On 05/16/16 12:22, Richard Z wrote:
> On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote:
> > Some CAs may choose to not issue to sites known to inject malware, but
> > this is outside the scope of the SSL requirements. The EV Guidelines are
> > very clear that the reputation and actions of the Subject are not in
> > scope:
>
> Knowingly issuing/tolerating certificates for sites known to inject
> malware is
> * contrary to user expectations
> * possible case of criminal felony and a liability issue
>
> So irrespective of what EV Guidelines say there may be other common
> sense reasons to require revocation of such certificates and I would
> not want Mozilla to underbid the already minimalistic security
> promise of TLS.
>
> Having an identity established by EV is nice but in most cases of
> malware attacks the user has no chance to examine this identity if
> the attack comes in an injected iframe.

Do you think revoking certificates from malware-injecting sites would
have or has had meaningful effects on the security received by users?
I'd note that, even with OCSP hard-fail (not default), revocation takes
at least the duration of OCSP response validity to reliably take effect,
often 1 week.
Even if it did not, CAs seem to be in a very poor position to evaluate
whether sites are serving malware (compared to, say, browser vendors who
run programs like the Google Safe Browsing list) or to have nuanced
responses to tricky cases, like shared web hosts or advertising networks
who have some customers which are serving malware.