<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ryan (Sleevi),<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div><div><div><div><div><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>></span><span style='font-size:9.0pt;font-family:"Arial","sans-serif";color:#1F497D'> </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>So then the argument here is that this is a UI issue, and has been mentioned elsewhere by several browsers, I don't believe<span style='color:#1F497D'><o:p></o:p></span></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>> </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> there is present interest in discussing mandatory UI behaviours, which this proposal feels like a direct run-around to. 
While<span style='color:#1F497D'><o:p></o:p></span></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'>> </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I'm sure I can speak for all browser vendors when I say that user security is at the forefront of our concerns, I don't believe<span style='color:#1F497D'><o:p></o:p></span></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'>> </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>this is the best way to spark those discussions by proposing to forbid some forms of DV simply because you disagree with<span style='color:#1F497D'><o:p></o:p></span></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'>> </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>the UI afforded to DV.</span><span style='font-size:9.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p></o:p></span></p></div></div></div></div></div></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The issue is not so much about the UI (though I am sure we all agree it could be improved) but about what the binding in the certificate says.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Fundamentally, a certificate is a binding of a key to an identity, the presumption of which is that the holder of the key is the named entity. 
Certificates where there is no discernible binding to the entity that holds the key provide relying parties no way to tell who can see the data in flight, which, in the case of SSL, is the reason the certificates are used.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>This is the problem this proposal is trying to address.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial","sans-serif";color:#1F497D'>> </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Again, as has been repeatedly mentioned, if Mallory, the recipient of such certificates, possesses three certificates - one <span style='color:#1F497D'><o:p></o:p></span></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>> </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>for <a href="http://www.bankofamerica.com">www.bankofamerica.com</a>, one for <a href="http://www.bobsbits.com">www.bobsbits.com</a>, and one for both - then she is fully capable of decrypting all traffic.<span style='color:#1F497D'><o:p></o:p></span></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>> </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Requiring that Mallory be issued two distinct certificates has no practical or marginal security benefits over issuing Mallory a<span style='color:#1F497D'><o:p></o:p></span></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>> </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>single certificate. 
The only reason to mention that Mallory can see/decrypt all information is to suggest that with two DV<span style='color:#1F497D'><o:p></o:p></span></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>> </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>certs she somehow cannot - e.g. that there are security benefits - and it has been shown that there are not.</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>True, but in this case a relying party knows that this is the case, and that is an important difference.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial","sans-serif";color:#1F497D'>></span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'> </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>If you believe there are situations where Bank of America (or any other organization, big or small) may not be aware that <span style='color:#1F497D'><o:p></o:p></span></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>> </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>certificates have been issued for domains under their control, please let the browsers know so that they can respond<span style='color:#1F497D'><o:p></o:p></span></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>> </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>appropriately.</span><span 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Of course, this is not the problem this proposal is trying to address; this is about the relying party, not the subscriber.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ryan (Hurst)<o:p></o:p></span></p></div></div></div></div></body></html>