This is a good idea, but unfortunately, hardly realizable - the fact that a country has an ISO/ITU-designated RA doesn't mean you can get an OID...

Thanks,
M.D.

On 9/4/2017 10:54 AM, Scott Rea via Public wrote:
In the use case stated here, the applicant does not qualify only because
there is not a unique ID and date registered with an accepted authority
(if I understand things correctly). So why not ask the organization to
register their company with whoever the country RA is (assuming the
country has an ISO/ITU-designated country RA) and then the resulting OID
becomes the ID, a date will be assigned to its registration and the
country RA, as part of the registration process, determines whether any
future claimant trying to re-register the same details is the original
entity or not.
Is this an acceptable solution? It would seem that it does not involve
much work and would ensure the technical requirements of EVG are met and
maintained...
No need to change existing EVG.
Thoughts?

Regards,
-Scott

On 9/2/2017 12:16 AM, Ryan Sleevi via Public wrote:

On Fri, Sep 1, 2017 at 4:01 PM, Rich Smith <richard.sm...@comodo.com> wrote:


     From: Ryan Sleevi [mailto:sle...@google.com]
     Sent: Friday, September 1, 2017 1:32 PM

     Thanks Rich for sharing the added details about when this case comes
     up.

     Is it frequent enough to require the 'fail open' case? Do we believe
     that security is improved by that - that is, it seems equally likely
     that if it was 'fail closed' (e.g. deny), then such banks desiring
     EV certificates can/would lobby RBI to ensure such information is
     provided, and that seems a positive outcome.

     [RWS] I appreciate where you're coming from with this suggestion,
     but realistically, it's not likely to happen and I'd rather we take
     steps to come up with a reasonable solution to a not entirely
     uncommon problem if we can. If we absolutely can't come to
     agreement on a reasonable solution, I'm fine at that point telling
     these customers, "Sorry you simply don't qualify," but at the end of
     the day I'd rather see us find a way to issue EVs to legit
     organizations. I don't see the point to shutting out a legit
     segment of the market because we can't be bothered to try to find a
     reasonable way to include them.


I'm not sure it's fair to say "we can't be bothered to try and find a
reasonable way" - it could very well be that there simply isn't a
reasonable way, without compromising on our principles, to accommodate
these use cases, in which case, organizations that are left out can
ensure that they meet the necessary minimum bar.

That is, I don't think it would be argued that we can't find a
reasonable way to allow EV certificates for "just" domain holders -
rather, from the perspective of CAs and their goal of EV, it's simply
incompatible to issue to an entity without doing the due-diligence to
ensure they meet the necessary bar (e.g. an incorporated entity).
Alternatively, we can look at the discussion of IV vs EV and see the
same bar - the conceptual model simply doesn't align, and it's not about
shutting out segments of markets.

You mentioned "not entirely uncommon", but it's the first time it's been
raised to the Forum that I'm aware of. I'm tremendously appreciative of
you sharing the case you did, because it was a useful exercise in
reading and researching the nature of this situation and the opportunity
to better understand the challenges CAs face. Given that the Indian
banking community is a rather small set, was your "not entirely
uncommon" meant to include other cases? Could you share further details?
Or did you really just mean that there's a number of banks in India that
fall under this scenario?

     Understandably, I'd much rather prefer a whitelist to address such
     situations rather than a blanket exception.

     [RWS] I'm OK with that and it is what I was trying to get at with my
     proposed solution. Do you have any specific feedback regarding
     that? I'll flesh it out more and turn it into a ballot if we can
     come to basic terms regarding what we generally want to see happen
     in an exception case.

Given the additional bits you shared above, I'm hoping you can shed more
light into the "not entirely uncommon" scenarios and other cases you can
think of, which will help better explore what might be a reasonable
compromise, should one exist.


_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public

