[cabfpub] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

Ryan Sleevi sleevi at google.com
Thu Apr 27 21:53:11 UTC 2017


We have. It isn't. Thus this proposal.

This was covered during the discussion, but I appreciate that it may not
have been closely followed. For example, during the discussion, it was
discussed concretely, not abstractly, as something to move forward with,
and this current proposal is the result of the discussion of the people who
graciously followed and participated in the discussion.

I appreciate your interest in alternative solutions, but I must admit, I
find it very counter-productive. I think it would be much more useful if
you could express, concretely, what concerns Entrust has. If there are
none, this seems - as others have noted - a useful simplification,
consistent with audits (for which browsers have spent time discussing with
WebTrust about, even prior to the recent events), and solves a whole host
of issues.

As Peter mentions, the overall process can be even more significantly
simplified - and more importantly, meaningful security objectives can be
obtained.

I do not wish to feel your views are not heard, so if you have useful
contributions to share that might help me understand why this is not desirable,
this would be greatly appreciated. However, the current approach does seem
to be very disrespectful to the work and the effort that has been made to
engage - with auditors, CAs, and the community - on the topic, and while I
know it's only gaining attention because it's now progressing, perhaps you
can focus on the merits of the proposal rather than what you may
misunderstand as the motivations.

On Thu, Apr 27, 2017 at 5:10 PM, Kirk Hall via Public <public at cabforum.org>
wrote:

> On your proposal at the end below (one auditor covers the CA and all
> subordinate DTPs) - that sounds like a good idea to me, so long as the main
> WebTrust auditor for MegaCA is able to subcontract certain audit tasks to
> qualified WebTrust auditors (perhaps with another company) who speak
> Freedonian.  The main auditor would be responsible for picking a qualified
> WebTrust auditor to do the work in Freedonia, and would roll the results
> into the main audit.
>
> We should perhaps check with Jeff Ward to see if this kind of link between
> two auditors is possible.
>
> -----Original Message-----
> From: geoffk at apple.com [mailto:geoffk at apple.com]
> Sent: Thursday, April 27, 2017 2:02 PM
> To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
> Cc: Gervase Markham <gerv at mozilla.org>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] Forbid DTPs from doing Domain/IP Ownership
> Validation ballot draft
>
>
> > On 27 Apr 2017, at 11:57 am, Kirk Hall <Kirk.Hall at entrustdatacard.com>
> > wrote:
> > > You have identified one case where an external RA (DTP) was not known to
> > > you -- I believe it was the Korean partner of Symantec, right?  Have you
> > > encountered any other cases that are similar?
> > >
> > > In the Symantec case, you and Google have taken major action involving
> > > Symantec, the Korean DTP, and I think even the Korean auditor.  Is that not
> > > sufficient?
>
> The point here is that we would like not to have to do that again.
>
> The problem wasn’t just one DTP; in fact, there were two distinct
> problems, there was one DTP who had an apparently clean audit but had some
> improperly issued certificates, and then when the audits for the other DTPs
> were examined, there were a variety of irregularities.  This proposal is
> addressing the second problem.
>
> > Why not require CAs to list all DTPs relied on as an appendix to their
> > audits, with links to the related audits of the DTPs?  I think Geoff
> > suggested something like that (and he was in the same meeting I was, and
> > presumably heard all the same discussion I did - no malice there).
>
> Not exactly.  My alternative was that all the DTPs be audited in the same
> audit as the CA.  One audit report signed by one auditor, no links, no
> mismatched timeframes, no qualifications on the DTP that don’t get
> reflected in the CA’s audit, and definitely no missing audits.
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>