<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Exactly, Geoff – that was my thinking.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Ryan, no, I wasn’t out of the room when you and Gerv were speaking (why would you ask something like that?), and I’m aware that a particular non-US DTP made mistakes
in domain verification (and apparently its audit was not sufficient). But failure of one DTP and one audit does not mean that all DTPs and all audits have failed, and if I understand correctly, Google and Mozilla are holding the CA that used the DTP responsible
for the problems. So I’m not sure why that isn’t sufficient.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> geoffk@apple.com [mailto:geoffk@apple.com]
<br>
<b>Sent:</b> Wednesday, April 26, 2017 5:47 PM<br>
<b>To:</b> CA/Browser Forum Public Discussion List &lt;public@cabforum.org&gt;<br>
<b>Cc:</b> Ryan Sleevi &lt;sleevi@google.com&gt;; Kirk Hall &lt;Kirk.Hall@entrustdatacard.com&gt;<br>
<b>Subject:</b> Re: [cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 26 Apr 2017, at 5:12 pm, Kirk Hall via Public &lt;<a href="mailto:public@cabforum.org">public@cabforum.org</a>&gt; wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Ryan, you kind of skipped over a core rationale for this draft ballot – that it’s somehow too hard to audit DTPs (at least as to their domain validation activities). Why is
it too hard?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Here is what the Purpose section of the ballot says:</span><o:p></o:p></p>
</div>
<div style="margin-left:.5in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Purpose of Ballot:<span class="apple-converted-space"> </span></span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">At the moment, CAs are permitted
to delegate the process of domain and IP address validation.<span class="apple-converted-space"> </span><b><u>However, permitting such delegations is problematic due to the way audits work - the auditing of such work may or may not be required and, if it is,
those audit documents may not make it back to root programs for consideration</u></b>. Although the audit situation also needs fixing, domain validation is an important enough component of a CA's core competencies that it seems wiser to remove it from the
larger problem and forbid its delegation. The purpose of this ballot is to ensure that CAs or their Affiliates are always the ones performing domain/IP address ownership validation for certificates that CA is responsible for.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Can you and/or Gerv explain why auditing of DTPs can’t be fixed? </span><o:p></o:p></p>
</div>
</div>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">An alternative approach would be to require that audits include all DTPs involved in domain validation (or, all DTPs no matter what they do) in the scope of the CA’s audit; so there would be one audit which covers the CA and all DTPs over
the audit timeframe. My understanding from the discussion at the last F2F is that the auditors and CAs did not think this would be feasible in typical cases.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>