[cabfpub] What is 'misuse'?
geoffk at apple.com
Mon Jul 17 13:01:16 MST 2017
> On 17 Jul 2017, at 12:48 pm, Rich Smith via Public <public at cabforum.org> wrote:
> First of all, thank you for taking the time to post a reply. I did the Mozilla discussion when it was happening, and I've reviewed it again. I may be missing something, but the gist of it seems to be that misuse is pretty much whatever the particular CA in question decides it is, and Mozilla seems to have punted by changing the wording to eliminate the word 'misuse' from their policy. Not particularly helpful unless "whatever the CA decides it is," is in fact the accepted definition, which does seem to be the end result of Mozilla's wording as well. It's not particularly useful, as a matter of clarity of the BRs, to need to refer to some discussion that took place eons ago on another forum which only affects one browser's program, not the BRs themselves. And while I don't doubt your recollection that the discussion around Ballot 161 may have touched upon the confusion around 'misuse' the ballot itself did not address it in any way.
> It seems that our options are:
> 1) Accept the de facto definition of misuse = whatever the particular CA decides it means
> If that's the case then it seems pointless to have it in the BRs at all and we should draft a ballot to remove it, OR;
One case that I think ‘misuse' does cover is the case where a Key Compromise has not occurred but there have been other circumstances where the key has been accessed. For example, the situation where the key of a subordinate CA is stored in a HSM and has not been exported but it is discovered that an attacker has signed some unknown data with that key.
However this would be clearer if the relevant line said that the private key was misused, not the certificate.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3321 bytes
Desc: not available
More information about the Public