On 17/05/16 22:41, Kathleen Wilson wrote:
> On Monday, May 16, 2016 at 9:20:56 AM UTC-7, Kathleen Wilson wrote:
>> I am wondering if the BRs need to be updated to:
>> + Define what is meant by "Certificate misuse, or other types of fraud". 
>> (e.g. being used for a purpose outside of that contained in the cert, or 
>> applicant provided false information.)
>> + Add text similar to what is in the EV Guidelines stating that TLS/SSL 
>> certificates focus only on the ownership of the domain name(s) included in 
>> the certificate, and not on the behavior of the website. Note that the BRs 
>> already have section 9.6.1 about certificate warranties.
> 
> Would someone please volunteer to take this up with the CA/Browser Forum?

To be clear: you would like the CA/Browser Forum to define more
explicitly what is meant by "Certificate misuse, or other types of
fraud" in the definition of "Certificate Problem Report"? And your
initial proposal for a definition is "being used for a purpose outside
of that contained in the cert, or applicant provided false information"?

If we can be clear by the end of the week what we are asking, I can
bring this up in the CAB Forum face-to-face meeting next week.

> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
> "4. We reserve the right to not include a particular CA certificate in our 
> software products. This includes (but is not limited to) cases where we 
> believe that including a CA certificate (or setting its "trust bits" in a 
> particular way) would cause undue risks to users’ security, for example, with 
> CAs that
> - knowingly issue certificates without the knowledge of the entities whose 
> information is referenced in the certificates; or
> - knowingly issue certificates that appear to be intended for fraudulent use."
> 
> What is meant by "fraudulent use"?

I think the bullet as a whole could mean that we reserve the right to
not include CAs who happily issue certs to "www.paypalpayments.com" to
just anyone without any checks or High Risk string list or anything.
Such a cert, unless issued to Paypal, Inc., is clearly to be used for
fraud, IMO, and a CA is negligent in issuing it given that it's not hard
to flag for manual review any cert containing the names of major banks
and payment companies.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
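Gerv's point above is that a CA can cheaply flag for manual review any request whose names contain major bank or payment brands. The screen below is an added Python illustration, not code from this thread or from any CA; the high-risk string list, the confusable-character mapping, the vetted-domain allowlist and the two-label "registrable domain" cut are all constructed assumptions (a real CA would use its own list and the Public Suffix List).

```python
from typing import Iterable, List, Set, Tuple

# Constructed sample of a "High Risk" string list (BR 4.2.1 style).
HIGH_RISK_STRINGS = ["paypal", "bankofamerica", "hsbc"]

# Assumed map of common look-alike substitutions so that "paypa1" or
# "pay-pal" still trip the screen; the manual reviewer makes the final call.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})


def normalize_dns_name(name: str) -> str:
    """Lower-case, drop a trailing dot and a leading wildcard label."""
    n = name.strip().lower().rstrip(".")
    return n[2:] if n.startswith("*.") else n


def registrable_domain(name: str) -> str:
    """Naive last-two-labels cut; assumption standing in for the PSL."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def screen_request(
    dns_names: Iterable[str],
    high_risk: List[str] = HIGH_RISK_STRINGS,
    vetted: Set[str] = frozenset(),
) -> Tuple[bool, List[str]]:
    """Return (needs_manual_review, reasons).

    A name is skipped only when its registrable domain was previously vetted
    as belonging to the brand owner (e.g. "paypal.com" for Paypal, Inc.).
    Everything else containing a high-risk string is held for a human.
    """
    reasons: List[str] = []
    for raw in dns_names:
        name = normalize_dns_name(raw)
        if registrable_domain(name) in vetted:
            continue
        haystack = name.translate(_CONFUSABLES)
        for term in high_risk:
            if term in haystack:
                reasons.append(f"{raw}: contains high-risk string '{term}'")
    return bool(reasons), reasons


if __name__ == "__main__":
    flagged, why = screen_request(["www.paypalpayments.com", "example.com"])
    print(flagged, why)  # True, one reason for the paypal name
```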