<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Nov 4, 2020 at 6:21 AM Paul van Brouwershaven via Validation <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div><font color="#666666" face="Open Sans, Helvetica Neue, Helvetica, Arial, sans-serif"><span style="font-size:14px">We got a lot of positive feedback using private channels, with the large majority of CA's indicating that they want to retain the
OU field and willing to support this proposal.</span></font></div></div></blockquote><div><br></div><div>That's great for you, I'm sure, but there's been zero progress on addressing the security risks. I want to make sure we're aligned in understanding here, in that this isn't a popularity contest, and that just because bad ideas that harm users also make money or allow CAs to keep doing the status quo doesn't somehow make them good ideas.</div><div><br></div><div>Unless, and until, there is meaningful, actionable progress on addressing the concrete issues raised here, I think the plan to forbid the OU needs to continue, and I believe it would be deeply irresponsible for Entrust to ignore these issues and present it as somehow CAs agreeing to keep the status quo.</div><div><br></div><div>As mentioned during the F2F, at length, every aspect of this proposal fails to improve the status quo, or meaningfully degrades it. While I'm encouraged to see Entrust thinking about risks, it should be abundantly clear to Entrust, and to those participants, that the proposed mitigation and scoring is unacceptable and failing to achieve the goal. Whether or not something is mitigated ultimately is determined by the browsers whose users are at risk, and CAs advocating for keeping the OU bear the burden of proof to actually demonstrate the goals are achieved, rather than, as taken in this approach, simply state.<br></div><div><br></div><div>Without qualification, we disagree with the conclusions presented here, believe that they are arbitrary or demonstrably false, and meaningfully harm the security of users and reliability of certificates by allowing arbitrary values that fundamentally cannot be validated, and which nothing of this latest round addresses. Statements like "Well, the Subscriber will be liable if something goes wrong" are, without question, nonsense, even though as a CA, I'm sure the appeal is great to make your responsibility and failing to uphold it somehow someone else's fault. Sorry, that's simply not how this works.</div></div></div>