[cabfpub] Voting on Ballot 218

Gervase Markham gerv at mozilla.org
Tue Jan 30 14:46:40 UTC 2018

Hi Kirk,

On 30/01/18 14:37, Kirk Hall via Public wrote:
> Tim – your argument is “who knows if any certs have been misissued under
> Method 1” could apply to all other methods.  That’s not an argument that
> there HAVE been misissued certs.  We have been using the method for many
> years at multiple companies for many major enterprises (who would
> certainly be targets for phishing),

Please can you stop conflating misissuance and phishing, as if the
latter is the only possible route to the former?

> Your second statement – that Symantec issued lots of certificates using
> Method 1 that DigiCert would never have issued – seems to imply you have
> found misissuance by Symantec. 

No, it doesn't. It means that the level of assurance that it went to the
right person is not high enough for DigiCert, but they have no evidence
it went to the wrong person. It may have done; they don't know.


