On Wednesday, 18 May 2016 16:22:39 UTC+1, Peter Bowen wrote:
> Given that there is already the ICANN UDRP, shouldn't that be the
> venue to decide who is authorized to have what domain names? Should
> CAs be responsible for making calls on who is authorized for a domain
> name?
The UDRP and the registrars only get to see the 2LD, whereas a CA is making an assertion about the entire name certified.

I would be a lot more comfortable just saying "No" here if Mozilla had mandated CT logging. With CT logging you can argue that figuring out if hsbc.customerhelp.example is "legitimate" is left as a problem for HSBC via log monitoring (either with their own monitor or, more likely, a service provider), as they please.

However, with the current level of voluntary logging you have the same situation as CAA. The most scrupulous CAs log everything, some others selectively opt out for paying customers, and some log nothing whatsoever. A policy change, and in the longer term a commitment to require SCTs, would alter that landscape. But until then it's easy to have some sympathy for the idea of "high risk" names as a check for CAs to perform to protect the ecosystem. More sympathy than for the idea of them inspecting a site's contents.

Also, FWIW, I believe that even though I sometimes insist on expanding it to Hong Kong and Shanghai Banking Corporation, that isn't legally correct. HSBC today doesn't stand for anything at all; the name of the globally famous bank is literally just HSBC.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
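The asymmetry the post describes (a registrar or UDRP panel sees only the registrable domain, while a CT monitor sees every name a CA has certified) is easy to show with a toy monitor. The following is an added example written for this page, not code from the original post or from any real CT monitor. The log entries, the brand watch list and the "owned domains" allow list are all constructed for illustration, and the 2LD extraction assumes a single-label public suffix (a real monitor would consult the Public Suffix List). The example goes slightly beyond the post's single hsbc.customerhelp.example case by also catching the brand token embedded inside a label and under a wildcard.

```python
"""Toy CT log monitor: flag a watched brand token anywhere in a certified
name, and compare that with the registrar/UDRP view, which only sees the
registrable domain (2LD). Added example; all data below is constructed."""
from dataclasses import dataclass, field

# Constructed sample of what a monitor would pull from a CT log: the
# DNS names (CN/SAN) each logged certificate covers. Not real log data.
SAMPLE_LOG_ENTRIES = [
    {"index": 1, "names": ["www.hsbc.example", "hsbc.example"]},
    {"index": 2, "names": ["hsbc.customerhelp.example"]},
    {"index": 3, "names": ["secure-hsbc-login.example"]},
    {"index": 4, "names": ["mail.customerhelp.example"]},
    {"index": 5, "names": ["*.hsbconline.example"]},
]

# Hypothetical watch list a brand owner would configure in their monitor.
BRAND_TOKENS = ["hsbc"]

# Hypothetical allow list: registrable domains the brand owner controls.
OWNED_DOMAINS = {"hsbc.example"}


def registrable_domain(name: str) -> str:
    """Approximate the 2LD that a registrar/UDRP sees.
    Assumption: single-label public suffix (e.g. ".example"); a wildcard
    prefix is stripped first. A real monitor must use the Public Suffix List.
    """
    host = name[2:] if name.startswith("*.") else name
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def brand_matches(text: str, tokens) -> list:
    """Brand tokens that occur anywhere in `text` (any label, any position)."""
    lowered = text.lower()
    return [t for t in tokens if t in lowered]


def registrar_view(name: str, tokens=BRAND_TOKENS) -> list:
    """What a registrar/UDRP check could notice: tokens in the 2LD only."""
    return brand_matches(registrable_domain(name), tokens)


@dataclass
class Finding:
    log_index: int
    name: str
    registrable: str
    tokens: list = field(default_factory=list)


def scan_entries(entries, tokens=BRAND_TOKENS, owned=OWNED_DOMAINS) -> list:
    """CT-monitor view: every certified name is checked in full.
    Names whose registrable domain the brand owns are skipped as legitimate;
    anything else carrying a watched token is reported for human review.
    """
    findings = []
    for entry in entries:
        for name in entry["names"]:
            reg = registrable_domain(name)
            if reg in owned:
                continue
            hits = brand_matches(name, tokens)
            if hits:
                findings.append(Finding(entry["index"], name, reg, hits))
    return findings


def missed_by_registrar(entries, tokens=BRAND_TOKENS, owned=OWNED_DOMAINS) -> list:
    """Names the monitor flags that carry no watched token in their 2LD,
    i.e. cases only visible to whoever sees the whole certified name."""
    return [f.name for f in scan_entries(entries, tokens, owned)
            if not registrar_view(f.name, tokens)]


if __name__ == "__main__":
    for f in scan_entries(SAMPLE_LOG_ENTRIES):
        print(f"log #{f.log_index}: {f.name} (2LD {f.registrable}) hits {f.tokens}")
    print("invisible at the 2LD level:", missed_by_registrar(SAMPLE_LOG_ENTRIES))
```

The monitor only produces review candidates; deciding whether hsbc.customerhelp.example is legitimate remains, as the post says, the brand owner's problem. The point the example makes concrete is that this check is only possible at all for certificates that were logged: an unlogged certificate never reaches `scan_entries`, which is why the post ties the argument to mandatory CT logging.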

