On 16/05/16 01:43, Peter Bowen wrote:
> <snip>
> Some CAs may choose to not issue to sites known to inject malware, but
> this is outside the scope of the SSL requirements.  The EV Guidelines are
> very clear that the reputation and actions of the Subject are not in
> scope:

Peter, I'd just like to point out that the EVGs also say (emphasis mine):
"The Guidelines describe an integrated set of technologies, protocols, identity proofing, lifecycle management, and auditing practices specifying the *minimum requirements* that must be met in order to issue and maintain Extended Validation Certificates (“EV Certificates”) concerning an organization."

This discussion should consider what's best for Mozilla's users. Perhaps that aligns precisely with the minimum requirements in the EVGs, or perhaps it doesn't. Mozilla are free to specify additional requirements if they feel the need to do so, just as Microsoft did recently...

https://aka.ms/rootcert
"If Microsoft, in its sole discretion, identifies a DV Server Authentication certificate is being used to promote malware or unwanted software, Microsoft will contact the responsible CA and request that it revoke the certificate. The CA must either revoke the certificate within a commercially-reasonable timeframe, or it must request an exception from Microsoft within two (2) business days of receiving Microsoft’s request. Microsoft may either grant or deny the exception at its sole discretion. In the event that Microsoft does not grant the exception, the CA must revoke the certificate within a commercially-reasonable timeframe not to exceed two (2) business days."

[Please note: In this post I have not actually offered any opinions, either my own or those of my employer, on the questions that Kathleen asked at the beginning of this thread]

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy