On 16/05/16 01:13, Kathleen Wilson wrote:
> 3) If a website is using its SSL certificate to mask injection of malware and
> evidence of that is presented to the issuing CA, is that sufficient misuse
> for the CA to be required to revoke the certificate?

Counter-question to many of these: who defines what is malware, and who made them king?

> 4) Does a website who is known to an issuing CA to inject malware count as
> high risk?

Well, the definition of High Risk has a clause which basically says that the CA can define High Risk, so you'd have to ask the CA :-) But I'd say no, because the fact that they do this doesn't make them at greater risk for someone impersonating _them_.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

