[cabfpub] Continuing the discussion on CAA

Ryan Sleevi sleevi at google.com
Mon Oct 24 21:10:14 UTC 2016


Kirk,

It's sad to see your promise was so short lived. That is, the "I promise I
will read the links carefully for the details you have provided." promise
you made one hour ago.

Since your message is not appearing in the archives, I'll link you to the
reply in which I quoted you, in the hopes it will jog your memory of you
making that promise -
https://cabforum.org/pipermail/public/2016-October/008630.html

And then I'll link you to the post where I already answered this for you,
less than an hour ago, in the hopes it will continue to jog your memory:
https://cabforum.org/pipermail/public/2016-October/008630.html

Perhaps you can read the above link carefully for the details I have
provided? That'd be great. Thanks.

On Mon, Oct 24, 2016 at 2:04 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com>
wrote:

> Thanks Ryan – that is helpful.
>
> Can you tell us who ordered the two certificates you listed?  By an
> employee, or by a fraudster?
>
> In what way was the googleusercontent.com cert “not authorized”?
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Monday, October 24, 2016 1:58 PM
> *To:* Kirk Hall <Kirk.Hall at entrustdatacard.com>
> *Cc:* Jeremy Rowley <jeremy.rowley at digicert.com>; public at cabforum.org
> *Subject:* Re: [cabfpub] Continuing the discussion on CAA
>
> On Mon, Oct 24, 2016 at 1:50 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com>
> wrote:
>
> Ryan, your response is cryptic and confusing.  I think we are wasting time.
>
> I literally and specifically gave you multiple examples - both of where
> CAA *could have* prevented unauthorized issuance to third parties and where
> CAA *has* prevented unauthorized issuance to third parties, with specific
> domain names and CAs.
>
> I cannot help you if you are unable to participate in a technical
> discussion, but it's very clear that the bar is not "convince you", but
> "explain to you" - and the latter is something that's only possible if
> you're honestly interested in learning, which, at this point, I can only
> conclude is yet another attempt to avoid productive discussions.
>
> Can you please avoid quoting other stuff (not sure what it proves or how
> it helps)
>
> It shows me attempting to honestly engage in your request that I "restate
> whatever evidence you have"
>
> and just lay out on the Public list your examples in simple English of
> cases where CAA would have prevented misissuance of a certificate to a
> fraudster not associated with the organization that owns or controls the
> domain requested?  I don’t believe this has explicitly been discussed on
> the Public list before.
>
> And yet again, you're disrespectfully changing the conversation when it's
> been pointed out you're mistaken.
>
> In this case, after providing you the examples you specifically claimed
> were absent, and reminding you of specific conversations you were part of
> in which they were answered, you've now suggested that they're insufficient
> because they weren't discussed on the public list. As the Chair, this does
> not bode well at all for the future of the Forum that you would engage in
> such tactics so brazenly.
>
> I will attempt to repeat for you:
>
> googleusercontent.com
>
> - Certs were not authorized, but conformed to 3.2.2.4. They were issued.
>
> - We added CAA
>
> - Certs are prevented now
>
> amazonaws.com
>
> - Certs were not authorized, but conformed to 3.2.2.4. They were issued.
>
> - Amazon has not added CAA
>
> - Unauthorized certs are still possible
>
> Microsoft Azure
>
> - Microsoft expressed repeatedly concerns with 3.2.2.4 about certs that
> were not authorized being issued.
>
> I'm not sure how much simpler I can make it for you. But I'm certainly
> unwilling, at this point, to continue to engage with you on this topic,
> considering how dismissive you've been throughout the 2.5 years that we've
> been discussing this. Perhaps it would be better if someone more
> technically capable engaged on your behalf, so we can at least have
> productive discussions about where to draw the line between technical and
> policy solutions.
>
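The CAA check the thread keeps coming back to (a request that passes 3.2.2.4 validation but is blocked because the domain's CAA records name a different CA), as an added Python example that is not part of the thread or of any CA's code: it climbs the DNS tree as RFC 6844 describes and evaluates the issue/issuewild properties. The zone data and the issuer names pki.example, other-ca.example and locked.example are constructed placeholders, not the real records of any domain mentioned above.

```python
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value), RFC 6844 section 5.1

# Constructed CAA data for this illustration; NOT the real records of these zones.
ZONE: Dict[str, List[CAARecord]] = {
    "googleusercontent.com": [(0, "issue", "pki.example")],  # hypothetical: one permitted issuer
    "amazonaws.com": [],                                     # no CAA published at all
    "locked.example": [(0, "issue", ";")],                   # hypothetical deny-all CAA record
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup_caa(name: str) -> List[CAARecord]:
    """Stand-in for a DNS CAA query (no network); an empty list means no records."""
    return ZONE.get(name, [])


def relevant_caa(fqdn: str) -> List[CAARecord]:
    """RFC 6844 section 4: walk from the FQDN toward the root; the first non-empty
    RRset is the relevant one. CNAME/DNAME chasing is omitted for brevity."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_may_issue(fqdn: str, ca_domain: str, wildcard: bool = False) -> bool:
    """True if CAA permits ca_domain to issue for fqdn (RFC 6844 sections 3, 5.2, 5.3)."""
    rrset = relevant_caa(fqdn)
    if not rrset:
        return True  # no CAA anywhere in the tree: CAA does not restrict issuance
    # A critical record (flag bit 7) with a tag the issuer does not understand forbids issuance.
    if any(flags & 0x80 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild, when present, governs wildcard requests
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # CAA present but no property restricting this request type
    for value in values:
        issuer = value.split(";", 1)[0].strip().lower()  # drop "; key=value" parameters
        if issuer and issuer == ca_domain.lower():
            return True
    return False  # no match, or the explicit "issue ;" deny-all form
```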