[cabfpub] [cabfman] Ballot 92 - Subject Alternative Names

Steve Roylance steve.roylance at globalsign.com
Fri Nov 16 19:28:56 UTC 2012

Hi Wayne,

I'm behind you all the way on the education front. That's really important
for all parties, as certificates are difficult to understand and prone to
mistakes by subscribers, especially if it's not clear what they are agreeing
to when they purchase. A consistent approach is promised by the Base
Requirements; however, today the approach is not consistent, as there are too
many variables that were not adequately tied down in the final document.
That is what this ballot attempts to fix.

ICANN suggested improvements to their industry in 2002
(http://www.icann.org/en/news/announcements/announcement-03sep02-en.htm);
in 2012 it's still ongoing.

In this ballot we are suggesting improvements to ours, so let's hope we can
all find an accord that works.

We listened to the feedback last time and amended the ballot accordingly to
ensure we were not misleading anyone.


From:  Wayne Thayer <wthayer at godaddy.com>
Date:  Friday, 16 November 2012 18:26
To:  CABForum Management <management at cabforum.org>, "public at cabforum.org"
<public at cabforum.org>
Subject:  Re: [cabfman] [cabfpub]  Ballot 92 - Subject Alternative Names

The question is not if it's "acceptable to continue", but if there is
evidence to show that banning a wide swath of DV issuance is an effective
improvement that merits the increased cost and effort that it requires of

The "evidence" shown so far has been a hypothetical threat that a relying
party would trust a DV certificate in a situation where an OV certificate
would be distrusted due to the additional information contained in the O
field.  In addition, it has been stated that the validation process for an
OV cert provides better traceability and presents an overall "higher bar" to
deter a malicious applicant.

The first assertion assumes that the relying party is going to drill into
the certificate details to examine the O field before trusting the cert.
The second assertion implies that the standard for getting an "individual"
OV cert is a significantly higher bar.  That requires the applicant to
submit a copy of a photo ID and a copy of a utility bill.  That's our idea
of raising the bar?

I think we'd all be better off if we focus on educating our customers about
the benefits of different types of certs and then letting them choose,
rather than continuing to try to mandate their behavior.

Meanwhile, if this ballot is approved, a lot of people relying on publicly
trusted certs for completely private systems will have been misled by the
CAB Forum's original 2015 deadline and be immediately forced to buy OV.



> -------- Original Message --------
> Subject: Re: [cabfpub] [cabfman]  Ballot 92 - Subject Alternative Names
> From: Steve Roylance <steve.roylance at globalsign.com>
> Date: Fri, November 16, 2012 10:33 am
> To: "kirk_hall at trendmicro.com" <kirk_hall at trendmicro.com>
> Cc: 'CABForum Management' <management at cabforum.org>,
> "public at cabforum.org" <public at cabforum.org>
>
> Kirk,
>
> It is NOT meant to prohibit all types of DV SANs.
>
> It is meant to prohibit DV SANs under certain conditions, i.e. where non-unique
> information is contained, or Public IPs are used, or there is a mixture of
> owners as detailed by the domain registration.
>
> If you own kirk.com <http://kirk.com> and finewineexpert.com
> <http://finewineexpert.com> then you can have both inside if they are
> registered to you.
>
> Please read the text again carefully and highlight which situation you
> specifically don't agree with and why you feel it's acceptable to continue.
>
> Steve
>
> From:  "kirk_hall at trendmicro.com" <kirk_hall at trendmicro.com>
> Date:  Friday, 16 November 2012 17:24
> To:  CABForum Management <management at cabforum.org>, "public at cabforum.org"
> <public at cabforum.org>
> Subject:  Re: [cabfman] [cabfpub] Ballot 92 - Subject Alternative Names
>
> To help members evaluate Ballot 92 we are attaching a side-by-side comparison
> of current Baseline Requirements language with the proposed new language.  As
> before, the intent of this ballot is to prohibit DV SANs certificates, which
> we will oppose.
>
> Trend Micro does not issue DV certificates, but we think they serve a valuable
> security function in increasing the use of SSL.  Forcing customers to buy OV
> certs instead is anti-competitive and will likely lead to less use of SSL to
> secure sites.
> _______________________________________________
> Management mailing list
> Management at cabforum.org
> https://cabforum.org/mailman/listinfo/management
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public