[cabfpub] Voting on Ballot 218

Kirk Hall Kirk.Hall at entrustdatacard.com
Tue Jan 30 14:37:55 UTC 2018


Tim - your argument of "who knows if any certs have been misissued under
Method 1" could apply to all other methods.  That's not an argument that
there HAVE been misissued certs.  We have been using the method for many
years at multiple companies for many major enterprises (who would certainly
be targets for phishing), and no one has ever reported a single case of
misissuance.  I think that's pretty conclusive versus a "who knows"
argument.

 

Your second statement - that Symantec issued lots of certificates using
Method 1 that DigiCert would never have issued - seems to imply you have
found misissuance by Symantec.  If so, you should probably file an Incident
Report on the Mozilla list and revoke the certs in question.  If you don't
do that, we have to assume the certs were not misissued.

 

If you can't provide any facts showing misissuance of any cert using Method
1, please stop saying that there has been misissuance.

 

From: Tim Hollebeek [mailto:tim.hollebeek at digicert.com] 
Sent: Tuesday, January 30, 2018 9:27 AM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public
Discussion List <public at cabforum.org>; Bruce Morton
<Bruce.Morton at entrustdatacard.com>
Subject: [EXTERNAL]RE: Voting on Ballot 218

 

> There have been no cases of misissuance using Method 1 over roughly 20
> years

 

You guys have been told repeatedly that you have no evidence this statement
is true.  You need to stop saying it.

 

The truth is it is extremely hard to "misissue" a certificate using method
1, precisely because it is so weak.  Some of the certificates issued using
method 1 probably went to people they shouldn't have gone to.  We have no
idea how many, because the CAs used method 1, which doesn't validate much!

 

Symantec issued lots of certificates in full compliance with method 1 that
DigiCert would never have issued.  Attempting to spin that into a rosy
picture of 20 years of wonderfulness is a huge stretch.

 

-Tim

 
