[cabfpub] Misissuance of certificates

"Barreira Iglesias, Iñigo" i-barreira at izenpe.eus
Mon Nov 2 09:07:06 UTC 2015


Hi,

This is the scope of the WG:
Scope: the Working Group shall consider all matters relating to voluntary information sharing among Forum Members relating to possible enhanced risk from identified individuals, entities, identities, locations, domains, IP addresses, and other data to be determined in order to allow Members to determine, in their own judgment, whether to undertake additional authentication or other steps before providing products or services to customers.

As said, it seems that it is only for CABF members and not publicly available as Siggy suggests. And I don't know exactly what you can make publicly available without legal validation in terms of data protection law, i.e., giving names of people affected.


Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.eus 
945067705



ATTENTION! Part or all of this message may be legally protected. The message has an intended recipient. If it has reached the wrong address (mistyped address, transmission failure), please notify the sender by replying to this e-mail. CAUTION!
ATTENTION! This message contains privileged or confidential information to which only the recipient is entitled to have access. If you receive it in error, we would be grateful if you would not make use of the information and would contact the sender.


-----Original Message-----
From: Dean Coclin [mailto:Dean_Coclin at symantec.com]
Sent: Friday, 30 October 2015 19:47
To: Sigbjørn Vik; Barreira Iglesias, Iñigo; public at cabforum.org
Subject: RE: [cabfpub] Misissuance of certificates

I don't believe the ISWG is doing anything specific to this, Ben?

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Sigbjørn Vik
Sent: Friday, October 30, 2015 11:09 AM
To: Barreira Iglesias, Iñigo; public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates

Could anyone in the information sharing working group comment if this is a duplicate effort already covered there, or worthy of a separate ballot?


On 29-Oct-15 08:35, "Barreira Iglesias, Iñigo" wrote:
> Hi,
> 
> It seems to me that this request is one of the aspects the "information sharing" working group is trying to achieve, I don't remember if publicly for the whole world or just for the CABF members.
> 
> 
> Iñigo Barreira
> Head of the Technical Area
> i-barreira at izenpe.eus
> 945067705
> 
> 
> 
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Sigbjørn Vik
> Sent: Wednesday, 28 October 2015 16:41
> To: public at cabforum.org
> Subject: [cabfpub] Misissuance of certificates
> 
> It occasionally happens that a CA misissues a certificate. To improve the certificate ecosystem, we would like information about such incidents to be publicly available. This will allow CAs to learn from others' mistakes, increase transparency, and allow users and vendors to take appropriate countermeasures and determine the trustworthiness of CAs. Over time, this might also indirectly result in fewer misissuances.
> 
> Opera proposes adding text like the following to the BRs.
> 
> 
> In the event that a CA issues a certificate in violation of these requirements, the CA SHALL publicly disclose a report within one week of becoming aware of the violation. public at cabforum.org SHALL be informed about the report, and it SHALL include details about what caused the issuance, time of issuance and discovery, as well as the full public certificate. The report SHALL be made available to the CA's Qualified Auditor for the next Audit Report.
> 
> 
> A CA might still prefer to fix their issues silently, without letting the public know that it had misissued certificates. This amendment does not fix that issue directly. If such misissuance were discovered later, either through CT, through the auditor, or otherwise, the CA would be forced to issue full information. This would still be beneficial in itself, and it would incentivize CAs to avoid misissuance, and be open about it should it happen.
> 
> --
> Sigbjørn Vik
> Opera Software
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> 


--
Sigbjørn Vik
Opera Software