[cabfpub] What is 'misuse'?
richard.smith at comodo.com
Mon Jul 17 12:48:44 MST 2017
First of all, thank you for taking the time to post a reply. I did the Mozilla discussion when it was happening, and I've reviewed it again. I may be missing something, but the gist of it seems to be that misuse is pretty much whatever the particular CA in question decides it is, and Mozilla seems to have punted by changing the wording to eliminate the word 'misuse' from their policy. Not particularly helpful unless "whatever the CA decides it is" is in fact the accepted definition, which does seem to be the end result of Mozilla's wording as well. It's not particularly useful, as a matter of clarity of the BRs, to need to refer to some discussion that took place eons ago on another forum which only affects one browser's program, not the BRs themselves. And while I don't doubt your recollection that the discussion around Ballot 161 may have touched upon the confusion around 'misuse', the ballot itself did not address it in any way.
It seems that our options are:

1) Accept the de facto definition of misuse = whatever the particular CA decides it means.
   If that's the case then it seems pointless to have it in the BRs at all and we should draft a ballot to remove it, OR;

2) Come up with or find where a normative definition has been supplied and let's put a ballot through to add that to the BRs.
Frankly I'm open to either option because as the case stands now I'm not sure how I, or anyone else, could possibly determine whether or not I'm in compliance with the requirement to revoke a certificate for 'misuse'. The fact that you pointed me to an outside discussion and a failed ballot, rather than some clarifying language w/in the BRs that I may have missed, leads me to believe that you would agree.
From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Monday, July 17, 2017 11:06 AM
To: Rich Smith <richard.smith at comodo.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] What is 'misuse'?
There have been several attempts relating to definitions of both 'misissue' and 'misuse'.
Mozilla attempted to refine its definition in Mozilla Policy 2.4 after substantial discussion at https://groups.google.com/d/msg/mozilla.dev.security.policy/UHRdmKNVAOg/Sqtj-YLdCAAJ
Opera attempted a ballot to require CAs disclose when they perform incorrect issuance - https://cabforum.org/2016/02/12/ballot-161/ - which similarly touched on a substantial discussion of these two words.
On Mon, Jul 17, 2017 at 11:49 AM, Rich Smith via Public <public at cabforum.org> wrote:
> The BRs use the term misuse/misused in multiple places in regards to
> reasons for revocation, and Subscriber representations, but do not define the term.
> What constitutes misuse of a certificate? Phishing? Fraud? Or is it
> only compromise of the private key or other action that results in
> someone who is not authorized being allowed use of the certificate?
> Or is it something else?
> Because it is undefined, interpretations are all over the map. IMO the
> definition needs to be pinned down and codified in the Definitions
> section of the BRs.
> Rich Smith
> Senior Compliance Manager