[cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

Gervase Markham gerv at mozilla.org
Fri Apr 28 14:06:19 UTC 2017

On 27/04/17 19:52, Kirk Hall wrote:
> Please humor me (and the rest of the members, and the public
> following this list).  In one or two paragraphs, can you summarize
> your reasons?

I think that has been effectively done elsewhere in this thread. Fixing
audits to reliably include DTPs is very difficult. Taking the most
security-critical part and forbidding it from being done by third
parties solves the problem for that security-critical part. And no CA
has claimed (enterprise RAs aside) that they use this capability. So
eliminating it should be uncontroversial.

> How many cases have you encountered where a DTP can't be audited
> and/or has made mistakes?

Several. But it's the ones we haven't encountered which worry me.
