On Wed, May 25, 2016 at 6:50 AM,  <tech29...@gmail.com> wrote:
> If I understand you correctly, you are saying that CAs should not be doing 
> any "internet policing" or "content policing" when they receive credible 
> reports their certs are being used by phishers, malware providers, etc. -- 
> but that browsers can and should do "internet policing" or "content policing" 
> when they blacklist sites on such applications as Google Safe Browsing and 
> Microsoft Smart Screen -- am I stating that correctly?  If so, I was not the 
> one to introduce the topic to this string.

As Eric pointed out, no, you are not understanding correctly. I was
merely addressing Kathleen's question about whether all CAs are
required to police, not whether some CAs can, if they so decide. I
don't believe CAs SHOULD police, but that's irrelevant to the more
substantial question - I don't believe CAs MUST police.

> Plus -- I don't agree this string is about promoting encryption only.

That's OK. It's clear we disagree about the value of privacy,
confidentiality, and integrity - which TLS provides. I believe these
three are valuable in and of themselves, and we must not sacrifice
them in order to also add 'brand protection'.

>  Kathleen started by asking for interpretation of existing BR language that 
> requires CAs to revoke and/or non-issue for things like "Certificate misuse, 
> or other types of fraud, compromise, misuse, or inappropriate conduct related 
> to Certificates."

And that's what I was responding to, but you then dove-tailed into an
unrelated discussion about how Microsoft/Google technologies work,
which doesn't seem as germane to the question.

> Why should CAs delegate to or rely on browsers for this type of user 
> protection?

Because security works best when it's composed. Why should CAs
delegate encryption to TLS? Why shouldn't each CA come up with their
own encryption technology, and deploy it using browser plugins? Why
should CAs rely on DNS? Why shouldn't they come up with their own
naming schemes?

The answer is that different parties in the ecosystem have different
roles, and are best suited to different tasks. You've already heard,
several times, the answer to your question - because CAs content
policing themselves comes with real risks and harm. While some CAs
may, as part of their brand, choose to do content policing, site
operators have an easy recourse - simply don't use those CAs. The
market is flexible enough to permit that. Suggesting, however, that ALL CAs
must do so, implies that ALL CAs must share your values, and it's
clear that such a position can and does cause real harm.

> Isn't it better for CAs to remain involved by revoking certs / refusing to 
> issue certs to known bad sites, like CAs have done for at least the past 8 
> years - why change that now?  Why can't both CAs and browsers work together 
> for maximum user protection?

This has already been responded to several times by participants on
the thread. I don't think it adds value to keep saying it, and it's
been said in a variety of ways that I don't think it bears restating.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy