On Thu, May 19, 2016 at 9:15 AM, <[email protected]> wrote:
> This has been a very surprising discussion to me. If most CAs were asked “Do
> you think CAs are supposed to investigate and revoke one of your certificates
> that is reported to you for injecting malware on Relying Parties clients?”
> their answer would be “Yes, of course – that’s required under the Baseline
> Requirements (BRs) and related WebTrust audit requirements.” So I’m very
> surprised to see some on this list say CAs have no duties at all to protect
> Relying Parties, or that their duties are somehow limited to “identity” issues.
Kirk, I think you misinterpreted the responses, at least if that is the take away you have. Kathleen asked specific questions and I think the responses were to those specific questions. The question "MUST CAs investigate and revoke certificates for websites that are reported to them for injecting malware on Relying Parties clients?" was not one of the questions. As a few examples of where the specific questions are important:

[KW Question] What does "misused" mean in Section 4.9.1.1?

You correctly point out there are 15 different things in 4.9.1.1. This is specifically asking about #4. I would suggest that items #5, #9, #10, and #14 all could cover the "injecting malware" case you propose.

[KW Question] If a website is using its SSL certificate to mask injection of malware and evidence of that is presented to the issuing CA, is that sufficient misuse for the CA to be required to revoke the certificate?

I think that there should be an option for the website to show they had cleaned up their website (e.g. if they had a breach) and keep their certificate rather than requiring revocation.

[KW Question] Does a website who is known to an issuing CA to inject malware count as high risk?

The BRs only reference High Risk in the section called "Performing Identification and Authentication Functions" and say "The CA SHALL develop, maintain, and implement documented procedures that identify and require additional verification activity for High Risk Certificate Requests prior to the Certificate’s approval, as reasonably necessary to ensure that such requests are properly verified under these Requirements." This explicitly attaches High Risk to verification of subject identity and domain control validation. I don't think the concept of whether a CA chooses to issue a certificate should be commingled with the identity validation -- I think it is clear that a site serving malware might pass all identification and authentication steps.

[KW Question] Are CAs required to maintain a list/database to prevent issuance of SSL certificates for websites that are known to them to inject malware?

This is clearly about the CA maintaining a list/database. As you point out there are external databases that are frequently used by CAs to determine if they want to issue a certificate, so I don't see value in requiring the CA to maintain another database themselves.

Overall you bring up many good points, but I think most of the responses were trying to directly address the questions asked. Given they are about interpretations of specific audit criteria, it is important that the responses are correctly scoped. If this had been about the question you asked, the more generic one about how to handle malware-distributing sites, that would have been different.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

