Tim - your argument is "who knows if any certs have been misissued under Method 1" could apply to all other methods. That's not an argument that there HAVE been misissued certs. We have been using the method for many years at multiple companies for many major enterprises (who would certainly be targets for phishing), and no one has ever reported a single case of misissuance. I think that's pretty conclusive versus a "who knows" argument.
Your second statement - that Symantec issued lots of certificates using Method 1 that DigiCert would never have issued - seems to imply you have found misissuance by Symantec. If so, you should probably file an Incident Report on the Mozilla list and revoke the certs in question. If you don't do that, we have to assume the certs were not misissued. If you can't provide any facts showing misissuance of any cert using Method 1, please stop saying that there has been misissuance. From: Tim Hollebeek [mailto:[email protected]] Sent: Tuesday, January 30, 2018 9:27 AM To: Kirk Hall <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]>; Bruce Morton <[email protected]> Subject: [EXTERNAL]RE: Voting on Ballot 218 > There have been no cases of misissuance using Method 1 over roughly 20 years You guys have been told repeatedly that you have no evidence this statement is true. You need to stop saying it. The truth is it is extremely hard to "misissue" a certificate using method 1, precisely because it is so weak. Some of the certificates issued using method 1 probably went to people they shouldn't have gone to. We have no idea how many, because the CAs used method 1, which doesn't validate much! Symantec issued lots of certificates in full compliance with method 1 that DigiCert would never have issued. Attempting to spin that into a rosy picture of 20 years of wonderfulness is a huge stretch. -Tim
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
