[cabfpub] Voting on Ballot 218
gerv at mozilla.org
Tue Jan 30 07:46:40 MST 2018
On 30/01/18 14:37, Kirk Hall via Public wrote:
> Tim – your argument is “who knows if any certs have been misissued under
> Method 1” could apply to all other methods. That’s not an argument that
> there HAVE been misissued certs. We have been using the method for many
> years at multiple companies for many major enterprises (who would
> certainly be targets for phishing),
Please can you stop conflating misissuance and phishing, as if the
latter is the only possible route to the former?
> Your second statement – that Symantec issued lots of certificates using
> Method 1 that DigiCert would never have issued – seems to imply you have
> found misissuance by Symantec.
No, it doesn't. It means that the level of assurance that it went to the
right person is not high enough for DigiCert, but they have no evidence
it went to the wrong person. It may have done; they don't know.
More information about the Public