<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#44546A;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'>+1 because we agree with Jeremy that the wildcard language does not clearly preclude these types of wildcards. I’ll start a separate thread.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'>-Rick<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Eric Mill<br><b>Sent:</b> Thursday, April 21, 2016 12:59 PM<br><b>To:</b> Jeremy Rowley <jeremy.rowley@digicert.com><br><b>Cc:</b> public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] Proposed new ballot on IP Addresses in SANs<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><div><p class=MsoNormal style='margin-left:.5in'>I would strongly recommend separating the wildcard discussion into a separate thread, if it's a BR ambiguity or potential misissuance that deserves separate remediation.<o:p></o:p></p><div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'>That would help this thread stay on target as a discussion of whether or not Symantec's proposed change is reasonable, rather than a debate about Symantec as a company.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'>-- Eric<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><div><p class=MsoNormal style='margin-left:.5in'>On Thu, Apr 21, 2016 at 3:48 PM, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:.5in'>In the SAN section of the BRs it simply says, "Wildcard FQDNs are permitted." To know WHAT is permitted you MUST look to the definition, and the definition clearly states "...left most position..." Clearly these certificates are non-compliant. And I don't buy for second that that's not understood by anyone who has participated in Forum discussions for any length of time.<br><span style='color:#1F497D'>[JR] Wildcard FQDNs are not defined. Wildcard certs are. Although I do think wildcards characters should be limited to the left most label, what is understood is largely irrelevant. The langue matters and what the BRs say is definitely ambiguous and unclear. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:.5in'>And have we devolved to the point that we're now creating and editing requirements only to then go forth and have a competition to see which CA can out-do the others in finding loopholes in them? Is that what this Forum has become? If so, then what are we doing here? Let's shutter the place and walk away. <br><span style='color:#1F497D'>[JR] Pretty sure that’s the nature of any industry standards body. Plus, I think its incorrect to assume that anyone with a different interpretation of a section is willfully looking for loopholes. Precise language in any standard is important, especially when you consider that non-native English speakers are reviewing the document. In any event, if everyone agreed with interpretation, amending guidelines for language clarity should be a simple task. Clearly Symantec interpreted the requirement differently than Comodo or DigiCert. However, given the language, I can’t agree that the certs are being mis-issued. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:.5in'>The IP address certs that started this discussion aren't even a loophole. They are specifically and clearly non-compliant. Now I'm not a lawyer, but I do view the action of issuing them as anti-competitive. I've had specific cases wherein I couldn't issue EV certificates to labor unions in the U.S. for YEARS because the wording in the EV Guidelines at the time did not allow for them. I came here, I advised the Forum of my plight, and asked for a solution. No one disagreed that they clearly legally existed as an organization, but the solution was caught up in haggling over minutiae for YEARS before a suitable change to the Guidelines was officially adopted. I didn't just go ahead and issue the certificates anyway, I waited for the Forum to arrive at a consensus and fix the problem. And as a participant in good faith here, that's what I expect of other participants.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>[JR] Which is why I’m petitioning to modify the requirements now. We have a definite use case where they are required by a major browser. I’d like to see that accommodated. What happens with the certs issued prior to changing the requirements, as always, is up to the browsers. The CAB Forum has never had an enforcement mechanism. Without the browsers adoption, the guidelines are merely advisory. The EV processing document for example.</span><o:p></o:p></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>On 4/21/2016 12:54 PM, Jeremy Rowley wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>We don't issue these certs, but the section cited does not sat you can't issue them. That is only a definition of a wildcard cert.<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:.5in'><br><br>Rich Smith <a href="mailto:richard.smith@comodo.com" target="_blank"><richard.smith@comodo.com></a> wrote:<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:.5in'>I share Ryan's concerns. I find it deeply troubling that a member of this Forum, whose representative is the current Forum Chair, and which had no small part in drafting the BRs and seeing them through to adoption is willfully issuing certificates in direct contravention of the Requirements. None of us is perfect, but as head of validation for Comodo I make every effort to ensure that certificates issued by Comodo are fully compliant with the BRs and EV Guidelines, business expediency notwithstanding.<br><br>In checking through certlint to try to find certificates issued with improperly formatted IP addresses, in order that I might better understand this issue, imagine my surprise to find several wildcard certificates, also issued by Symantec, and also in direct contravention of the BRs:<br><br>lab-rct-*.<a href="http://us.kworld.kpmg.com" target="_blank">us.kworld.kpmg.com</a><br>lab-rct-*.<a href="http://us.kpmg.com" target="_blank">us.kpmg.com</a><br>rct-*.<a href="http://us.kpmg.com" target="_blank">us.kpmg.com</a><br><br>See: <a href="https://crt.sh/?cablint=65&iCAID=1449&opt=cablint" target="_blank">https://crt.sh/?cablint=65&iCAID=1449&opt=cablint</a><br><br>The BRs state, in definitions section:<br><br><b>Wildcard Certificate:</b> A Certificate containing an asterisk (*) in the <b>left-most position</b> <i>[emphasis mine] </i>of any of the Subject Fully-Qualified Domain Names contained in the Certificate.<br><br>Regards,<br>Rich Smith<br>Validation Manager<br>Comodo<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>On 4/21/2016 8:23 AM, Ryan Sleevi wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>On Thu, Apr 21, 2016 at 6:13 AM, Jody Cloutier <<a href="mailto:jodycl@microsoft.com" target="_blank">jodycl@microsoft.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in;background:white'><span style='font-family:"Calibri",sans-serif'>Ryan, I'm not sure I understand why Google is so intent on this new course of public shaming on this matter and others currently under discussion, but if it helps to do the right thing, then fine. The fact is that the requirement was not addressed, and we need to figure out how to fix the issue for all of our customers. Microsoft has addressed this in Windows 10, but we are not currently planning on back-porting this change to previous operating systems. As such, this change is needed or all of our customers will be affected. </span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>Jody,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>Symantec has 8 months to investigate a solution that doesn't require violating the BRs nor require violating RFC 5280. They've admitted, by Rick, that they've instead chosen to continue to violate the BRs, and are looking to change the BRs to retroactively make this behaviour acceptable. That is unquestionably deserving of censure, on its own merits, regardless of the option.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>Had Symantec shown that the solution provided to them - which would have functioned properly for all Microsoft users - was not in fact viable, in a timely fashion, and for reasons they could explain, that's certainly worthy of consideration. But that's clearly not the case here, and that's unacceptable behaviour for a publicly trusted CA.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>The burden of demonstrating why the proposed solution doesn't work should exist with Symantec: They're the only one that can speak to their customers needs, they're the only ones who can investigate the technical viability (as a publicly trusted CA), and they're the only ones who can speak as to why such a solution may not be possible. If the reasons are "because we don't want to", that should seriously inform the response to a ballot, but if there are reasons such as "This doesn't work for reason X", then that could be a meaningfully compelling reason.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>However, the idea that a Forum member would actively, intentionally, and knowingly violate the BRs in order that they may continue to sell certificates to customers, participating in defining standards that their competitors are obligated to follow but which they themselves do not intend to, and potentially profiting off the customers for which their competitors are obligated to refuse but for which they will clearly accept (in contravention of the BRs), speaks seriously to acting in bad faith and in an anti-competitive manner. And that's deeply troubling.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>To be clear: The censure is for the behaviour, not for the proposal. Given that this proposal was raised in the past, addressed in the past, and in the 8 months sense, either no good-faith effort was put forward OR no good-faith effort is communicated, is a serious and egregious breach of public trust, and thus deserving of strong and direct response, because if that pattern is practiced and encouraged, it undermines and eliminates any value in the Forum itself.<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'> <o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:.5in'><o:p> </o:p></p><pre style='margin-left:.5in'>_______________________________________________<o:p></o:p></pre><pre style='margin-left:.5in'>Public mailing list<o:p></o:p></pre><pre style='margin-left:.5in'><a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><o:p></o:p></pre><pre style='margin-left:.5in'><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre></blockquote><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'> <o:p></o:p></p></div></blockquote><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'> <o:p></o:p></p></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in'><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></blockquote></div><p class=MsoNormal style='margin-left:.5in'><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:.5in'>-- <o:p></o:p></p><div><div><div><div><div><div><div><p class=MsoNormal style='margin-left:.5in'><a href="https://konklone.com" target="_blank">konklone.com</a> | <a href="https://twitter.com/konklone" target="_blank">@konklone</a><o:p></o:p></p></div></div></div></div></div></div></div></div></div></body></html>