[cabfpub] Misissuance of certificates

Rick Andrews Rick_Andrews at symantec.com
Wed Dec 9 19:39:15 MST 2015


Ryan,

Yes, that’s what I mean by private (not subject to the BRs).

The concerns I raised still apply... today it is common practice for customers to use certificates from roots trusted by browsers for private and/or non-browser use cases. The ballot needs an implementation date in the future to allow us and other CAs time to implement options for customers that distinguish these private/non-browser certificates, to make sure customers are aware of how these new rules relate to the future disclosure of publicly-accessible certificates, and to allow customers to replace their existing certificates where needed. This is why we proposed the interim disclosure approach, where prior to that implementation date, disclosure would still happen, but with the subject details redacted.

-Rick

From: public-bounces at cabforum.org On Behalf Of Ryan Sleevi
Sent: Monday, December 07, 2015 3:49 PM
To: Rick Andrews
Cc: public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates



On Mon, Dec 7, 2015 at 3:38 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
Sigbjørn,

While we agree with this proposal, it wouldn't address our key use case.

We've talked to very large customers about technically-constrained intermediates, and this is consistently not doable because their list of owned domains changes so frequently. After further consideration, issuing internal-only or non-browser certs from a private root is the most straightforward and comprehensive approach.

Rick,

When you say "private root", you mean a root that is exempted from the Baseline Requirements (presumably, because it is not a publicly trusted root), correct?

If that's a correct understanding, would it be fair to interpret your response as meaning that you withdraw your concerns, because they would not affect you? Or are there still concerns you feel with this proposal that, even under the scenario you described, would require modification to the proposed language?