[cabfpub] Continuing the discussion on CAA

Kirk Hall Kirk.Hall at entrustdatacard.com
Mon Oct 24 21:04:09 UTC 2016


Thanks Ryan – that is helpful.

Can you tell us who ordered the two certificates you listed?  By an employee, or by a fraudster?

In what way was the googleusercontent.com cert “not authorized”?

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Monday, October 24, 2016 1:58 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>; public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA



On Mon, Oct 24, 2016 at 1:50 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
Ryan, your response is cryptic and confusing.  I think we are wasting time.

I literally and specifically gave you multiple examples - both of where CAA *could have* prevented unauthorized issuance to third parties and where CAA *has* prevented unauthorized issuance to third parties, with specific domain names and CAs.

I cannot help you if you are unable to participate in a technical discussion, but it's very clear that the bar is not "convince you", but "explain to you" - and the latter is something that's only possible if you're honestly interested in learning, which, at this point, I can only conclude is yet another attempt to avoid productive discussions.

Can you please avoid quoting other stuff (not sure what it proves or how it helps)

It shows me attempting to honestly engage in your request that I "restate whatever evidence you have"

and just lay out on the Public list your examples in simple English of cases where CAA would have prevented misissuance of a certificate to a fraudster not associated with the organization that owns or controls the domain requested?  I don’t believe this has explicitly been discussed on the Public list before.

And yet again, you're disrespectfully changing the conversation when it's been pointed out you're mistaken.

In this case, after providing you the examples you specifically claimed were absent, and reminding you of specific conversations you were part of in which they were answered, you've now suggested that they're insufficient because they weren't discussed on the public list. As the Chair, this does not bode well at all for the future of the Forum that you would engage in such tactics so brazenly.

I will attempt to repeat for you:
googleusercontent.com
- Certs were not authorized, but conformed to 3.2.2.4. They were issued.
- We added CAA
- Certs are prevented now

amazonaws.com
- Certs were not authorized, but conformed to 3.2.2.4. They were issued.
- Amazon has not added CAA
- Unauthorized certs are still possible

Microsoft Azure
- Microsoft expressed repeatedly concerns with 3.2.2.4 about certs that were not authorized being issued.

I'm not sure how much simpler I can make it for you. But I'm certainly unwilling, at this point, to continue to engage with you on this topic, considering how dismissive you've been throughout the 2.5 years that we've been discussing this. Perhaps it would be better if someone more technically capable engaged on your behalf, so we can at least have productive discussions about where to draw the line between technical and policy solutions.
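The three bullets above describe the mechanism without showing it. What follows is an added worked example, not code from the thread, from Google, Amazon or any CA: a minimal CA-side CAA issuance check in Python over an in-memory stand-in for DNS, following the RFC 6844 rules that were in force in 2016 (climb the tree from the requested FQDN until a non-empty CAA RRset is found; `issue` restricts issuance; `issuewild` takes over for wildcard requests; an unrecognised property with the critical flag set forbids issuance; an empty issuer value `";"` forbids all issuance). CNAME/DNAME following and the later RFC 8659 changes are omitted. The zone names (`storage.example`, `cloud.example`, ...) and issuer domains (`ca.example`, `rogue-ca.example`, ...) are constructed and hypothetical; `cloud.example`, with no CAA record anywhere in its tree, is the "CAA not added, unauthorized certs still possible" case, and `storage.example` is the "CAA added, certs now prevented" case.

```python
"""Toy CAA (RFC 6844) issuance decision over an in-memory zone.

Added illustration for the CAA discussion; not the code of any CA.
All names and issuer domains below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0x80 = issuer-critical bit
    tag: str     # "issue", "issuewild", "iodef", or something newer
    value: str   # e.g. 'ca.example; account=123' or ';' (nobody may issue)


# Constructed stand-in for DNS: owner name -> CAA RRset.  Real code would
# resolve CAA (RR type 257) with a validating resolver instead.
ZONE = {
    # Domain owner has added CAA naming one CA: the "certs are prevented now" case.
    "storage.example": [CAARecord(0, "issue", "ca.example; account=123"),
                        CAARecord(0, "iodef", "mailto:security@storage.example")],
    # No CAA anywhere in the tree: any CA passing 3.2.2.4 may still issue.
    "cloud.example": [],
    # Empty issuer: no CA at all may issue for this tree.
    "locked.example": [CAARecord(0, "issue", ";")],
    # Wildcards are delegated to a different CA than ordinary names.
    "wild.example": [CAARecord(0, "issue", "ca.example"),
                     CAARecord(0, "issuewild", "other-ca.example")],
    # Critical flag on a tag this CA does not understand: must not issue.
    "strict.example": [CAARecord(0x80, "futuretag", "whatever")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup_caa(owner: str) -> list[CAARecord]:
    """One CAA query against the constructed zone (empty list = no RRset)."""
    return ZONE.get(owner, [])


def relevant_caa(fqdn: str) -> list[CAARecord]:
    """RFC 6844 s4: walk from the FQDN towards the root; the first
    non-empty CAA RRset found is the relevant one for the whole subtree."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """'ca.example; account=123' -> 'ca.example'; ';' or '' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn: str, ca: str, wildcard: bool = False) -> tuple[bool, str]:
    """CA-side decision: may `ca` issue a certificate for `fqdn`?"""
    rrset = relevant_caa(fqdn)
    if not rrset:
        return True, "no CAA RRset in the tree; CAA does not restrict issuance"
    for r in rrset:
        if r.flags & 0x80 and r.tag.lower() not in KNOWN_TAGS:
            return False, f"critical property {r.tag!r} not understood"
    tags = {"issue"}
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tags = {"issuewild"}          # issuewild overrides issue for wildcards
    permitted = {issuer_domain(r.value) for r in rrset if r.tag.lower() in tags}
    if not permitted:
        return True, "RRset carries no issue/issuewild property"
    if ca.lower() in permitted:
        return True, f"{ca} is an authorized issuer"
    return False, f"{ca} not among {sorted(permitted - {''}) or ['(nobody)']}"


if __name__ == "__main__":
    for fqdn, ca, wild in [("bucket.storage.example", "ca.example", False),
                           ("bucket.storage.example", "rogue-ca.example", False),
                           ("vm.cloud.example", "rogue-ca.example", False),
                           ("locked.example", "ca.example", False),
                           ("wild.example", "ca.example", True),
                           ("strict.example", "ca.example", False)]:
        ok, why = may_issue(fqdn, ca, wild)
        print(f"{'ALLOW' if ok else 'DENY ':5} {fqdn:26} {ca:18} {why}")
```

The subdomain cases are the instructive ones: a request for `bucket.storage.example` finds no record at that name, climbs to `storage.example`, and is refused for `rogue-ca.example` even though that CA could have satisfied a 3.2.2.4 challenge from a tenant; the same request under `cloud.example` finds nothing and is not restricted, which is exactly why adding the record matters.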