On Tue, May 17, 2016 at 01:04:28AM +0000, Charles Reiss wrote:
> On 05/16/16 12:22, Richard Z wrote:
> >On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote:
> >
> >>Some CAs may choose to not issue to sites known to inject malware, but
> >>this is outside the scope of the SSL requirements. The EV Guidelines is
> >>very clear that the reputation and actions of the Subject are not in
> >>scope:
> >
> >knowingly issuing/tolerating certificates for sites known to inject
> >malware is
> >* contrary to user expectations
> >* possible case of criminal felony and a liability issue
> >
> >So irrespective of what EV Guidelines say there may be other common
> >sense reasons to require revocation of such certificates and I would
> >not want Mozilla to underbid the already minimalistic security
> >promise of TLS.
> >
> >Having an identity established by EV is nice but in most cases of
> >malware attacks the user has no chance to examine this identity if
> >the attack comes in an injected iframe.
>
> Do you think revoking certificates from malware-injecting sites would have or
> has had meaningful effects on the security received by users?
>
> I'd note that, even with OCSP hard-fail (not default), revocation takes at
> least the duration of OCSP response validity to reliably take effect, often
> 1 week.
>
> Even if it did not, CAs seem to be in a very poor position to evaluate
> whether sites are serving malware (compared to, say, browser vendors who run
> programs like the Google Safe Browsing list) or to have nuanced responses to
> tricky cases, like shared web hosts or advertising networks who have some
> customers which are serving malware.

The point is, if Mozilla would say "we don't care the least if certificates
are used for illegal or malicious purposes as long as the identity is
established" it might actually encourage some CAs to search for new
business models.

There are crime friendly providers already and having crime friendly CAs
is something that users would definitely notice.

Richard

-- 
Name and OpenPGP keys available from pgp key servers

