On Tuesday 17 May 2016 10:36:16 Peter Gutmann wrote:
> Hubert Kario <hka...@redhat.com> writes:
> >then users expect impossible
>
> Users expect CAs to be something other than certificate vending
> machines. The fact that CAs fail to do this is a problem with browser
> PKI and CAs, not with users.
>
> (There have been numerous cases of security people reporting
> CA-certified phishing and malware sites to the CAs that did it. The
> general response has been "not our problem, they paid their money and
> we gave them a cert". So even if you tell the CA, they're likely not
> going to fix it).
The problem is that this is a slippery slope. What's malware for one person is a research subject for another. What's inflammatory or misleading information for one person is parody and joke material to others. What's illegal in one jurisdiction is completely legal and normal, or at least socially acceptable, behaviour in another. Remember, the web audience spans continents and vastly different cultures. Asking CAs to police such a space is asking for trouble.

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy