[Servercert-wg] Ballot SC30: Disclosure of Registration / Incorporating Agency

Ryan Sleevi sleevi at google.com
Wed Jun 17 06:53:53 MST 2020


On Wed, Jun 17, 2020 at 9:36 AM Pedro FUENTES <pfuentes at wisekey.com> wrote:

> Hello,
> I’d have a comment on the proposed wording, but I don’t find the right way
> to post it on GitHub.
>

You can use https://github.com/cabforum/documents/pull/194 to do this (in
the Files tab, you can click + next to any line to leave an in-line
comment, as well as suggest changes)


> Would it be acceptable to allow a certain margin to disclose the agency
> “after x days of issuance”, instead of forcing it to be always “prior”?
>

> My rational is trying to cover the situation where it comes a request from
> a country/region unusual for the CA and it has to use a new agency that
> wasn’t listed yet. This would allow that the CA can issue the certificate
> after choosing the right agency, and it should still commit to disclose the
> sources, but this wouldn’t block the issuance. A reasonable time could be 3
> days, for example.
>

This was discussed in the Validation WG, but unfortunately, this fails to
meet the goal of ensuring transparency and auditability. The intent is,
just like any other validation process, the validation needs to be
completed before you actually issue.

The process is designed to be so incredibly lightweight that post-facto
disclosure should not be necessary, and no different than validating new
documents. If you anticipate significant challenges disclosing, above and
beyond the validation process, it would be useful to explain why.

The danger of such an allowance is, unsurprisingly, that such disclosures
fail to happen. It also makes it indistinguishable from misissuance.
Finally, it doesn't help the overall goal, which is having concrete data
about these scenarios, that can be neutrally, objectively, and
independently assessed, which of course is critical to finding a viable
long-term solution to ensure cross-CA consistency.

So yes, this was discussed, but it also was rejected. It's difficult to see
how such post-facto disclosure would be able to meet these goals. Please
let me know if there was something overlooked, however!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20200617/e414a2d8/attachment.html>


More information about the Servercert-wg mailing list