[cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Apr 27 18:57:23 UTC 2017

See my prior message.  Again, all I remember was statements that you were thinking about this, but I wasn't aware we all had to decide based solely on your comments at the meeting.  Why would you even raise the issue of malice on my part?

You have identified one case where an external RA (DTP) was not known to you -- I believe it was the Korean partner of Symantec, right?  Have you encountered any other cases that are similar?

In the Symantec case, you and Google have taken major action involving Symantec, the Korean DTP, and I think even the Korean auditor.  Is that not sufficient?

Why not require CAs to list all DTPs relied on as an appendix to their audits, with links to the related audits of the DTPs?  I think Geoff suggested something like that (and he was in the same meeting I was, and presumably heard all the same discussion I did - no malice there).

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Thursday, April 27, 2017 9:58 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>; geoffk at apple.com
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

On 27/04/17 01:58, Kirk Hall via Public wrote:
> Ryan, no I wasn’t out of the room when you and Gerv were speaking (why 
> would you ask something like that?),

Perhaps because he wants to not attribute any malice to your claims that you are entirely unfamiliar with this discussion, and therefore it has to be restarted to bring you up to speed? :-)

> and I’m aware that a particular
> non-US DTP made mistakes in domain verification (and apparently its 
> audit was not sufficient).  But failure of one DTP and one audit does 
> not mean that all DTPs and all audits have failed, and if I understand 
> correctly, Google and Mozilla are holding the CA that used the DTP 
> responsible for the problems.  So I’m not sure why that isn’t sufficient.

Because the audit of this DTP was not reported to us in the normal course of operations; it came to light only somewhat by chance.
Therefore, we have no assurance of the scope of this problem.

As noted previous, no CA at the face-to-face said this would be a problem for them, so unless there were CAs not in attendance who would like to make their feelings known, I hope that the principle of this ballot will not prove problematic. (Yes, we need to fix the Enterprise RA case.)


More information about the Public mailing list