[cabfpub] Continuing the discussion on CAA

Ryan Sleevi sleevi at google.com
Mon Oct 24 20:58:13 UTC 2016


On Mon, Oct 24, 2016 at 1:50 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com>
wrote:

> Ryan, your response is cryptic and confusing.  I think we are wasting time.
>

I literally and specifically gave you multiple examples - both of where CAA
*could have* prevented unauthorized issuance to third parties and where CAA
*has* prevented unauthorized issuance to third parties, with specific domain
names and CAs.

I cannot help you if you are unable to participate in a technical
discussion, but it's very clear that the bar is not "convince you", but
"explain to you" - and the latter is something that's only possible if
you're honestly interested in learning, which, at this point, I can only
conclude is yet another attempt to avoid productive discussions.


> Can you please avoid quoting other stuff (not sure what it proves or how
> it helps)
>

It shows me attempting to honestly engage in your request that I "restate
whatever evidence you have"


> and just lay out on the Public list your examples in simple English of
> cases where CAA would have prevented misissuance of a certificate to a
> fraudster not associated with the organization that owns or controls the
> domain requested?  I don’t believe this has explicitly been discussed on
> the Public list before.
>

And yet again, you're disrespectfully changing the conversation when it's
been pointed out you're mistaken.

In this case, after providing you the examples you specifically claimed
were absent, and reminding you of specific conversations you were part of
in which they were answered, you've now suggested that they're insufficient
because they weren't discussed on the public list. As the Chair, this does
not bode well at all for the future of the Forum that you would engage in
such tactics so brazenly.

I will attempt to repeat for you:
googleusercontent.com
- Certs were not authorized, but conformed to 3.2.2.4. They were issued.
- We added CAA
- Certs are prevented now

amazonaws.com
- Certs were not authorized, but conformed to 3.2.2.4. They were issued.
- Amazon has not added CAA
- Unauthorized certs are still possible

Microsoft Azure
- Microsoft repeatedly expressed concerns with 3.2.2.4 about certs that
were not authorized being issued.

I'm not sure how much simpler I can make it for you. But I'm certainly
unwilling, at this point, to continue to engage with you on this topic,
considering how dismissive you've been throughout the 2.5 years that we've
been discussing this. Perhaps it would be better if someone more
technically capable engaged on your behalf, so we can at least have
productive discussions about where to draw the line between technical and
policy solutions.
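
The contrast drawn in the message above, between a hosting domain that publishes CAA and one that does not, shown as a CA-side check. This is an added example, not part of the original message: it sketches the RFC 6844 tree-climbing lookup over a constructed zone, and every domain and CA name in it is made up. CNAME/DNAME handling is omitted.

```python
# Constructed zone data (assumption): name -> list of (flags, tag, value) CAA records.
ZONE = {
    "hosting.example": [(0, "issue", "ca-one.example")],  # owner published CAA
    "locked.example": [(0, "issue", ";")],                # owner forbids all issuance
    # "nocaa.example" publishes nothing, so it has no entry here
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def relevant_rrset(name, zone):
    """Climb from the requested name toward the root and return the first
    non-empty CAA RRset, so a parent's policy covers customer subdomains."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def may_issue(ca_domain, name, zone):
    """Return True if CAA permits the CA identified by ca_domain to issue for name."""
    rrset = relevant_rrset(name, zone)
    # A critical (flag bit 0x80) property the CA does not understand blocks issuance.
    if any(flags & 0x80 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag == "issue"]
    wild = [v for _, tag, v in rrset if tag == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    applicable = wild if (name.startswith("*.") and wild) else issue
    if not applicable:
        return True  # no CAA restriction: domain validation alone decides
    # The issuer domain is the part before any ";"-separated parameters;
    # a bare ";" yields an empty string, which matches no CA.
    return any(v.split(";")[0].strip().lower() == ca_domain for v in applicable)


if __name__ == "__main__":
    for ca, name in [("ca-two.example", "user123.hosting.example"),
                     ("ca-one.example", "user123.hosting.example"),
                     ("ca-two.example", "user123.nocaa.example")]:
        print(ca, name, "->", "issue" if may_issue(ca, name, ZONE) else "refuse")
```
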