On Monday, May 16, 2016 at 9:20:56 AM UTC-7, Kathleen Wilson wrote:
> I am wondering if the BRs need to be updated to:
> + Define what is meant by "Certificate misuse, or other types of fraud". (e.g. being used for a purpose outside of that contained in the cert, or applicant provided false information.)
> + Add text similar to what is in the EV Guidelines stating that TLS/SSL certificates focus only on the ownership of the domain name(s) included in the certificate, and not on the behavior of the website. Note that the BRs already have section 9.6.1 about certificate warranties.
Would someone please volunteer to take this up with the CA/Browser Forum?

I also see a couple places in Mozilla's CA Certificate Policy where the words 'fraudulent' and 'misused' appear without having been defined...

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/

"4. We reserve the right to not include a particular CA certificate in our software products. This includes (but is not limited to) cases where we believe that including a CA certificate (or setting its "trust bits" in a particular way) would cause undue risks to users’ security, for example, with CAs that
- knowingly issue certificates without the knowledge of the entities whose information is referenced in the certificates; or
- knowingly issue certificates that appear to be intended for fraudulent use."

What is meant by "fraudulent use"? Is the second bullet point essentially a restatement of the first bullet point? Should the second bullet point be deleted?

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/

"2. CAs must revoke Certificates that they have issued upon the occurrence of any of the following events: ... the CA obtains reasonable evidence that the subscriber’s private key (corresponding to the public key in the certificate) has been compromised or is suspected of compromise (e.g. Debian weak keys), or that the certificate has otherwise been misused;"

Proposal: Change "or that the certificate has otherwise been misused;" to "or that the certificate has been used for a purpose outside of that indicated in the certificate or in the CA's subscriber agreement;"

Thanks,
Kathleen

