On 16/05/16 17:20, Kathleen Wilson wrote:
This discussion should consider what's best for Mozilla's users. Perhaps
that aligns precisely with the minimum requirements in the EVGs, or perhaps
it doesn't.  Mozilla are free to specify additional requirements if they
feel the need to do so, just as Microsoft did recently...

Maybe I misunderstood the original email from Kathleen, but my
impression was that she was looking purely for clarification of what
is already required by the CA/Browser Forum Baseline Requirements.  As
you point out Mozilla can adopt additional requirements as part of the
Mozilla CA Certificate Policy, but I think that is a different
discussion.  In order to have that discussion, one needs to understand
what is already required by the Policy, and that is what I was
addressing.

My original email was regarding the current state of the BRs, and I would like 
to clarify what current requirements are.

ISTM that the current state of the BRs is that "misuse" is inadequately defined.

Some groups of people will tell you that CAs MUST revoke certs for sites that are deemed to have served malware, whilst other groups of people will tell you that this absolutely isn't a requirement.

However, I think it is reasonable for this discussion to progress into whether 
or not the BRs and/or Mozilla policy need to be updated to address the 
questions.

I think the discussion must progress in that manner, or else we'll be arguing this point forever. Good luck trying to achieve consensus though!

I am wondering if the BRs need to be updated to:
+ Define what is meant by "Certificate misuse, or other types of fraud". (e.g. 
being used for a purpose outside of that contained in the cert, or applicant provided 
false information.)
+ Add text similar to what is in the EV Guidelines stating that TLS/SSL 
certificates focus only on the ownership of the domain name(s) included in the 
certificate, and not on the behavior of the website. Note that the BRs already 
have section 9.6.1 about certificate warranties.

In regards to Mozilla policy, maybe we should consider adding text about 
Mozilla's expectations for CAs when they find out that a TLS/SSL certificate 
that they issued is being used to do bad things. I've added a link to this 
discussion to
https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Proposed_Changes_Currently_in_Discussion

Thanks,
Kathleen

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
