[cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

Ryan Sleevi sleevi at google.com
Thu Apr 27 00:36:43 UTC 2017

On Wed, Apr 26, 2017 at 8:12 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com>

> Ryan, you kind of skipped over a core rationale for this draft ballot –
> that it’s somehow too hard to audit DTPs (at least as to their domain
> validation activities).  Why is it too hard?
> Here is what the Purpose section of the ballot says:
> *Purpose of Ballot: *At the moment, CAs are permitted to delegate the
> process of domain and IP address validation. *However, permitting such
> delegations is problematic due to the way audits work - the auditing of
> such work may or may not be required and, if it is, those audit documents
> may not make it back to root programs for consideration*. Although the
> audit situation also needs fixing, domain validation is an important enough
> component of a CA's core competencies that it seems wiser to remove it from
> the larger problem and forbid its delegation. The purpose of this ballot is
> to ensure that CAs or their Affiliates are always the ones performing
> domain/IP address ownership validation for certificates that CA is
> responsible for.
> Can you and/or Gerv explain why auditing of DTPs can’t be fixed?

I'm not sure I understand the purpose of your question, or how that helps
us make productive discussion. We actually spent quite a bit of time
explaining this at the F2F, but you may have stepped out of the room. I
know you were there for part of it, but perhaps there were other things you
were focused on.

Let's say that neither Gerv and I are mistating the difficulty - that it is
difficult, and that it won't happen in a timely fashion to the security
concerns - do you believe this ballot would cause any harm to Entrust's
operations that we should be aware of? Do you believe this would present
difficulty to adopt?

The answers to those questions help inform and make progress. I can
appreciate that you're curious to understand, and while I don't want to
discourage that, I must admit I find it somewhat disheartening that you did
not participate in the discussions in which this has been explained, or the
discussions with our auditor friends on this matter. Recognizing this, it
might be useful for a good faith discussion to assume we're telling the
truth, and focus on the outcome, rather than the rationale, that way, even
if you disagree with the rationale, if the outcome does not negatively
affect Entrust's operations, it's a net win. It also reduces the amount of
emails for members who have been following and participating in these
discussions, understand the concerns, and are rightfully focused on
minimizing impact.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170426/ed040d69/attachment-0003.html>

More information about the Public mailing list