cabforum / servercert

Repository for the CA/Browser Forum Server Certificate Chartered Working Group
https://cabforum.org/working-groups/scwg/

Replace "Applicant" with "Subscriber" in BR 4.9.1.1 (9) #458

Open CBonnell opened 1 year ago

CBonnell commented 1 year ago

BR 4.9.1.1 says:

> The CA is made aware of any circumstance indicating that use of a Fully‐Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant’s right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name) (CRLReason #5, cessationOfOperation);

It was pointed out that "Applicant" should be "Subscriber", as the Certificate has already issued.

aarongable commented 1 year ago

It may be worth updating this sentence to remove some other perceived ambiguities.

So I would be in favor of removing the last example.


There's also the question of: do we want this clause at all?

If a CA receives a direct order to revoke, then of course they should do their due diligence and comply with legal orders from relevant jurisdictions. We don't need language in the BRs saying that, the laws themselves say that.

If a CA doesn't receive a direct order to revoke and is just "made aware that use of the FQDN is no longer legally permitted", but it remains listed in the DNS, then isn't it better to leave any existing certificates in place so that (e.g.) investigative journalists can securely and privately view the still-accessible content?

So it seems to me like this point is not actually necessary at all. CAs will revoke when they receive legal orders to do so, and otherwise should not revoke as long as the domain remains accessible.

dzacharo commented 1 year ago

> If a CA receives a direct order to revoke, then of course they should do their due diligence and comply with legal orders from relevant jurisdictions. We don't need language in the BRs saying that, the laws themselves say that.

IMO the CP/CPS should include some notice to RPs, Subscribers and other third parties about things that may happen. Warning about the possibility of revocation due to other legal requirements and providing some illustrative examples seems useful.

The use of the word "Law" in the BRs is mentioned in a handful of places, and although it repeats the obvious (Laws must be followed), I believe it's ok to serve as a reminder to emphasize this aspect in some areas (e.g. personal data protection, licensing, etc).

> and otherwise should not revoke as long as the domain remains accessible

This assumption might be interpreted and treated differently depending on the CA's jurisdiction and local Laws. A Certificate might be ordered to be revoked before the Domain Name is taken down.

From yesterday's Validation Subcommittee call, my understanding was that we should try to rephrase the language to highlight that the list of examples is an illustrative list of cases that might fall under this revocation reason, which would address at least the largest part of the concerns. Did I misunderstand that part?

aarongable commented 1 year ago

> A Certificate might be ordered to be revoked before the Domain Name is taken down.

Agreed, which is why I said "...and otherwise (i.e. when not presented with a lawful order) should not revoke...".

> we should try to rephrase the language to highlight that the list of examples is an illustrative list of cases that might fall under this revocation reason

Yep, also agreed. I prefer removing the item entirely, but am happy to have it rephrased. I think part of that rephrasing should include removing the last of the examples.

aarongable commented 2 months ago

Concrete proposal: let's remove the second and third examples in the parenthetical. They do not constitute actual examples of "no longer legally permitted".

The resulting text would be:

  1. The CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant's right to use the Domain Name) (CRLReason # 5, cessationOfOperation);