[cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

Ryan Sleevi sleevi at google.com
Thu Apr 27 21:59:42 UTC 2017


On Thu, Apr 27, 2017 at 2:57 PM, Kirk Hall via Public <public at cabforum.org>
wrote:

> You have identified one case where an external RA (DTP) was not known to
> you -- I believe it was the Korean partner of Symantec, right?  Have you
> encountered any other cases that are similar?
>

This is, unfortunately, not correct, but I can appreciate and understand if
you have not been following those discussions and developments in the
industry. Even in the example you cite, there have been at least 6 DTPs
affirmatively identified (from a reported set of 4), performing various
validation functions in TLS-enabled infrastructure, with an additional
unbounded and unknown set.

More importantly to the discussion, however, and thus eliminating the
majority of your remaining concerns - although perhaps you did not
contribute because you were not following the conversation - was that no
other member has identified any use of DTPs for domain validation. So your
concerns, while well meaning, are not backed in the facts publicly
available. If you have details to share publicly, I'm sure it would be most
welcome.


> Why not require CAs to list all DTPs relied on as an appendix to their
> audits, with links to the related audits of the DTPs?  I think Geoff
> suggested something like that (and he was in the same meeting I was, and
> presumably heard all the same discussion I did - no malice there).
>

I did address this already on the list, in
https://cabforum.org/pipermail/public/2017-April/010767.html

I do hope you find that reply useful to understand the discussions that
already took place or have been taking place for some time.

As mentioned in my most recent e-mail, it would be most useful for you to
share details about Entrust. I appreciate your concern for the
hypotheticals, but as no one, besides you raising them in the abstract, has
raised them, it does seem rather disrespectful to the many attempts at
productive discussion.