[cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

Geoff Keating geoffk at apple.com
Thu Apr 27 14:02:17 MST 2017


> On 27 Apr 2017, at 11:57 am, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
…
> You have identified one case where an external RA (DTP) was not known to you -- I believe it was the Korean partner of Symantec, right?  Have you encountered any other cases that are similar?
> 
> In the Symantec case, you and Google have taken major action involving Symantec, the Korean DTP, and I think even the Korean auditor.  Is that not sufficient?

The point here is that we would like not to have to do that again.

The problem wasn’t just one DTP; in fact, there were two distinct problems: there was one DTP who had an apparently clean audit but had some improperly issued certificates, and then, when the audits for the other DTPs were examined, there were a variety of irregularities.  This proposal is addressing the second problem.

> Why not require CAs to list all DTPs relied on as an appendix to their audits, with links to the related audits of the DTPs?  I think Geoff suggested something like that (and he was in the same meeting I was, and presumably heard all the same discussion I did - no malice there).

Not exactly.  My alternative was that all the DTPs be audited in the same audit as the CA.  One audit report signed by one auditor, no links, no mismatched timeframes, no qualifications on the DTP that don’t get reflected in the CA’s audit, and definitely no missing audits.
