All,

I have been receiving questions about the following items in the CA/Browser 
Forum Baseline Requirements, and I would appreciate your input on what the 
answers are or should be.

== In the Baseline Requirements ==

Definitions:

Certificate Problem Report: Complaint of suspected Key Compromise, Certificate 
misuse, or other types of fraud, compromise, misuse, or inappropriate conduct 
related to Certificates.

High Risk Certificate Request: A Request that the CA flags for additional 
scrutiny by reference to internal criteria and databases maintained by the CA, 
which may include names at higher risk for phishing or other fraudulent usage, 
names contained in previously rejected certificate requests or revoked 
Certificates, names listed on the Miller Smiles phishing list or the Google 
Safe Browsing list, or names that the CA identifies using its own 
risk‐mitigation criteria.

Section 4.2.1:
The CA SHALL develop, maintain, and implement documented procedures that 
identify and require additional verification activity for High Risk Certificate 
Requests prior to the Certificate’s approval, as reasonably necessary to ensure 
that such requests are properly verified under these Requirements.

Section 4.9.1.1:
The CA SHALL revoke a Certificate within 24 hours if one or more of the 
following occurs:
…  4. The CA obtains evidence that the Certificate was misused;

Section 4.9.2:
Additionally, Subscribers, Relying Parties, Application Software Suppliers, and 
other third parties may submit Certificate Problem Reports informing the 
issuing CA of reasonable cause to revoke the certificate.

Section 4.9.5:
The CA SHALL begin investigation of a Certificate Problem Report within 
twenty-four hours of receipt, and decide whether revocation or other 
appropriate action is warranted based on at least the following criteria:
1. The nature of the alleged problem;
2. The number of Certificate Problem Reports received about a particular 
Certificate or Subscriber;
3. The entity making the complaint (for example, a complaint from a law 
enforcement official that a Web site is engaged in illegal activities should 
carry more weight than a complaint from a consumer alleging that she didn’t 
receive the goods she ordered); and
4. Relevant legislation.

Section 4.10.2:
The CA SHALL maintain a continuous 24x7 ability to respond internally to a 
high-priority Certificate Problem Report, and where appropriate, forward such a 
complaint to law enforcement authorities, and/or revoke a Certificate that is 
the subject of such a complaint.

== Questions ==
1) What does "Certificate misuse, or other types of fraud" in the definition of 
Certificate Problem Report actually mean?
2) What does "misused" mean in Section 4.9.1.1?
3) If a website is using its SSL certificate to mask injection of malware and 
evidence of that is presented to the issuing CA, is that sufficient misuse for 
the CA to be required to revoke the certificate?
4) Does a website that is known to an issuing CA to inject malware count as high 
risk?
5) Are CAs required to maintain a list/database to prevent issuance of SSL 
certificates for websites that are known to them to inject malware?
==

As always, I will appreciate your thoughtful and constructive input on these 
questions.

Thanks,
Kathleen










_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
