[cabfpub] Misissuance of certificates

Eric Mill eric at konklone.com
Thu Jan 14 03:24:13 UTC 2016


On Wed, Jan 13, 2016 at 6:14 AM, Eneli Kirme <Eneli.Kirme at sk.ee> wrote:

>
> There’s also been discussion that malformed certificates are in scope. The
> problem with these is that not all technical errors have an impact on
> security and some of them can go unnoticed for quite some time and involve
> large amounts of certificates.
>

Not all malformations of X.509 certificates are violations of the BRs.

If a CA is systematically issuing large tranches of certificates in
violation of the BRs, that points to a significant potential security gap
in the CA's code and/or audits, regardless of whether the particular
discovered technical error poses an immediate security threat to users at
that moment.


> Putting all of them onto the Internet without unified means for automated
> querying would lower the value of such reporting.
>

I don't think that's true. Bulk data for expert users to sort out, and to
potentially design their own search interface for themselves or the public
to use, is of high value.

-- Eric



> > On 05 Jan 2016, at 17:19, Sigbjørn Vik <sigbjorn at opera.com> wrote:
> >
> > How about the following:
> >
> > public at cabforum.org SHALL be informed about the report. If the CA cannot
> > post directly, it SHALL inform questions at cabforum.org, and the CA/B
> > Forum chair SHALL forward to the list.
> >
> > On 05-Jan-16 16:10, Dean Coclin wrote:
> >> Commenting on this part:
> >>
> >> "public at cabforum.org SHALL be informed about the report, if the CA cannot
> >> post directly, it SHALL inform the CA/B Forum chair who SHALL inform the
> >> list."
> >>
> >> If a CA is not a member of the forum, they won't have public list posting
> >> privileges and may not know the email address of the Chair/Vice Chair (they
> >> are not posted on our website). Hence I would suggest they email the
> >> "questions" list
> >>
> >> Dean
> >>
> >> -----Original Message-----
> >> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> >> Behalf Of Sigbjørn Vik
> >> Sent: Friday, December 18, 2015 9:08 AM
> >> To: public at cabforum.org
> >> Subject: Re: [cabfpub] Misissuance of certificates
> >>
> >> Hi,
> >>
> >> The discussion on this topic seems to have died down, I hope that means we
> >> can proceed to a ballot. Anyone willing to endorse?
> >>
> >> The suggested exception for constrained intermediates did not seem to solve
> >> the problem it was intended to solve, and nobody spoke up for it, so I have
> >> removed it. The text would then be:
> >>
> >>
> >> 2.2.1 Information of incorrect issuance
> >>
> >> In the event that a CA issues a certificate in violation of these
> >> requirements, the CA SHALL publicly disclose a report within one week of
> >> becoming aware of the violation.
> >>
> >> public at cabforum.org SHALL be informed about the report, if the CA cannot
> >> post directly, it SHALL inform the CA/B Forum chair who SHALL inform the
> >> list.
> >>
> >> The report SHALL publicize details about what the error was, what caused the
> >> error, time of issuance and discovery, and public certificates for all
> >> issuer certificates in the trust chain.
> >>
> >> The report SHALL publicize the full public certificate, with the following
> >> exception: For certificates issued prior to 01-Mar-16 the report MAY leave
> >> out Subject Distinguished Name fields and subjectAltName extension values.
> >>
> >> The report SHALL be made available to the CA's Qualified Auditor for the next
> >> Audit Report.
> >>
> >> --
> >> Sigbjørn Vik
> >> Opera Software
> >> _______________________________________________
> >> Public mailing list
> >> Public at cabforum.org
> >> https://cabforum.org/mailman/listinfo/public
> >>
> >
> >
> > --
> > Sigbjørn Vik
> > Opera Software
>
>



-- 
konklone.com | @konklone <https://twitter.com/konklone>