<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Thu, Jun 16, 2016 at 2:44 PM, Dean Coclin <<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>My suggestion was that the browsers be notified of those details but that they be redacted from the public document.</span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Right, in case it wasn't clear:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>There is no desire from Google for any of this to happen in private. If at any part the answer is "Trust Google to have done due dilligence", that's simply a non-starter. That is not keeping the ecosystem risks in consideration, and is favoring a system that invites itself to compromise, coercion, or negligence.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I know that at least one Browser feels that openness is inconsistent with their principles. I can respect that, but I think we'd disagree. The issuance or non-issuance affects far more than just browsers or just financial services, and no special preferential treatment should be given to either those affected or those here in the Forum. If we are going to introduce security risks that threaten the entire ecosystem - from mobile devices, to IoT, to cars, to thermostats, to browsers, to server-side processing systems, and everything big or small that uses TLS with publicly trusted certificates, rightly or wrongly, then we need transparency.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>>>There’s transparency and then there’s security. We need to find the right balance. And that’s what I thought we did with the suggested cryptanalysis. Anyone can do it, everyone can see the results. Seems transparent to me. BTW-I didn’t say trust one browser. The intent was to provide info to all browsers. Unless all browsers are in collusion, this seemed like a fair request. <o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>As Jody stated in Bilbao, there is no point in exposing this information if it introduces security risks. He also said that we should be collectively trying to find a solution which involves compromise. To that end, I think Andrew has done a great job with his initial proposal, garnered from the discussion in Bilbao. But some fine tuning should be expected and hopefully we can find an amenable solution to all parties.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><br>Today I participated on a call with FS-ISAC members in which they expressed a security concern about the current procedure. Hence my comments.</span><o:p></o:p></p></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Care to elaborate what those concerns are, in the benefit of transparency and avoiding fear and uncertainty?<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>>>Exactly what I stated earlier. Giving out names puts a target on ones back and potentially releases security info. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>I’m wondering if a separate working group type call could be held to mash out a final, recommended document and present to the forum members. I’m not suggesting a formal working group, rather a subset of the normal meeting call in group that can work together to propose a final document.</span><o:p></o:p></p></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Ultimately, I think it's up to each and every rootstore to separately evaluate what they see as appropriate risk to allow issuance, much in the same way they determine the appropriate risk to handle if a CA fails to follow those procedures.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Google's proposed a solution that embraces transparency, which we feel as a critical necessity for decisions that effectively put the entire TLS ecosystem at risk. It is unfortunate that others disagree. I think we're more than happy to entertain concrete concerns with the proposal, and absolutely amenable to change, but feel it's similarly necessary to have transparency over those discussions and concerns. As an organization frequently under the spotlight for matters of security, good and bad, I'm sure you can understand how important it is that there isn't an appearance of slinking off to smokey back rooms to hash it out in secret cabals. <o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>>>So far, everyone has been pretty open in our discussion and comments to the draft; following our forum rules. I hope we can continue this way. However, it would be good to come to conclusion soon given impending expirations of critical infrastructure certificates and impact to the financial ecosystem. Having said that, I know for a fact that some CAs are working hard with the affected vendors to try every possible alternative before resorting to the procedure discussed here. Thanks.<o:p></o:p></span></p></div></div></div></div></div></body></html>