<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Wait, what? How is it arguable that the wildcard is in the left
most position in this: lab-rct-*.us.kworld.kpmg.com?<br>
Or any of the other certificates indicated in my original email on
this?<br>
<br>
<div class="moz-cite-prefix">On 4/21/2016 4:38 PM, Stephen Davidson
wrote:<br>
</div>
<blockquote
cite="mid:CAA5A5DD4103604CBCF5A9DFEA0E75D1B76F4F44@qvgoex01.qvglobal.local"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">And
it is arguable that the wildcard is in fact “in the
left-most position” … Hence the ballot clarifying that the
sole wildcard must constitute the entirety of the left-most
label.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
<a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Jeremy
Rowley<br>
<b>Sent:</b> Thursday, April 21, 2016 2:55 PM<br>
<b>To:</b> Rich Smith <a class="moz-txt-link-rfc2396E" href="mailto:richard.smith@comodo.com"><richard.smith@comodo.com></a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Proposed new ballot on IP
Addresses in SANs<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">We don't issue these certs, but the
section cited does not say you can't issue them. That is
only a definition of a wildcard cert.<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
Rich Smith <<a moz-do-not-send="true"
href="mailto:richard.smith@comodo.com">richard.smith@comodo.com</a>>
wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">I share
Ryan's concerns. I find it deeply troubling that a member
of this Forum, whose representative is the current Forum
Chair, and which had no small part in drafting the BRs and
seeing them through to adoption is willfully issuing
certificates in direct contravention of the Requirements.
None of us is perfect, but as head of validation for Comodo
I make every effort to ensure that certificates issued by
Comodo are fully compliant with the BRs and EV Guidelines,
business expediency notwithstanding.<br>
<br>
In checking through certlint to try to find certificates
issued with improperly formatted IP addresses, in order that
I might better understand this issue, imagine my surprise to
find several wildcard certificates, also issued by Symantec,
and also in direct contravention of the BRs:<br>
<br>
lab-rct-*.us.kworld.kpmg.com<br>
lab-rct-*.us.kpmg.com<br>
rct-*.us.kpmg.com<br>
<br>
See: <a moz-do-not-send="true"
href="https://crt.sh/?cablint=65&iCAID=1449&opt=cablint">https://crt.sh/?cablint=65&iCAID=1449&opt=cablint</a><br>
<br>
The BRs state, in definitions section:<br>
<br>
<b>Wildcard Certificate:</b> A Certificate containing an
asterisk (*) in the <b>left-most position</b> <i>[emphasis
mine] </i>of any of the Subject Fully-Qualified Domain
Names contained in the Certificate.<br>
<br>
Regards,<br>
Rich Smith<br>
Validation Manager<br>
Comodo<o:p></o:p></p>
<div>
<p class="MsoNormal">On 4/21/2016 8:23 AM, Ryan Sleevi
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, Apr 21, 2016 at 6:13 AM,
Jody Cloutier <<a moz-do-not-send="true"
href="mailto:jodycl@microsoft.com" target="_blank">jodycl@microsoft.com</a>>
wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="background:white"><span
style="font-family:"Calibri",sans-serif;color:black">Ryan, I'm
not sure I understand why Google is so
intent on this new course of public shaming
on this matter and others currently under
discussion, but if it helps to do the right
thing, then fine. The fact is that the
requirement was not addressed, and we need
to figure out how to fix the issue for all
of our customers. Microsoft has addressed
this in Windows 10, but we are not currently
planning on back-porting this change to
previous operating systems. As such, this
change is needed or all of our customers
will be affected. <o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Jody,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Symantec has 8 months to
investigate a solution that doesn't require
violating the BRs nor require violating RFC 5280.
They've admitted, by Rick, that they've instead
chosen to continue to violate the BRs, and are
looking to change the BRs to retroactively make
this behaviour acceptable. That is unquestionably
deserving of censure, on its own merits,
regardless of the option.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Had Symantec shown that the
solution provided to them - which would have
functioned properly for all Microsoft users - was
not in fact viable, in a timely fashion, and for
reasons they could explain, that's certainly
worthy of consideration. But that's clearly not
the case here, and that's unacceptable behaviour
for a publicly trusted CA.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The burden of demonstrating why
the proposed solution doesn't work should exist
with Symantec: They're the only one that can speak
to their customers' needs, they're the only ones
who can investigate the technical viability (as a
publicly trusted CA), and they're the only ones
who can speak as to why such a solution may not be
possible. If the reasons are "because we don't
want to", that should seriously inform the
response to a ballot, but if there are reasons
such as "This doesn't work for reason X", then
that could be a meaningfully compelling reason.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">However, the idea that a Forum
member would actively, intentionally, and
knowingly violate the BRs in order that they may
continue to sell certificates to customers,
participating in defining standards that their
competitors are obligated to follow but which they
themselves do not intend to, and potentially
profiting off the customers for which their
competitors are obligated to refuse but for which
they will clearly accept (in contravention of the
BRs), speaks seriously to acting in bad faith and
in an anti-competitive manner. And that's deeply
troubling.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">To be clear: The censure is for
the behaviour, not for the proposal. Given that
this proposal was raised in the past, addressed in
the past, and in the 8 months since, either no
good-faith effort was put forward OR no good-faith
effort is communicated, is a serious and egregious
breach of public trust, and thus deserving of
strong and direct response, because if that
pattern is practiced and encouraged, it undermines
and eliminates any value in the Forum itself.<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Public mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
<br>
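The disagreement above turns on two readings of the BR "Wildcard Certificate" definition: whether an asterisk merely has to appear somewhere in the left-most label (so <tt>lab-rct-*</tt> still counts), or whether a single asterisk must be the entire left-most label, as the ballot would spell out. The following is an added example, not certlint/cablint code or anything from the thread; it classifies the three names quoted by Rich Smith together with constructed names for contrast and shows which of them a lint would flag under the stricter reading.

```python
"""Classify wildcard use in dNSNames under the two readings of the
BR "Wildcard Certificate" definition.  Added example; not certlint code."""
from enum import Enum


class WildcardUse(Enum):
    NONE = "no asterisk"
    WHOLE_LABEL = "sole asterisk is the entire left-most label"
    PARTIAL_LABEL = "asterisk is only part of the left-most label"
    OTHER = "asterisk in a non-left-most label, or more than one asterisk"


def classify(dns_name: str) -> WildcardUse:
    """Place a dNSName into exactly one of the categories above."""
    name = dns_name.rstrip(".").lower()
    labels = name.split(".")
    if "*" not in name:
        return WildcardUse.NONE
    # More than one asterisk, an asterisk outside the left-most label,
    # or no parent domain at all is not a wildcard under either reading.
    if name.count("*") != 1 or "*" not in labels[0] or len(labels) < 2:
        return WildcardUse.OTHER
    return WildcardUse.WHOLE_LABEL if labels[0] == "*" else WildcardUse.PARTIAL_LABEL


def is_wildcard_loose(dns_name: str) -> bool:
    """Reading argued in the thread: the asterisk only has to sit
    somewhere in the left-most label, so 'lab-rct-*' qualifies."""
    return classify(dns_name) in (WildcardUse.WHOLE_LABEL, WildcardUse.PARTIAL_LABEL)


def is_wildcard_strict(dns_name: str) -> bool:
    """Reading the ballot codifies: the single asterisk must be the
    whole left-most label."""
    return classify(dns_name) is WildcardUse.WHOLE_LABEL


def lint(dns_names):
    """Return {name: reason} for every name containing an asterisk that
    fails the strict reading, i.e. what a BR lint would flag."""
    return {n: classify(n).value for n in dns_names
            if "*" in n and not is_wildcard_strict(n)}


# Names quoted in the thread, followed by constructed names for contrast.
SAMPLE_NAMES = [
    "lab-rct-*.us.kworld.kpmg.com", "lab-rct-*.us.kpmg.com", "rct-*.us.kpmg.com",
    "*.example.com", "www.example.com", "foo.*.example.com", "*.*.example.com",
]

if __name__ == "__main__":
    for name, reason in lint(SAMPLE_NAMES).items():
        print(f"{name}: {reason}")
```

Under the loose reading all three kpmg.com names are "Wildcard Certificates" as defined, which is exactly why the definition alone cannot settle whether they are permitted; under the strict reading the lint flags them alongside the constructed non-left-most and double-asterisk cases.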
</body>
</html>