Would it help if we define its antonym e.g. "designed for or capable of
a particular function or use"?
Thanks,
M.D.
On 2018-06-07 17:32, Ryan Sleevi via Public wrote:
On Thu, Jun 7, 2018 at 10:24 AM, Geoff Keating <[email protected]>
wrote:
On Jun 7, 2018, at 1:40 PM, Ryan Sleevi via Public
<[email protected]> wrote:
In the pursuit of a definition, we tried to work backwards - what
are situations we think are misuse.
The dictionary definition of ‘misuse’ is:
use (something) in the wrong way or for the wrong purpose
I'm not sure how this helps us move forward - were you suggesting that
4.9.1.1 would read:
4. The CA obtains evidence that the Certificate was used for the wrong
way or for the wrong purpose;
With such a definition, this supposes there's a right way or right
purpose.
1) Do you believe the right purpose is wholly reflecting in the
Subscriber Agreement or Terms of Use?
2) Do you believe the right way is wholly reflected in the definition
I provided (from 1.1), that the right way is "used for authenticating
servers accessible through the Internet"
Another suggestion was that it involved scenarios where the
Subscriber private key was in an HSM, and itself was not
compromised, but had signed things it was not expected to. This
wasn't elaborated on further - so I'm uncertain if this meant things
other than the TLS handshake transcript - but this is already met by
our definition of Key Compromise in 1.6.1, that is:
""A Private Key is said to be compromised if its value has been
disclosed to an
unauthorized person, an unauthorized person has had access
to it, or there exists a
practical technique by which an unauthorized person may
discover its value. “""
If a key is in a HSM and not exportable, then its value is not
disclosed, nor does an unauthorized person have access *to the
key*. Dictionary definition of ‘access’ is 'obtain, examine,
or retrieve’ none of which apply here. So it is not covered by
Key Compromise.
I'm not sure - what are you providing an example of? I would think
that, say, generating a signed message that was not authorized, then
"an unauthorized person has access to it". Perhaps you could help me
understand this misuse - is it that the signature was authorized and
was directed to sign something that they didn't want to do?
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
