[cabfpub] Proposed new ballot on IP Addresses in SANs
Rob Stradling
rob.stradling at comodo.com
Thu Apr 21 13:48:40 UTC 2016
On 21/04/16 14:24, Jody Cloutier wrote:
> Simple - because we have customers who now need the functionality, and
> without this change we cannot give it to them.
Jody,
You said that Microsoft "are not currently planning on back-porting this
change to previous operating systems".
ISTM that Microsoft are free to decide to change their plans!
Then we wouldn't have to weaken the BRs.
> <http://aka.ms/weboutlook>
>
> ------------------------------------------------------------------------
> *From:* Richard Barnes <rbarnes at mozilla.com>
> *Sent:* Thursday, April 21, 2016 6:22:02 AM
> *To:* Jody Cloutier
> *Cc:* Ryan Sleevi; Rick Andrews; public at cabforum.org
> *Subject:* Re: [cabfpub] Proposed new ballot on IP Addresses in SANs
>
>
> On Thu, Apr 21, 2016 at 9:13 AM, Jody Cloutier <jodycl at microsoft.com
> <mailto:jodycl at microsoft.com>> wrote:
>
> Ryan, I'm not sure I understand why Google is so intent on this new
> course of public shaming on this matter and others currently under
> discussion, but if it helps to do the right thing, then fine. The
> fact is that the requirement was not addressed, and we need to
> figure out how to fix the issue for all of our customers. Microsoft
> has addressed this in Windows 10, but we are not currently planning
> on back-porting this change to previous operating systems. As such,
> this change is needed or all of our customers will be affected.
>
>
> Maybe I'm being dense, but I'm still not understanding what's changed
> here. How have these customers not been "affected" already for all
> time? The BRs have *always* prohibited IP addresses in dNSName SANs
> (all the way back to v1), so presumably if everyone were adhering to the
> BRs, people haven't *ever* been able to use pre-Win10 cilents. Why do
> we need to create that capability now?
>
> --Richard
>
>
> ------------------------------------------------------------------------
> *From:* public-bounces at cabforum.org
> <mailto:public-bounces at cabforum.org> <public-bounces at cabforum.org
> <mailto:public-bounces at cabforum.org>> on behalf of Ryan Sleevi
> <sleevi at google.com <mailto:sleevi at google.com>>
> *Sent:* Saturday, April 16, 2016 9:37 AM
> *To:* Rick Andrews
> *Cc:* public at cabforum.org <mailto:public at cabforum.org>
> *Subject:* Re: [cabfpub] Proposed new ballot on IP Addresses in SANs
>
>
> On Sat, Apr 16, 2016 at 9:31 AM, Rick Andrews
> <Rick_Andrews at symantec.com <mailto:Rick_Andrews at symantec.com>> wrote:
>
> I disagree with the tone that CAs are entirely to blame here.
>
>
> Why? I provided you evidence on how you could have issued such
> certificates without violating the BRs.
>
> The fact that you:
> 1) Seemingly did not attempt to discover this yourself
> 2) If you did attempt, were unable to, and did not seek for outside
> input
> 3) When you did receive outside input, ignored it
> 4) Have continued to argue that it's necessary, without providing
> any response in over 8 months show that it isn't
>
> Shows that the CAs doing this ARE entirely to blame.
>
> The BRs are baseline requirements, and browser vendors often say
> that they have the right to impose additional requirements above
> and beyond the BRs. When that happens, though, it sometimes puts
> CAs in a bind.
>
>
> And by a bind, it means you'd like to do something, but can't,
> besides browsers say you shouldn't. That isn't a bind - that's how
> security works. You can't be simultaneously trusted to be the
> bastion of online security while also engaging in insecure
> practices. That isn't how trust works.
>
> This is a case in which the BRs say we can't do something, but
> one browser vendor says we can.
>
>
> I'd love to hear that from Jody, given the evidence.
>
> Ideally, Microsoft would have recognized this back before the
> BRs were adopted, and addressed it in their platform or lobbied
> to rewrite the requirement.
>
>
> "And addressed it in their platform" - but they did, as you yourself
> have said. Windows 10 addressed this.
>
> But that didn't happen. We're trying to rectify the situation now.
>
>
> You're not trying to rectify it. If you were, you would have
> explored 8 months ago what I proposed, and reported back to the
> Forum why it wasn't viable.
>
> And let's be clear here: there's a big difference between "not
> viable" (e.g. it doesn't work) and "not desirable" (e.g. our
> customers or we have to do more work). Given the role that CAs play
> in the online trust ecosystem, the goal is not to enable every
> business desire a CA has, nor to encourage or bless every practice
> that violates standards. It's to make a balanced tradeoff between
> risk, reward, and standards. I have seen no evidence of good-faith
> effort on your part in the past 8 months to strike that balance,
> because if there had been, the line of reasoning for this change
> wouldn't be what you're presently arguing.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public
mailing list