I agree with the goal of getting this information out there, and using the CAB Forum this way seems in scope. Per the bylaws: “Members of the CA/Browser Forum have worked closely together in defining the guidelines and means of implementation for best practices as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.” (Section 1)
However, I’m struggling to see why the CAB Forum would want to collect this info as a requirement rather than allowing CAs to submit the information voluntarily when there are questions. Usually, we require the location of the disclosure be set in the CPS/CP, not as an email to the CAB Forum. Shouldn’t we follow that format here?

From: Ryan Sleevi [mailto:sle...@google.com]
Sent: Wednesday, September 13, 2017 12:28 PM
To: Jeremy Rowley <jeremy.row...@digicert.com>
Cc: CA/Browser Forum Public Discussion List <public@cabforum.org>
Subject: Re: [cabfpub] Ballot 213 - Revocation Timeline Extension

On Wed, Sep 13, 2017 at 2:14 PM, Jeremy Rowley <jeremy.row...@digicert.com> wrote:

If we’re trying to require transparency, I’d rather see a requirement to publish all certificate problem reports within 24 hours, regardless of resolution. First, this accomplishes the goal in a more straightforward manner. Second, publication separates the transparency goal from the resolution timeline frames.

24 hours to publish
24-7 days to investigate/fix
24-7 days to revoke

The other question is where should these be published. The CAB Forum questions list seems like the wrong place. The CAB Forum isn’t the mis-issuance police (the browsers are). The questions list in particular is intended for third party questions about the CAB Forum requirements. The Mozilla dev list is a better place to publish. If that’s the case, wouldn’t a publication of certificate problem reports be better presented as a Mozilla root store requirement?

I think that's conflating publication with response, and I think it presupposes that response only originates from the root program side. Note I didn't suggest the goal of transparency was to facilitate the misissuance police - it was to promote information sharing and disclosure to allow improved policies, practices, and guidelines. And that very much seems a CA/B Forum activity.
Whether or not there is (separately) a conversation about misissuance does seem like something for policy enforcement and not necessarily the remit of the CA/B Forum.
_______________________________________________ Public mailing list Public@cabforum.org https://cabforum.org/mailman/listinfo/public