[cabfpub] Continuing the discussion on CAA

Peter Bowen pzb at amzn.com
Mon Oct 24 23:02:16 UTC 2016


Kirk,

I can comment on amazonaws.com.  AWS only has three CAs we use - Symantec/VeriSign, DigiCert, and Amazon.  

Here are some certificates that were not authorized by the domain registrant:
https://crt.sh/?id=31536432 (StartCom)
https://crt.sh/?id=30860174 (WoSign)
https://crt.sh/?id=30103632 (GlobalSign)
https://crt.sh/?id=42702005 (GeoTrust)
https://crt.sh/?id=3608723 (Vodafone)
https://crt.sh/?id=8271636 (Agencia Catalana de Certificacio)

I don’t believe these were ordered by people falling into either of the categories you list — they were not employees nor were they fraudsters.  I am sure the CAs followed one of the 3.2.2.4 methods and probably even followed a method that will still be allowed after ballot 169 comes into force.  However, I’m 100% confident that the domain owner would prefer to have all certificates using FQDNs and Wildcard DNs under the domain follow corporate policies.

Does that help?

Thanks,
Peter

> On Oct 24, 2016, at 2:04 PM, Kirk Hall via Public <public at cabforum.org> wrote:
> 
> Thanks Ryan – that is helpful.
>  
> Can you tell us who ordered the two certificates you listed?  By an employee, or by a fraudster?
>  
> In what way was the googleusercontent.com cert “not authorized”?
>  
> From: Ryan Sleevi [mailto:sleevi at google.com]
> Sent: Monday, October 24, 2016 1:58 PM
> To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
> Cc: Jeremy Rowley <jeremy.rowley at digicert.com>; public at cabforum.org
> Subject: Re: [cabfpub] Continuing the discussion on CAA
>  
>  
>  
> On Mon, Oct 24, 2016 at 1:50 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
> Ryan, your response is cryptic and confusing.  I think we are wasting time.
>  
> I literally and specifically gave you multiple examples - both of where CAA *could have* prevented unauthorized issuance to third parties and where CAA *has* prevented unauthorized issuance to third parties, with specific domain names and CAs.
>  
> I cannot help you if you are unable to participate in a technical discussion, but it's very clear that the bar is not "convince you", but "explain to you" - and the latter is something that's only possible if you're honestly interested in learning, which, at this point, I can only conclude is yet another attempt to avoid productive discussions.
>  
> Can you please avoid quoting other stuff (not sure what it proves or how it helps)
>  
> It shows me attempting to honestly engage in your request that I "restate whatever evidence you have"
>  
> and just lay out on the Public list your examples in simple English of cases where CAA would have prevented misissuance of a certificate to a fraudster not associated with the organization that owns or controls the domain requested?  I don’t believe this has explicitly been discussed on the Public list before.
>  
> And yet again, you're disrespectfully changing the conversation when it's been pointed out you're mistaken.
>  
> In this case, after providing you the examples you specifically claimed were absent, and reminding you of specific conversations you were part of in which they were answered, you've now suggested that they're insufficient because they weren't discussed on the public list. As the Chair, this does not bode well at all for the future of the Forum that you would engage in such tactics so brazenly.
>  
> I will attempt to repeat for you:
> googleusercontent.com
> - Certs were not authorized, but conformed to 3.2.2.4. They were issued.
> - We added CAA
> - Certs are prevented now
>  
> amazonaws.com
> - Certs were not authorized, but conformed to 3.2.2.4. They were issued.
> - Amazon has not added CAA
> - Unauthorized certs are still possible
>  
> Microsoft Azure
> - Microsoft expressed repeatedly concerns with 3.2.2.4 about certs that were not authorized being issued.
>  
> I'm not sure how much simpler I can make it for you. But I'm certainly unwilling, at this point, to continue to engage with you on this topic, considering how dismissive you've been throughout the 2.5 years that we've been discussing this. Perhaps it would be better if someone more technically capable engaged on your behalf, so we can at least have productive discussions about where to draw the line between technical and policy solutions.
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
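As an added example that is not part of this thread or of any CA's code, the check below is the CAA evaluation (RFC 6844) that the quoted exchange relies on, run against a constructed in-memory zone instead of live DNS. The amazonaws.com record set and the issuer domains standing in for the three CAs Peter names are illustrative assumptions, not the domain's real records; the example also shows the wildcard (issuewild) and "nobody may issue" cases.

```python
"""Added example (not from the thread): minimal RFC 6844 CAA issuance check
over a constructed in-memory zone that stands in for live DNS lookups."""
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) marks the property as "issuer critical"
    tag: str     # property tag: issue, issuewild or iodef
    value: str   # "issuer-domain[; param=value ...]"; ";" alone forbids issuance

# Constructed sample zone, NOT real DNS data. The amazonaws.com set names the
# three CAs Peter lists; the issuer domains used for them are illustrative.
ZONE = {
    "amazonaws.com": [
        CAARecord(0, "issue", "amazon.com"),
        CAARecord(0, "issue", "digicert.com"),
        CAARecord(0, "issue", "symantec.com"),
        CAARecord(0, "issuewild", "amazon.com"),  # wildcards: one CA only
    ],
    "example.net": [CAARecord(0, "issue", ";")],  # ";" = nobody may issue
}

def relevant_caa(fqdn, zone):
    """RFC 6844 s.4: walk from the FQDN up towards the root; the first name
    that has a CAA RRset is the relevant one (CNAME following omitted)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in zone:
            return zone[name]
    return []

def _issuer_domain(value):
    # Text before the first ";" is the issuer domain; "" means "no CA at all".
    return value.split(";", 1)[0].strip().lower()

def caa_permits(ca_domain, name, zone):
    """True if the CA identified by ca_domain may issue for name (may be '*.x')."""
    wild = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wild else name, zone)
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False  # unknown critical property: the CA must refuse to issue
    # issuewild governs wildcard names when present; otherwise issue applies.
    for tag in (["issuewild", "issue"] if wild else ["issue"]):
        allowed = {_issuer_domain(r.value) for r in rrset if r.tag == tag}
        if allowed:
            return ca_domain.lower() in allowed
    return True  # no issue/issuewild records up the tree: CAA does not restrict
```

With this record set a CA outside the listed three is refused for any name under amazonaws.com, which is the effect Ryan describes for googleusercontent.com after CAA was added.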