Looking at the threat from a defense-in-depth/orthogonal perspective,
doesn't it make sense that everyone -- browsers, ICANN, CAs, etc. -- does
something to combat malicious websites for the public?

-----Original Message-----
From: dev-security-policy
[mailto:[email protected]] On
Behalf Of Peter Bowen
Sent: Wednesday, May 18, 2016 9:23 AM
To: Gervase Markham <[email protected]>
Cc: [email protected]; Kathleen Wilson
<[email protected]>
Subject: Re: SSL Certs for Malicious Websites

On Wed, May 18, 2016 at 7:16 AM, Gervase Markham <[email protected]> wrote:
> I think the bullet as a whole could mean that we reserve the right to 
> not include CAs who happily issue certs to "www.paypalpayments.com" to 
> just anyone without any checks or High Risk string list or anything.
> Such a cert, unless issued to Paypal, Inc., is clearly to be used for 
> fraud, IMO, and a CA is negligent in issuing it given that it's not 
> hard to flag for manual review any cert containing the names of major 
> banks and payment companies.

Playing Devil's Advocate for a moment, if paypalpayments.com is a valid
registered domain and is owned by A Better World LLC (a Delaware
Corporation), why should they not be able to get a certificate for their
domain?

How far do you take it?  According to
http://brandirectory.com/league_tables/table/banking-500-2014, top bank
brands include "TD", "UBS", and "ING", should CAs block on "outdoor.sh",
"nightclubs.io", and "exceeding.ly"?

Why should Hong Kong and Shanghai Banking Corporation be considered to have
more claim to HSBC than the Humane Society of Broward County, the House Small
Business Committee, or Hobe Sound Bible College?

Given that there is already the ICANN UDRP, shouldn't that be the
venue to decide who is authorized to have what domain names?   Should
CAs be responsible for making calls on who is authorized for a domain name?

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
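The false-positive problem Peter raises ("TD" in outdoor.sh, "UBS" in nightclubs.io, "ING" in exceeding.ly) can be made concrete. The following is an added illustration, not code from the thread, Mozilla, or any CA: it screens a requested name against a constructed brand list both with a naive substring check and with a label-aware check, and treats a hit as a trigger for manual review rather than refusal.

```python
"""High-risk string screening for certificate requests: contrasts a naive
substring check over brand names with label-aware matching, and shows that
a flag should route the request to manual review, not reject it."""

# Constructed brand list built from names mentioned in the thread;
# this is not any CA's real High Risk string list.
HIGH_RISK_BRANDS = ["paypal", "td", "ubs", "ing", "hsbc"]


def naive_flags(fqdn: str) -> list[str]:
    """Flag every brand that appears anywhere in the name (outdoor.sh -> td)."""
    name = fqdn.lower()
    return [b for b in HIGH_RISK_BRANDS if b in name]


def label_aware_flags(fqdn: str, min_affix_len: int = 4) -> list[str]:
    """Flag a brand only if it is a whole DNS label, or if a label begins or
    ends with it and the brand is long enough not to occur by chance.
    Short brands (td, ubs, ing) therefore only match as a complete label."""
    labels = fqdn.lower().rstrip(".").split(".")
    hits = []
    for brand in HIGH_RISK_BRANDS:
        for label in labels:
            if label == brand:
                hits.append(brand)
                break
            if len(brand) >= min_affix_len and (
                label.startswith(brand) or label.endswith(brand)
            ):
                hits.append(brand)
                break
    return hits


def review_decision(fqdn: str) -> str:
    """A hit means a human looks at the request; the registrant may well be
    a legitimate holder of the name (the A Better World LLC case above)."""
    return "manual review" if label_aware_flags(fqdn) else "automated issuance"


if __name__ == "__main__":
    for name in ["paypalpayments.com", "outdoor.sh", "nightclubs.io",
                 "exceeding.ly", "td.com", "www.example.com"]:
        print(f"{name:20} naive={naive_flags(name)!s:10} "
              f"label-aware={label_aware_flags(name)!s:10} -> {review_decision(name)}")
```

Whatever the matching rule, the screen only decides who gets a second look; it does not settle the ownership question Peter points to the UDRP for.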

