Hi, Please see NBP’s response to Matthias and Ryan’s comments. 2020년 10월 22일 목요일 오전 3시 29분 40초 UTC+9에 Ryan Sleevi님이 작성한 내용: > On Wed, Oct 21, 2020 at 2:09 PM Matthias van de Meent via > dev-security-policy <dev-secur...@lists.mozilla.org> wrote: > > > Hi, > > > > In the CPS v1.4.3 of NAVER, section 4.9.3, I found the following: > > > > > 4.9.3 Procedure for Revocation Request > > > The NAVER BUSINESS PLATFORM processes a revocation request as follows: > > > [...] > > > 4. For requests from third parties, The NAVER BUSINESS PLATFORM > > personnel begin investigating the request within 24 hours after receipt and > > decide whether revocation is appropriate based on the following criteria: > > > a. [...], b. [...], c. [...], d. [...] > > > e. Relevant legislation. > > > > The wording here is concerning, as it points to potential legislation > > that could disallow NAVER from revoking problematic certificates. Also > > of note is that this 'relevant legislation' is not referenced in > > section 9.14, Governing Law, nor in 9.16.3, Severability (as required > > per BRs 9.16.3). > > > If I understand your concern, you're concerned about a decision to /not/ > revoke a given certificate, correct? You're indeed accurate that a > certificate that violated the BRs, but was not revoked according to > relevant legislation, would be a BR violation and the CA would have been > required to previously disclose this according to 9.16.3. > > However, CAs are also free to *add* reasons for revocation, and to consider > part of their investigation. relevant legislation which might lead to > revocation even if it wasn't a violation of NAVER's CP/CPS. This is totally > fine, and all CAs are entitled to add additional requirements, and for > relying parties/root programs to consider those reasons relevant to their > user communities. >
For Ryan’s comment on section 9.14 and 9.16.3 of NBP’s CPS, NBP would have stipulated an issue in section 9.14 and I would have notified it to CA Browser Forum in advance if there had been national laws and regulations which affect certificates revocation in our territory. However, we found that there are no South Korea’s laws and regulations which affect or refuse the revocation of certificates that violated the BRs issued by a commercial CA. A certificate that violated the BRs, but was not revoked according to relevant legislation, has not happened since NBP started providing certificate services. > Note that, in this case, the particular language you're concerned about is > part of the BRs themselves, in 4.9.5. However, this is about "when" to > revoke. > > I think you raise an interesting point that would benefit from > clarification from NAVER, because I think you're correct that we should be > concerned that the shift from "when" to revoke has become "whether" to > revoke, and that is an important difference. I agree on the above Ryan’s comment. NBP will exclude the criteria that CA should consider to select the revocation time in section 4.9.3 and add them in Section 4.9.5. As NBP complies with the laws of the Republic of Korea, the following will be added in section 9.14 of NBP CPS. “This CPS is governed, construed and interpreted in accordance with the laws of Republic of Korea. This choice of law is made to ensure uniform interpretation of this CPS, regardless of the place of residence or place of use of NAVER BUSINESS PLATFORM Certificates or other products and services. The law of Republic of Korea applies also to all NAVER BUSINESS PLATFORM commercial or contractual relationships in which this CPS may apply or quoted implicitly or explicitly in relation to NAVER BUSINESS PLATFORM products and services where NAVER BUSINESS PLATFORM acts as a provider, supplier, beneficiary receiver or otherwise." > > I also noticed that the "All verification activities" type of event is > > not recorded, or at least not documented as such. This is a > > requirement from BRs 5.4.1(2)(2). > > > Thanks for the excellent attention to detail! I agree, this would be > concerning, especially given the importance this log has been in > investigating CA misissuance in the past. Actually, NBP records all verification activities as well as other events stipulated in BRs section 5.4.1. I think that all verification activities is included in NBP CPS, section 5.4.1 Certificate lifecycle-related event. However, as Matthias mentioned, it may not look clearly. I would consider modifying the CPS section according to BRs section if it's necessary to avoid ambiguity. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
