<div dir="ltr">We have. It isn't. Thus this proposal.<div><br></div><div>This was covered during the discussion, but I appreciate that it may not have been closely followed. For example, during the discussion, it was discussed concretely, not abstractly, as something to move forward with, and this current proposal is the result of the discussion of the people who graciously followed and participated in the discussion.</div><div><br></div><div>I appreciate your interest for alternative solutions, but I must admit, I find it very counter-productive. I think it would be much more useful if you could express, concretely, what concerns Entrust has. If there are none, this seems - as others have noted - a useful simplification, consistent with audits (for which browsers have spent time discussing with WebTrust about, even prior to the recent events), and solves a whole host of issues.</div><div><br></div><div>As Peter mentions, the overall process can be even more significantly simplified - and more importantly, meaningful security objectives can be obtained.</div><div><br></div><div>I do not wish to feel your views are not heard, so if you have useful contributions to share that might understand why this is not desirable, this would be greatly appreciated. However, the current approach does seem to be very disrespectful to the work and the effort that has been made to engage - with auditors, CAs, and the community - on the topic, and while I know it's only gaining attention because it's now progressing, perhaps you can focus on the merits of the proposal rather than what you may misunderstand as the motivations.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 27, 2017 at 5:10 PM, Kirk Hall via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On your proposal at the end below (one auditor covers the CA and all subordinate DTPs) - that sounds like a good idea to me, so long as the main WebTrust auditor for MegaCA is able to subcontract certain audit tasks to qualified WebTrust auditors (perhaps with another company) who speak Freedonian. The main auditor would be responsible for picking a qualified WebTrust auditor to do the work in Freedonia, and would roll the results into the main audit.<br>
<br>
We should perhaps check with Jeff Ward to see if this kind of link between two auditors is possible.<br>
<span class="im HOEnZb"><br>
-----Original Message-----<br>
From: <a href="mailto:geoffk@apple.com">geoffk@apple.com</a> [mailto:<a href="mailto:geoffk@apple.com">geoffk@apple.com</a>]<br>
Sent: Thursday, April 27, 2017 2:02 PM<br>
To: Kirk Hall <<a href="mailto:Kirk.Hall@entrustdatacard.com">Kirk.Hall@entrustdatacard.com</a><wbr>><br>
</span><div class="HOEnZb"><div class="h5">Cc: Gervase Markham <<a href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
Subject: Re: [cabfpub] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft<br>
<br>
<br>
> On 27 Apr 2017, at 11:57 am, Kirk Hall <<a href="mailto:Kirk.Hall@entrustdatacard.com">Kirk.Hall@entrustdatacard.com</a><wbr>> wrote:<br>
…<br>
> You have identified one case where an external RA (DTP) was not known to you -- I believe it was the Korean partner of Symantec, right? Have you encountered any other cases that are similar?<br>
><br>
> In the Symantec case, you and Google have taken major action involving Symantec, the Korean DTP, and I think even the Korean auditor. Is that not sufficient?<br>
<br>
The point here is that we would like not to have to do that again.<br>
<br>
The problem wasn’t just one DTP; in fact, there were two distinct problems, there was one DTP who had an apparently clean audit but had some improperly issued certificates, and then when the audits for the other DTPs were examined, there were a variety of irregularities. This proposal is addressing the second problem.<br>
<br>
> Why not require CAs to list all DTPs relied on as an appendix to their audits, with links to the related audits of the DTPs? I think Geoff suggested something like that (and he was in the same meeting I was, and presumably heard all the same discussion I did - no malice there).<br>
<br>
Not exactly. My alternative was that all the DTPs be audited in the same audit as the CA. One audit report signed by one auditor, no links, no mismatched timeframes, no qualifications on the DTP that don’t get reflected in the CA’s audit, and definitely no missing audits.<br>
<br>
</div></div><div class="HOEnZb"><div class="h5">______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
</div></div></blockquote></div><br></div>