[cabfpub] Posted on behalf of customer

Eric Mill eric at konklone.com
Wed Dec 14 07:15:01 UTC 2016


On Tue, Dec 13, 2016 at 6:10 PM, Ryan Sleevi via Public <public at cabforum.org> wrote:

>
>
> On Tue, Dec 13, 2016 at 2:59 PM, Dean Coclin <Dean_Coclin at symantec.com>
> wrote:
>
>> As I said below, much like you did with Rich’s post, I’m just posting
>> this on behalf of FD. I’m sure they will have a response for you. But
>> here’s what I think:
>>
>>
>> The items brought up in Gerv’s prior thread that you highlight below were
>> all addressed at one time or another. For example:
>>
>> https://cabforum.org/pipermail/public/2016-October/008492.html
>>
>> https://cabforum.org/pipermail/public/2016-October/008510.html
>>
>> https://cabforum.org/pipermail/public/2016-October/008545.html
>>
>> https://cabforum.org/pipermail/public/2016-October/008553.html
>>
>>
>>
>> The “new” information appears to be a question of “fairness” in the way
>> the forum has treated two independent companies in their exception requests.
>>
>
> This doesn't seem terribly new information. Indeed, you previously
> responded in https://cabforum.org/pipermail/public/2016-October/008492.html
> regarding it, and we'd discussed it further in
> https://cabforum.org/pipermail/public/2016-October/008583.html . That's
> why I thought it was already addressed.
>
> There was the TSYS request - https://cabforum.org/pipermail/public/2016-July/008101.html -
> which Symantec demonstrated multiple failures in following that process,
> and which the community failed to detect all of them (perhaps, in part,
> because of otherwise more pronounced surprises).
> And there was Worldpay, which was itself exceptional and prior to any
> formalized process to evaluate and mitigate both immediate and ecosystem
> risk. Further, as part of the WorldPay allowance, it was restricted to 90
> days and expiring on/before 2016-12-31
> ( https://groups.google.com/d/msg/mozilla.dev.security.policy/RHBHXJOG8Io/FJuaWeXAAQAJ )
>
> That's why I'm trying to understand what new information there is. Without
> wanting to speak to other programs, if we were using TSYS as the baseline
> to evaluate against, then First Data's request should not have been
> accepted, given Symantec's inability to follow procedures (
> https://cabforum.org/pipermail/public/2016-July/007986.html and the
> aforementioned known issues). So while it's possible to question fairness,
> it seems equally possible to question whether Symantec should have been
> allowed to issue such certificates in the first place.
>

If Symantec's request was granted despite not following the procedures, the
browsers who reviewed and approved the request share some significant
culpability too. Collectively, it's CABF's fault, especially since the
process is designed to be adjudicated in the CABF public forum by CABF
members.

First Data is pointing to its request getting a different outcome from
TSYS. The reason for the difference seems to be, as stated by browsers now
and at the time, that TSYS' request _should_ have been limited to 12/31 by
the letter of the process, and so browsers didn't want to replicate the
mistake a second time.

However, that decision absolutely opens the Forum up to criticism, since
the Forum is responding to its failure to abide by its own process for TSYS
by penalizing an organization (First Data) that is neither the Forum nor
TSYS. CABF members, especially browsers, frequently point out that entities
that create risk to the ecosystem should bear the cost of that choice,
rather than having the ecosystem absorb that cost for them.

I think the Forum should give First Data the extension to their requested
date. I think it should also consider updating the process to extend the
notAfter deadline to February so that future exceptions, if they are
granted at all, can remain consistent with the text. This way, the Forum
avoids the perception and reality of conferring competitive advantage to an
unaffiliated company, and the policy avoids being inconsistent with the
results of (as of now) 50% of its uses.

-- Eric


>
> Is there some detail I'm missing?
>


-- 
konklone.com | @konklone <https://twitter.com/konklone>