Add definition of "mis-issuance"?

[gerv]

Do we need a formal definition of what we consider mis-issuance? The closest we have is currently a couple of sentence in section 7.3:

A certificate that includes domain names that have not been verified according to section 3.2.2.4 of the Baseline Requirements is considered to be mis-issued. A certificate that is intended to be used only as an end entity certificate but includes a keyUsage extension with values keyCertSign and/or cRLSign or a basicConstraints extension with the cA field set to true is considered to be mis-issued.

This is clearly not an exhaustive list; one would also want to include BR violations, RFC violations, and insufficient EV vetting, at least.

The downside of defining it is that CAs might try and rules-lawyer us in a particular situation.

[cem-]

How about specifically including things that are violations of the Mozilla policy that aren't BR/RFC violations? (e.g. an s/mime cert signed with SHA-1 from a non-serverAuth chain or low entropy SHA-1)
Maybe some high-level statement about disallowing anything that is a violation of 'this document'.

[gerv]

How about this?

"The category of mis-issued certificates includes (but is not limited to) those issued to someone who should not have received them, those containing information which was not properly validated, those having incorrect technical constraints, and those using algorithms other than those permitted."

[cem-]

lgtm

[gerv]

This text would go in section 7.3 ("Removals").

[yuhong]

It is probably a good idea to exempt the https://www.iana.org/domains/reserved domains from the definition.

[gerv]

Why? Those domains are still owned by someone (IANA in this case).