<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Dean and CABF members,<br>
<br>
Some of you may be aware - if nothing else through the<br>
press coverage - that efforts have been stepped up to deal<br>
with so-called robocalls, which is more generally known<br>
within the many industry communities involved as <br>
anti-spoofing.<br>
<br>
Much of the work currently revolves around associating<br>
X.509 certs with telephone numbers - in blocks or individually.<br>
Central to this approach is the attached Internet Draft in<br>
a group known as stir. Although it is being treated as <br>
"last call," concerns have been raised as to its suitability.<br>
Indeed, the obvious question is why don't they simply<br>
use the Forum's specification and a class of EVcert for<br>
this purpose, including its OCSP provisions. That <br>
question hasn't been answered, and there is no known<br>
collaboration with the CABF.<br>
<br>
Some of the statements in this draft are flat wrong,<br>
such as the introduction statement that "...telephone <br>
numbers have long been a part of the X.509...." In addition,<br>
the identity construct "Service Provider Identifier (SPID)"<br>
is fuzzy at best and has no consistent global use. Also<br>
omitted is any treatment of Rec. ITU-T E.164 which is<br>
the global telephone identifier number space to which <br>
the certificates are being bound.<br>
<br>
Why should the CABF and its members care? For the <br>
CABF itself, the answer is that the EVcert specification<br>
is best of breed, scales well, and has many years of<br>
experience and evolution behind it.<br>
<br>
The OS/browser vendors should care because their <br>
platforms, tables, and apps will make use of the <br>
stir certificates. The CAs should care because the<br>
provision of certificates globally for this purpose<br>
is a major business opportunity that in many national<br>
jurisdictions will be the subject of regulatory provisions.<br>
<br>
--tony<br>
<br>
<br>
<br>
</body>
</html>