[cabfpub] Naming rules

Kirk Hall Kirk.Hall at entrustdatacard.com
Mon Mar 6 06:37:14 UTC 2017


I disagree.

BR 9.16.3 was intended to let applicable law supersede the BRs (of course), and therefore the WebTrust / ETSI audit standards for the BRs as well, so that a CA that is following applicable law (which we all must do) will NOT receive a qualified audit, so long as the CA calls out the divergence from the BRs due to applicable law – that’s the point of BR 9.16.3.  The resulting audit (so long as it notes this divergence due to local law) should be unqualified, not qualified.  In my opinion, any other interpretation is dead wrong.

Take a look at all of our Terms of Service / User Agreements, etc.  They typically say that in the event of a conflict between local law and the terms of our agreement, local law will prevail (i.e., the agreement will be modified to the minimum extent necessary to comply with local law).  If you don’t believe me, please consult with your own legal departments to confirm.

The same should apply to the BRs and the WebTrust / ETSI BR requirements – they must be reformed (waived, modified) to the extent necessary to comply with local law, so long as the modification is called out to the public.  Anything else is picking a fight with governments for no good reason.

Why don’t we ask the WebTrust / ETSI auditors how they recommend we deal with conflicts between the BRs and applicable law?  They are the experts on audit processes – not the rest of us.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Sunday, March 5, 2017 6:08 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Peter Bowen <pzb at amzn.com>; Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [cabfpub] Naming rules



On Sun, Mar 5, 2017 at 5:18 PM, Kirk Hall via Public <public at cabforum.org> wrote:
+1.  Seems like a good resolution to me - full disclosure to users and browsers, deference to local law where applicable as provided in BR 9.16.3 (local users are probably already used to any local customs on naming rules), and avoids the need for the Forum to try to understand and approve/disapprove local naming rules one by one.  Allows auditors to complete successful audits with disclosure, and the trust list maintainers receive notice and can make their own decisions.

I think it's worth pointing out, again, that deference to local law, as you suggested, only applies in exceptionally limited cases - and on the basis of the provided evidence, does not apply.

I think this is crucial for the Forum's members - and auditors who may be following - to understand and appreciate.