[cabfpub] FW: [cabfquest] Key Size Exception

Ryan Sleevi sleevi at google.com
Wed Mar 6 22:23:07 UTC 2013


On Wed, Mar 6, 2013 at 2:18 PM, kirk_hall at trendmicro.com <
kirk_hall at trendmicro.com> wrote:

>  Well, if our collective attitude is “No exceptions to the BRs, ever”
> but then we say “But the browsers can grant exceptions if they want”,
> aren’t we being inconsistent?
>
> For my part, I would prefer clear, narrow, time-limited criteria listed in
> the BRs defining when to grant exceptions in common situations involving
> legacy systems (and how to move the customer to compliance with the rules
> in the shortest time possible), where the CA must document that the case
> falls within the criteria, warn the customer of the dangers (if
> appropriate), and be audited by its auditor to determine compliance with
> the BR criteria for granting an exception.  That means all cases for all
> CAs will be subject to the same clear and limited criteria for exceptions.
>
> To me, that’s superior to an ad hoc and potentially inconsistent process
> of asking for – and receiving – exceptions one by one from a pool of
> browsers….
>

Kirk,

I think regardless of what this Forum decides, Browsers/Root Stores will
continue to operate their programs independently. Granting exceptions
through language in the BR certainly can provide a framework, but if no
root store respects or accepts that framework, it serves no end. Likewise,
this Forum may decide NOT to include particular language in the BRs, but
Browsers/Root Stores that are committed to moving the security standard
higher may decide to independently impose such restrictions, for the
protection and safety of their users.

I don't think you're going to find the Forum as a means to circumvent the
independence or discretion of the root store programs; that's why I don't
think it's particularly meaningful to discuss exceptions in the context of
the Forum - it's ultimately as it's always been, in the hands of the root
stores. Including the language in the BR just makes it easier to audit - a
valuable task - but doesn't make it any more or less acceptable.