[cabfpub] Require commonName in Root and Intermediate Certificates ballot draft (2)

Dimitris Zacharopoulos jimmy at it.auth.gr
Mon Apr 17 16:43:53 UTC 2017


I remember this being discussed at the Bilbao meeting and it was also in 
the published minutes 
<https://cabforum.org/2016/02/17/2016-02-17-minutes-of-f2f-meeting-37/#Compliance-Assessment-Coordination-with-auditors-and-browsers>. 
It was a very interesting discussion and the minutes describe the 
conversation well.

Perhaps this is not the case with every auditor but there might be 
auditors out there that actually try to verify adherence to section 2.2 
that CAs must be compliant with the latest version of the BRs. So, I 
think adding reasonable effective dates solves this problem.


Dimitris.


On 17/4/2017 6:24 PM, Ryan Sleevi wrote:
>
>
> On Mon, Apr 17, 2017 at 11:16 AM, Dimitris Zacharopoulos via Public 
> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>
>     When a CA is being audited for a period-in-time (say June 2016 -
>     June 2017), they are usually audited against an audit criteria
>     (Webtrust or ETSI) that incorporate a certain version of the BRs,
>     usually not the latest. If they are audited with the latest
>     version of the BRs that don't take into consideration a transition
>     phase for some cases like the timestamping issuance or the
>     Intermediate CA Certificate without a CN, it might lead to problems.
>
>     For example, if a CA issued an Intermediate CA Certificate in
>     August 2016 without a CN, and the BRs were updated in May 2017,
>     when the auditor comes in at the end of the audit period in June
>     2017 and checks everything against the latest BRs, they will
>     consider the Intermediate CA issued in August 2016 as being
>     mis-issued. Of course the CA can explain to the auditors that the
>     BRs changed in May 2017 and enter a discussion with them but why
>     shouldn't we try to avoid this?
>
>
> The Scottsdale F2F identified this is not the case for WebTrust 
> audits. Do you believe it to be the case for ETSI?
>
> In both cases, the governing section is Section 2.2 of the BRs. I'm 
> unaware of any auditor who has done what you have said, and we've 
> explicitly heard statements that contradict your summary, so it would 
> be useful if you can share any data, either with the Forum or to the 
> Browser members. In the absence of that evidence, I don't believe 
> you've summarized correctly.
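The effective-date point made in this exchange, as an added example that is not code from the thread, the ballot, or any Forum tool: a toy lint for the "CA certificate without a CN" rule that is scoped by an effective date, run over constructed certificate records for the June 2016 - June 2017 audit period described above. The effective date, the certificate records and the function names are all assumptions for illustration.

```python
from datetime import date


def _d(s):
    """Parse an ISO date string (YYYY-MM-DD)."""
    return date.fromisoformat(s)


# Constructed sample records; in practice the fields come from the parsed
# certificate (subject DN attributes, notBefore, basicConstraints cA flag).
CA_CERTS = [
    {"name": "intermediate-2016", "not_before": "2016-08-15", "is_ca": True,
     "subject": {"O": "Example CA Org", "C": "GR"}},             # no CN
    {"name": "leaf", "not_before": "2017-03-01", "is_ca": False,
     "subject": {"CN": "www.example.test"}},
    {"name": "intermediate-2017", "not_before": "2017-09-01", "is_ca": True,
     "subject": {"O": "Example CA Org", "C": "GR"}},             # no CN
    {"name": "intermediate-ok", "not_before": "2017-09-01", "is_ca": True,
     "subject": {"CN": "Example Issuing CA", "O": "Example CA Org"}},
]

# Assumed effective date for the commonName requirement; the ballot text,
# not this example, fixes the real date.
CN_REQUIRED_EFFECTIVE = "2017-06-01"


def lint_ca_common_name(cert, effective=CN_REQUIRED_EFFECTIVE):
    """Return 'NA' if the rule does not apply, otherwise 'PASS' or 'ERROR'."""
    if not cert["is_ca"]:
        return "NA"              # rule covers root/intermediate CA certs only
    if _d(cert["not_before"]) < _d(effective):
        return "NA"              # issued before the requirement took effect
    return "PASS" if cert["subject"].get("CN") else "ERROR"


def audit(certs, period_start, period_end, effective=CN_REQUIRED_EFFECTIVE):
    """Lint each cert issued within the audit period; map name -> result."""
    start, end = _d(period_start), _d(period_end)
    return {c["name"]: lint_ca_common_name(c, effective)
            for c in certs if start <= _d(c["not_before"]) <= end}


if __name__ == "__main__":
    # The thread's scenario: June 2016 - June 2017 audit period, rule with effective date.
    print(audit(CA_CERTS, "2016-06-01", "2017-06-01"))
    # Same period, but the rule applied retroactively (no effective date).
    print(audit(CA_CERTS, "2016-06-01", "2017-06-01", effective="1970-01-01"))
```

With the effective date in place the August 2016 intermediate is reported as not applicable rather than as an error; without one the same certificate fails, which is the auditor discussion the message wants to avoid.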
