[cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

Gervase Markham gerv at mozilla.org
Thu Apr 27 16:35:54 UTC 2017


On 26/04/17 23:05, Kirk Hall wrote:
> Gerv, I’m late to the discussion on this.  By can you start at the
> beginning, and explain why you believe DTPs should not be permitted to
> perform domain validation under any circumstances?

We did have this discussion at the face-to-face, and I'm fairly sure you
were present, as it was with the whole room. It's somewhat frustrating
that this is not yet reflected in the minutes. But perhaps you can rack
your memory? :-)

> Clearly the work of all DTPs should be audited, and the DTP part of the
> audit should roll up somehow into the issuing CA’s audit.  I know that
> can be complex (and under current rules, may be hard for browsers to
> monitor and feel confident they understand the ENTIRE network of DTPs,
> etc. used by the CA under each root).  But it can be done.

As noted at the time, the audit situation needs fixing, but fixing it is
difficult and will be time-consuming. Domain validation is an important
enough CA function that we feel it should be done in-house in all cases,
and taken out of the audit quagmire with a simple ban. No CA came
forward at the face-to-face to say this would be a problem for them.

Gerv



More information about the Public mailing list