[cabfpub] Voting on Ballot 218
sleevi at google.com
Tue Jan 30 07:49:08 MST 2018
On Tue, Jan 30, 2018 at 9:37 AM, Kirk Hall via Public <public at cabforum.org>
> Tim – your argument is “who knows if any certs have been misissued under
> Method 1” could apply to all other methods. That’s not an argument that
> there HAVE been misissued certs. We have been using the method for many
> years at multiple companies for many major enterprises (who would
> certainly be targets for phishing), and no one has ever reported a single
> case of misissuance. I think that’s pretty conclusive versus a “who knows”
> Your second statement – that Symantec issued lots of certificates using
> Method 1 that DigiCert would never have issued – seems to imply you have
> found misissuance by Symantec. If so, you should probably file an Incident
> Report on the Mozilla list and revoke the certs in question. If you don’t
> do that, we have to assume the certs were not misissued.
This is the fundamental disagreement, and is the same as the discussion
regarding "Any Other Method".
A CA that views "misissuance" solely as "Violated the BRs" is a CA that
fails to understand how security works, and puts the ecosystem at risk.
A CA that views "misissuance" as "Does not provide the level of assurance
that the BRs, in ideal conditions, is meant to assure" is a CA that is
proactively taking steps to ensure Web security.
This highlights the apparent disconnect between these two statements.
DigiCert has highlighted multiple certificates they believe that fully
comply with the language, as written, but fail to meet the understanding or
objectives of the Web PKI (at best), and may not have been authorized (at
worst). You've repeatedly taken the position that "Compliance is proof that
it's not misissuance", while multiple members have attempted, over the
years, to highlight that compliance, without understanding or meeting the
objectives of said compliance, is insufficient.
Entrust appears to be taking the position that because they fully complied
with the BRs, there is no harm done, which is to grossly misunderstand the
BRs and security. It also misunderstands that what a CA, such as Entrust,
claims to practice (and how they may claim to mitigate the risks, although
no mitigations for the many identified risks have been offered), is
different from what the BRs permit, and it is the latter that is far, far
more concerning to the stability and security of the ecosystem.
> If you can’t provide any facts showing misissuance of any cert using
> Method 1, please stop saying that there has been misissuance.
> *From:* Tim Hollebeek [mailto:tim.hollebeek at digicert.com]
> *Sent:* Tuesday, January 30, 2018 9:27 AM
> *To:* Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>; Bruce Morton <
> Bruce.Morton at entrustdatacard.com>
> *Subject:* [EXTERNAL]RE: Voting on Ballot 218
> > There have been no cases of misissuance using Method 1 over roughly 20
> You guys have been told repeatedly that you have no evidence this
> statement is true. You need to stop saying it.
> The truth is it is extremely hard to “misissue“ a certificate using method
> 1, precisely because it is so weak. Some of the certificates issued using
> method 1 probably went to people they shouldn’t have gone to. We have no
> idea how many, because the CAs used method 1, which doesn’t validate much!
> Symantec issued lots of certificates in full compliance with method 1 that
> DigiCert would never have issued. Attempting to spin that into a rosy
> picture of 20 years of wonderfulness is a huge stretch.
> Public mailing list
> Public at cabforum.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public