There is no definition or requirement for what a high risk domain is. That's the point/problem.
WoSign may determine "apple", "google", "microsoft", and "github" as High Risk.

Amazon may determine certificates issued on the first of the month are more likely to be High Risk (because it may be that the 1st of the month is the most lucrative time for credit card scammers to use their ill-gotten gains to produce dangerous domains).

On Wed, Feb 22, 2017 at 7:55 PM, Richard Wang <rich...@wosign.com> wrote:
> I don't agree with this.
> If "apple", "google", "Microsoft" is not a high risk domain, then I don’t know which domain is high risk domain, maybe only "github".
>
> Best Regards,
>
> Richard
>
> -----Original Message-----
> From: Peter Bowen [mailto:pzbo...@gmail.com]
> Sent: Thursday, February 23, 2017 11:53 AM
> To: Richard Wang <rich...@wosign.com>
> Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org; Tony Zhaocheng Tan <t...@tonytan.io>; Gervase Markham <g...@mozilla.org>
> Subject: Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist
>
> On Wed, Feb 22, 2017 at 7:35 PM, Richard Wang via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> > As I understand, the BR 4.2.1 required this:
> >
> > “The CA SHALL develop, maintain, and implement documented procedures that identify and require additional verification activity for High Risk Certificate Requests prior to the Certificate’s approval, as reasonably necessary to ensure that such requests are properly verified under these Requirements.”
> >
> > Please clarify this request, thanks.
>
> Richard,
>
> That sentence does not say that domain names including "apple", "google", or any other string are High Risk Certificate Requests (HRCR). I could define HRCR as being those that contain domain names that contain mixed script characters as defined in UTS #39 section 5.1. "apple-id-2.com" is not mixed script so it is not a HRCR based on this definition.
>
> Thanks,
> Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
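
The disagreement in this thread, as an added example that is not part of any message above and not any CA's actual procedure: two hypothetical HRCR definitions, a keyword list and a mixed-script check in the spirit of UTS #39 section 5.1, run over the same names. Assumptions: the function names and the sample domains other than "apple-id-2.com" are constructed, and the script of a character is approximated from the first word of its Unicode name because the Python standard library does not expose Script_Extensions.

```python
import unicodedata

# Policy A (hypothetical): substring match on the brand strings named in the thread.
KEYWORDS = ("apple", "google", "microsoft", "github")

# UTS #39 augments some scripts so that ordinary CJK text is not "mixed".
# Assumption: the first word of the Unicode character name stands in for the
# Script_Extensions property used by the real algorithm.
AUGMENTED = {
    "CJK": {"Hani", "Hanb", "Jpan", "Kore"},
    "HIRAGANA": {"Hira", "Jpan"},
    "KATAKANA": {"Kana", "Jpan"},
    "HANGUL": {"Hang", "Kore"},
}

def to_unicode(label):
    """Decode an A-label (xn--...) to its Unicode form; pass others through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def is_mixed_script(label):
    """True if no single script covers every letter of the label."""
    resolved = None
    for ch in label:
        if not ch.isalpha():  # digits, hyphens, marks: treated as Common
            continue
        first = unicodedata.name(ch, "UNKNOWN").split()[0]
        scripts = AUGMENTED.get(first, {first})
        resolved = scripts if resolved is None else resolved & scripts
    return resolved is not None and not resolved

def hrcr_by_keyword(domain):
    return any(k in domain.lower() for k in KEYWORDS)

def hrcr_by_mixed_script(domain):
    return any(is_mixed_script(to_unicode(l)) for l in domain.split("."))

# Constructed samples: the name from the thread, a label mixing Cyrillic
# U+0430 with Latin letters, and a plain control.
SAMPLES = ["apple-id-2.com", "\u0430pple.example", "example.org"]

def compare(domains=SAMPLES):
    """Map each domain to (keyword verdict, mixed-script verdict)."""
    return {d: (hrcr_by_keyword(d), hrcr_by_mixed_script(d)) for d in domains}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(ascii(name), verdicts)
```

The two definitions give opposite verdicts on the first two samples, so a request that gets additional verification under one definition gets none under the other.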