[cabfpub] Question/concern regarding Baseline Requirements auditing/enforcement

Ryan Sleevi sleevi at google.com
Tue Jul 30 14:18:05 MST 2013

[Cross-posted to the Mozilla dev.security.policy mailing list]

Over the course of normal spot checking of certificates, Google has
recently become aware of a number of certificates that have been
recently signed by a CA that appear to violate the Baseline
Requirements and one or more Root Program Member requirements. The
certificates are also inconsistent with the CA's stated CPS.

While the exact nature of the violation does not represent a practice
that would be considered imminently threatening to the overall web
security, we are particularly concerned about the interpretation of
the requirements that leads to this situation, and would like to see
broader community input and guidance on this matter.

The specific certificates are issued by GoDaddy/Starfield
Technologies. The specific issue at hand is the certificate validity
dates. Contrary to the BRs, and to the stated CPS (Section 7.1.4 "End
Entity SSL Certificates", and Section 6.3.2, "Usage periods for the
Public and Private Keys"), the certificates issued have validity
lifetimes exceeding 60 months. An example of such a certificate has
been attached, which demonstrates a 74-month validity period.

When contacted regarding this issue, GoDaddy has indicated that such
certificates were originally purchased while a previous CPS was in
place, and that through both policy and contractual obligations, they
allow customers to rekey certificates at any time during the original
purchase validity.

Our concern is that such an interpretation enables dangerous or
discouraged practices. Further, our view is that any and all
certificates signed after a given date of compliance with the Baseline
Requirements, a Root Program, or an Audit Requirement should be
compliant with the appropriate policies in effect at the time of
signing. Certificate Authorities should be prepared for any necessary
changes to the issuance infrastructure to respond to threats to the
Web PKI, and thus should take care to ensure the ability to comply
with future Root Program requirements or Baseline Requirements that
may be needed to deal with these issues.

We'd like to solicit feedback from the broader community - auditors,
CAs, root program operators, and relying parties - to better
understand if this is a shared concern.
-------------- next part --------------
A non-text attachment was scrubbed from the archive:
Name: satveda.pem
Type: application/octet-stream
Size: 11245 bytes
URL: https://cabforum.org/pipermail/public/attachments/20130730/d62ffa35/attachment.obj

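The check that surfaces certificates like the one described above, as an added example that is not part of Ryan Sleevi's message and not GoDaddy's or Google's code: it parses a PEM certificate, measures the validity period in whole calendar months, and flags anything over the 60-month ceiling the post cites. The attached satveda.pem is not reproduced here; instead the example constructs its own self-signed test certificates with the signing date from the post and two validity windows (60 and 74 months). The subject name www.example.test and the month-counting convention are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// brMaxValidityMonths is the ceiling the post refers to: subscriber
// certificates signed under the Baseline Requirements in force in 2013 could
// not be valid for more than 60 months. Assumption for this example: the
// period is measured as whole calendar months from notBefore to notAfter.
const brMaxValidityMonths = 60

// validityMonths returns the number of whole calendar months from notBefore
// to notAfter. A trailing partial month does not count
// (30 Jul -> 29 Aug is 0 months, 30 Jul -> 30 Aug is 1).
func validityMonths(notBefore, notAfter time.Time) int {
	months := (notAfter.Year()-notBefore.Year())*12 +
		int(notAfter.Month()) - int(notBefore.Month())
	if notAfter.Day() < notBefore.Day() {
		months--
	}
	return months
}

// checkValidity decodes one PEM certificate and returns its validity period
// in months and whether that period is within brMaxValidityMonths.
func checkValidity(pemBytes []byte) (months int, compliant bool, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, false, fmt.Errorf("input does not contain a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, false, fmt.Errorf("parse certificate: %w", err)
	}
	months = validityMonths(cert.NotBefore.UTC(), cert.NotAfter.UTC())
	return months, months <= brMaxValidityMonths, nil
}

// makeTestCert builds a self-signed leaf with the requested validity window.
// This is constructed test data standing in for the satveda.pem attachment,
// which is not reproduced here; the subject name is hypothetical.
func makeTestCert(notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Signing date taken from the post; the two windows are a compliant
	// 60-month certificate and a 74-month one like the attached example.
	issued := time.Date(2013, time.July, 30, 0, 0, 0, 0, time.UTC)
	for _, want := range []int{60, 74} {
		p, err := makeTestCert(issued, issued.AddDate(0, want, 0))
		if err != nil {
			panic(err)
		}
		months, ok, err := checkValidity(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("validity %d months, within %d-month limit: %v\n",
			months, brMaxValidityMonths, ok)
	}
}
```

Run against a real PEM by replacing the constructed input with the file contents; the only thing the check needs from the certificate is the Validity sequence, so it works on any parseable X.509 certificate regardless of issuer.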