Dear Members,
While monitoring a specific recent bugzilla incident, I realized that it
is very easy to unintentionally misinterpret some parts within the Forum
Guidelines that can lead to compliance problems. I think it is our
obligation as a Forum to monitor compliance issues reported by CAs or
independent researchers and in case of repeated incidents, suggest
clarification language in the Forum's Guidelines. Nobody wants more
incidents, but a repeated pattern doesn't necessarily mean negligence on
the CA's part. It could very well be that the Guidelines are not well
written in some areas.
In that regard, I would strongly encourage our Certificate Consumer
Members, that continuously review and monitor incidents, to search for
common patterns and try to locate the language in the Forum Guidelines
that might be somewhat unclear, and work on improving those parts. Even
if the language seems "clear enough", for cases that have caused
multiple incidents by multiple CAs, it might be worth to add NOTES or
NOTICES to highlight non-acceptable practices that have been
misunderstood my multiple CAs.
The Delegated Third Party concept is understandably very open and not
very well defined. I recommend all WGs to try and clarify how DTPs could
be used in the certificate lifecycle process, including
Domain/Identity/Email Validation but also in the supporting
infrastructure services like compute, storage, network, backup, WHOIS,
DNS, Email, regular post, SMS, and more. Perhaps this is a task for the
Network Security Working Group but some elements are specific to other WGs.
My recommendation to all WGs is that when we see repeated patterns of
practices that, by consensus, are not acceptable and do not meet the
spirit and language of the Guidelines, try to highlight them in a type
of "practices clarification" ballot series.
Best wishes for a Happy New Year to all!
Dimitris.
CA/B Forum Chair
_______________________________________________
Public mailing list
Public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/public
