[cabfpub] Posted on behalf of customer

Ryan Sleevi sleevi at google.com
Tue Dec 13 23:10:51 UTC 2016


On Tue, Dec 13, 2016 at 2:59 PM, Dean Coclin <Dean_Coclin at symantec.com>
wrote:

> As I said below, much like you did with Rich’s post, I’m just posting this
> on behalf of FD. I’m sure they will have a response for you. But here’s
> what I think:
>
>
> The items brought up in Gerv’s prior thread that you highlight below were
> all addressed at one time or another. For example:
>
> https://cabforum.org/pipermail/public/2016-October/008492.html
>
> https://cabforum.org/pipermail/public/2016-October/008510.html
>
> https://cabforum.org/pipermail/public/2016-October/008545.html
>
> https://cabforum.org/pipermail/public/2016-October/008553.html
>
>
>
> The “new” information appears to be a question of “fairness” in the way
> the forum has treated two independent companies in their exception requests.
>

This doesn't seem terribly new information. Indeed, you previously
responded in https://cabforum.org/pipermail/public/2016-October/008492.html
regarding it, and we'd discussed it further in
https://cabforum.org/pipermail/public/2016-October/008583.html . That's why
I thought it already addressed.

There was the TSYS request -
https://cabforum.org/pipermail/public/2016-July/008101.html - in which
Symantec demonstrated multiple failures in following that process, and
in which the community failed to detect all of them (perhaps, in part, because
of otherwise more pronounced surprises).
And there was Worldpay, which was itself exceptional and prior to any
formalized process to evaluate and mitigate both immediate and ecosystem
risk. Further, as part of the WorldPay allowance, it was restricted to 90
days and expiring on/before 2016-12-31 (
https://groups.google.com/d/msg/mozilla.dev.security.policy/RHBHXJOG8Io/FJuaWeXAAQAJ
)

That's why I'm trying to understand what new information there is. Without
wanting to speak to other programs, if we were using TSYS as the baseline
to evaluate against, then First Data's request should not have been
accepted, given Symantec's inability to follow procedures (
https://cabforum.org/pipermail/public/2016-July/007986.html and the
aforementioned known issues). So while it's possible to question fairness,
it seems equally possible to question whether Symantec should have been
allowed to issue such certificates in the first place.

Is there some detail I'm missing?