[cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft
gerv at mozilla.org
Fri Apr 28 07:06:19 MST 2017
On 27/04/17 19:52, Kirk Hall wrote:
> Please humor me (and the rest of the members, and the public
> following this list). In one or two paragraphs, can you summarize
> your reasons?
I think that has been effectively done elsewhere in this thread. Fixing
audits to reliably include DTPs is very difficult. Taking the most
security-critical part and forbidding it from being done by third
parties solves the problem for that security-critical part. And no CA
has claimed (enterprise RAs aside) that they use this capability. So
eliminating it should be uncontroversial.
> How many cases have you encountered where a DTP can't be audited
> and/or has made mistakes?
Several. But it's the ones we haven't encountered which worry me.
More information about the Public