrote:

> I think it would be helpful to have more clarity on what behavior this
> proposal is intended to prevent. With examples, if possible. It might
> make it easier to understand if anything ought to be done, and if so,
> what language would be most appropriate.
>
> On Tue, Oct 19, 2021 at 4:54 PM Ben Wilson <bwil...@mozilla.com> wrote:
> >
> > As an initial edit, I am proposing that we add the following language as
> a new subsection 6 to MRSP section 2.1 - "[CAs SHALL] provide services on a
> non-discriminatory basis to all applicants who meet the requirements and
> agree to abide by their obligations as specified in the CA's terms and
> conditions".  See
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/fab61408608feed365a9446ac47560a34c06cf85
> >
> > On Thu, Oct 7, 2021 at 6:06 PM Ben Wilson <bwil...@mozilla.com> wrote:
> >>
> >> All,
> >>
> >> This email is the first in a series of discussions concerning the next
> version of the Mozilla Root Store Policy (MRSP), version 2.8, to be
> published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8)
> >>
> >> Issue #129 in GitHub proposes that we add a policy of
> non-discrimination to the MRSP.
> >>
> >> This particular issue arose from discussions of whether CAs should be
> allowed to arbitrarily refuse to issue or to revoke certificates. (The
> situation involved an EV certificate for Stripe, Inc., of Kentucky,
> https://groups.google.com/g/mozilla.dev.security.policy/c/NjMmyA6MxN0/m/asxTGD3dCAAJ).
> Many of you argued that CAs should objectively and non-arbitrarily apply
> the issuance and revocation standards of the CA/Browser Forum. The full
> discussion can be read in the email thread referenced above, so I'll forego
> any attempt to recap.
> >>
> >> Potential policy language can be paraphrased from the suggestion made
> in Issue #129, which was to base language on ETSI 319 401--"Practices under
> which the CA operates SHALL be non-discriminatory. The CA SHALL make its
> services accessible to all applicants who meet the requirements and agree
> to abide by their obligations as specified in the CA's terms and
> conditions." Alternative wording might be something like, "Decisions not to
> issue or to revoke a certificate should be based on the unbiased
> application of the CA/Browser Forum's requirements using the objective
> criteria stated therein," OR "CAs shall apply the CA/Browser Forum’s
> issuance and revocation requirements in a non-arbitrary manner."
> >> Is a variation of the language above sufficient? What do you suggest as
> language? Should it be inserted somewhere in section 2 of the MRSP?
> >>
> >> Thoughts?
> >>
> >> Thanks,
> >>
> >> Ben
> >
>
> --
> Josh Aas
> Executive Director
> Internet Security Research Group
> Let's Encrypt: A Free, Automated, and Open CA
>

-- 
You received this message because you are subscribed to the Google Groups 
"dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaa_8Wk4Gs97udUDom%3DzjcQxH-kKKEV3zFwmW%2BiPTxps9Q%40mail.gmail.com.