<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 13, 2016 at 2:59 PM, Dean Coclin <span dir="ltr"><<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_-5351924772427320289WordSection1"><p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)">As I said below, much like you did with Rich’s post, I’m just posting this on behalf of FD. I’m sure they will have a response for you. But here’s what I think:<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)"><br>The items brought up in Gerv’s prior thread that you highlight below were all addressed at one time or another. For example:<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)"><a href="https://cabforum.org/pipermail/public/2016-October/008492.html" target="_blank">https://cabforum.org/<wbr>pipermail/public/2016-October/<wbr>008492.html</a><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)"><a href="https://cabforum.org/pipermail/public/2016-October/008510.html" target="_blank">https://cabforum.org/<wbr>pipermail/public/2016-October/<wbr>008510.html</a> <u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)"><a href="https://cabforum.org/pipermail/public/2016-October/008545.html" target="_blank">https://cabforum.org/<wbr>pipermail/public/2016-October/<wbr>008545.html</a><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)"><a 
href="https://cabforum.org/pipermail/public/2016-October/008553.html" target="_blank">https://cabforum.org/<wbr>pipermail/public/2016-October/<wbr>008553.html</a><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)">The “new” information appears to be a question of “fairness” in the way the forum has treated two independent companies in their exception requests.</span></p></div></div></blockquote><div><br></div><div>This doesn't seem terribly new information. Indeed, you previously responded in <a href="https://cabforum.org/pipermail/public/2016-October/008492.html">https://cabforum.org/pipermail/public/2016-October/008492.html</a> regarding it, and we'd discussed it further in <a href="https://cabforum.org/pipermail/public/2016-October/008583.html">https://cabforum.org/pipermail/public/2016-October/008583.html</a> . That's why I thought it was already addressed.</div><div><br></div><div>There was the TSYS request - <a href="https://cabforum.org/pipermail/public/2016-July/008101.html">https://cabforum.org/pipermail/public/2016-July/008101.html</a> - which Symantec demonstrated multiple failures in following that process, and which the community failed to detect all of them (perhaps, in part, because of otherwise more pronounced surprises).</div><div>And there was Worldpay, which was itself exceptional and prior to any formalized process to evaluate and mitigate both immediate and ecosystem risk. 
Further, as part of the WorldPay allowance, it was restricted to 90 days and expiring on/before 2016-12-31 ( <a href="https://groups.google.com/d/msg/mozilla.dev.security.policy/RHBHXJOG8Io/FJuaWeXAAQAJ">https://groups.google.com/d/msg/mozilla.dev.security.policy/RHBHXJOG8Io/FJuaWeXAAQAJ</a> ).</div><div><br></div><div>That's why I'm trying to understand what new information there is. Without wanting to speak to other programs, if we were using TSYS as the baseline to evaluate against, then First Data's request should not have been accepted, given Symantec's inability to follow procedures ( <a href="https://cabforum.org/pipermail/public/2016-July/007986.html">https://cabforum.org/pipermail/public/2016-July/007986.html</a> and the aforementioned known issues). So while it's possible to question fairness, it seems equally possible to question whether Symantec should have been allowed to issue such certificates in the first place.</div><div><br></div><div>Is there some detail I'm missing?</div></div></div></div>