On Wednesday, May 18, 2016 at 6:22:39 PM UTC+3, Peter Bowen wrote:
> On Wed, May 18, 2016 at 7:16 AM, Gervase Markham <g...@mozilla.org> wrote:
> > I think the bullet as a whole could mean that we reserve the right to
> > not include CAs who happily issue certs to "www.paypalpayments.com" to
> > just anyone without any checks or High Risk string list or anything.
> > Such a cert, unless issued to Paypal, Inc., is clearly to be used for
> > fraud, IMO, and a CA is negligent in issuing it given that it's not hard
> > to flag for manual review any cert containing the names of major banks
> > and payment companies.
>
> Playing Devil's Advocate for a moment, if paypalpayments.com is a
> valid registered domain and is owned by A Better World LLC (a Delaware
> Corporation), why should they not be able to get a certificate for
> their domain?
>
> How far do you take it? According to
> http://brandirectory.com/league_tables/table/banking-500-2014, top
> bank brands include "TD", "UBS", and "ING", should CAs block on
> "outdoor.sh", "nightclubs.io", and "exceeding.ly"?
>
> Why should Hong Kong and Shanghai Banking Corporation be considered to
> have claim to HSBC than the Humane Society of Broward County, the
> House Small Business Committee, or Hobe Sound Bible College?
>
> Given that there is already the ICANN UDRP, shouldn't that be the
> venue to decide who is authorized to have what domain names? Should
> CAs be responsible for making calls on who is authorized for a domain
> name?
>
> Thanks,
> Peter
I will also add a classical example that used to exist there: gmail.de

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
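As an added illustration of the trade-off argued in this thread (not code from any CA or from the list participants), the script below runs the domains mentioned above through two hypothetical "high risk string" screens: a naive substring match, which flags outdoor.sh, nightclubs.io and exceeding.ly exactly as Peter describes, and a whole-label match, which avoids those false positives but then never sees paypalpayments.com at all and still cannot tell HSBC the bank from any other organisation using the same four letters. The brand list is a constructed sample drawn from the names in the discussion.

```python
# Added example, not part of the mailing-list thread: two ways a CA might
# screen a requested hostname against a "high risk" brand list, run over
# the domains discussed above to show where each approach breaks.

# Constructed sample brand list taken from names mentioned in the thread.
HIGH_RISK_BRANDS = ("paypal", "hsbc", "td", "ubs", "ing", "gmail")


def labels(domain: str) -> list[str]:
    """Split a hostname into its lowercase DNS labels."""
    return domain.lower().rstrip(".").split(".")


def flag_substring(domain: str, brands=HIGH_RISK_BRANDS) -> list[str]:
    """Naive screen: flag any brand that occurs anywhere in the name.

    Catches "paypalpayments.com", but also "outdoor.sh" (contains "td"),
    "nightclubs.io" ("ubs") and "exceeding.ly" ("ing"): the false
    positives Peter raises.
    """
    host = domain.lower()
    return [b for b in brands if b in host]


def flag_label(domain: str, brands=HIGH_RISK_BRANDS) -> list[str]:
    """Stricter screen: flag a brand only when it is an entire DNS label.

    Removes the short-brand false positives, but misses
    "paypalpayments.com" entirely, and still flags "hsbc.org" whoever
    the registrant is, which is the point about HSBC: string matching
    cannot decide who is authorised for a name.
    """
    parts = labels(domain)
    return [b for b in brands if b in parts]


def screen(domain: str) -> dict[str, list[str]]:
    """Return both verdicts for one hostname, for side-by-side review."""
    return {"substring": flag_substring(domain), "label": flag_label(domain)}


if __name__ == "__main__":
    for name in ("www.paypalpayments.com", "outdoor.sh", "nightclubs.io",
                 "exceeding.ly", "hsbc.org", "gmail.de"):
        print(f"{name:24} {screen(name)}")
```

Neither screen is a policy; the output only shows that a manual-review queue built on the substring rule fills with legitimate short-brand collisions, while the label rule lets the example Gerv gave through untouched.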