<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 30, 2018 at 9:37 AM, Kirk Hall via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-8756895889536069651WordSection1"><p class="MsoNormal"><span style="color:#1f497d">Tim – your argument is “who knows if any certs have been misissued under Method 1” could apply to all other methods. That’s not an argument that there HAVE been misissued certs. We have been using the method for many years at multiple companies for many major enterprises (who would certainly be targets for phishing), and no one has ever reported a single case of misissuance. I think that’s pretty conclusive versus a “who knows” argument.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Your second statement – that Symantec issued lots of certificates using Method 1 that DigiCert would never have issued – seems to imply you have found misissuance by Symantec. If so, you should probably file an Incident Report on the Mozilla list and revoke the certs in question. If you don’t do that, we have to assume the certs were not misissued.</span></p></div></div></blockquote><div><br></div><div>This is the fundamental disagreement, and is the same as the discussion regarding "Any Other Method".</div><div><br></div><div>A CA that views "misissuance" solely as "Violated the BRs" is a CA that fails to understand how security works, and puts the ecosystem at risk.</div><div>A CA that views "misissuance" as "Does not provide the level of assurance that the BRs, in ideal conditions, is meant to assure" is a CA that is proactively taking steps to ensure Web security.</div><div><br></div><div>This highlights the apparent disconnect between these two statements.</div><div><br></div><div>DigiCert has highlighted multiple certificates they believe that fully comply with the language, as written, but fail to meet the understanding or objectives of the Web PKI (at best), and may not have been authorized (at worst). You've repeatedly taken the position that "Compliance is proof that it's not misissuance", while multiple members have attempted, over the years, to highlight that compliance, without understanding or meeting the objectives of said compliance, is insufficient.</div><div><br></div><div>Entrust appears to be taking the position that because they fully complied with the BRs, there is no harm done, which is to grossly misunderstand the BRs and security. It also misunderstands that what a CA, such as Entrust, claims to practice (and how they may claim to mitigate the risks, although no mitigations for the many identified risks have been offered), is different from what the BRs permit, and it is the latter that is far, far more concerning to the stability and security of the ecosystem.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-8756895889536069651WordSection1"><p class="MsoNormal"><span style="color:#1f497d"><u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">If you can’t provide any facts showing misissuance of any cert using Method 1, please stop saying that there has been misissuance.<u></u><u></u></span></p><p class="MsoNormal"><a name="m_-8756895889536069651__MailEndCompose"><span style="color:#1f497d"><u></u> <u></u></span></a></p><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b>From:</b> Tim Hollebeek [mailto:<a href="mailto:tim.hollebeek@digicert.com" target="_blank">tim.hollebeek@<wbr>digicert.com</a>] <br><b>Sent:</b> Tuesday, January 30, 2018 9:27 AM<br><b>To:</b> Kirk Hall <<a href="mailto:Kirk.Hall@entrustdatacard.com" target="_blank">Kirk.Hall@entrustdatacard.com</a><wbr>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>>; Bruce Morton <<a href="mailto:Bruce.Morton@entrustdatacard.com" target="_blank">Bruce.Morton@entrustdatacard.<wbr>com</a>><br><b>Subject:</b> [EXTERNAL]RE: Voting on Ballot 218<u></u><u></u></p></div></div><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">> There have been no cases of misissuance using Method 1 over roughly 20 years<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">You guys have been told repeatedly that you have no evidence this statement is true. You need to stop saying it.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">The truth is it is extremely hard to “misissue“ a certificate using method 1, precisely because it is so weak. Some of the certificates issued using method 1 probably went to people they shouldn’t have gone to. We have no idea how many, because the CAs used method 1, which doesn’t validate much!<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Symantec issued lots of certificates in full compliance with method 1 that DigiCert would never have issued. Attempting to spin that into a rosy picture of 20 years of wonderfulness is a huge stretch.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">-Tim<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p></div></div></div></div><br>______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
<br></blockquote></div><br></div></div>