“Guard Rails” is a convenient name for a series of programmatic checks we are putting in place to confirm certificate orders for compliance with specific requirements before issuance can occur. Guard Rails are like Certificate Lints, except that they may
be stricter than what CA/B Forum and root program policies require. By defining and adding these checks, we can eliminate potential sources of misissuance and achieve higher overall issuance quality. This initiative is borne in part from the understanding
that human-based processes are fundamentally error prone, and to the degree we can implement defined machine processes, our error rate will go down.
We
took steps (comment #1) to avoid this bug being seen as an "incident" bug:
Since this bug is intended to be a repository for information and discussion rather than a response to any particular CA Compliance incident, I'm immediately marking it as RESOLVED INCOMPLETE and deliberately not putting [ca-compliance] in the Whiteboard
field. We chose to deviate from the "<CA Name>: <Incident Summary>" bug title format for the same reason.
However, at some point since then somebody decided to add the "[ca-compliance]" whiteboard tag, which seems problematic to us.
In order to clearly identify this type of information sharing "bug", and even to encourage other CAs to consider doing likewise, we would like to propose a new whiteboard tag:
[ca-infosharing]
--
Rob Stradling
Distinguished Engineer
Sectigo Limited