On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote:
> Some CAs may choose to not issue to sites known to inject malware, but
> this is outside the scope of the SSL requirements. The EV Guidelines are
> very clear that the reputation and actions of the Subject are not in
> scope:
Knowingly issuing/tolerating certificates for sites known to inject malware is

* contrary to user expectations
* a possible case of criminal felony and a liability issue

So, irrespective of what the EV Guidelines say, there may be other common-sense reasons to require revocation of such certificates, and I would not want Mozilla to underbid the already minimalistic security promise of TLS. Having an identity established by EV is nice, but in most cases of malware attacks the user has no chance to examine this identity if the attack comes in an injected iframe.

Richard
--
Name and OpenPGP keys available from pgp key servers

dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy