[cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Apr 27 18:52:46 UTC 2017


Gerv, I do remember lots of discussion, but sometimes the main points don't stand out.  At that time, I think you were just musing about a possible rule change.  Now that it's concrete, we really need hard reasons on why requiring audits for external RAs (DTPs) don't work, and why the rules can't be fixed, before we vote on outlawing DTPs.

Please humor me (and the rest of the members, and the public following this list).  In one or two paragraphs, can you summarize your reasons?

How many cases have you encountered where a DTP can't be audited and/or has made mistakes?

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Thursday, April 27, 2017 9:36 AM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [EXTERNAL][cabfpub] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

On 26/04/17 23:05, Kirk Hall wrote:
> Gerv, I’m late to the discussion on this.  By can you start at the 
> beginning, and explain why you believe DTPs should not be permitted to 
> perform domain validation under any circumstances?

We did have this discussion at the face-to-face, and I'm fairly sure you were present, as it was with the whole room. It's somewhat frustrating that this is not yet reflected in the minutes. But perhaps you can rack your memory? :-)

> Clearly the work of all DTPs should be audited, and the DTP part of 
> the audit should roll up somehow into the issuing CA’s audit.  I know 
> that can be complex (and under current rules, may be hard for browsers 
> to monitor and feel confident they understand the ENTIRE network of 
> DTPs, etc. used by the CA under each root).  But it can be done.

As noted at the time, the audit situation needs fixing, but fixing it is difficult and will be time-consuming. Domain validation is an important enough CA function that we feel it should be done in-house in all cases, and taken out of the audit quagmire with a simple ban. No CA came forward at the face-to-face to say this would be a problem for them.

Gerv


More information about the Public mailing list