Hi Richard,

Peter's point is that there is no standard definition of a "high-risk" request. It is a term defined in Section 1.6.1:

"High Risk Certificate Request: A Request that the CA flags for additional scrutiny by reference to internal criteria and databases maintained by the CA, which may include names at higher risk for phishing or other fraudulent usage, names contained in previously rejected certificate requests or revoked Certificates, names listed on the Miller Smiles phishing list or the Google Safe Browsing list, or names that the CA identifies using its own risk-mitigation criteria."

Because of the ambiguity of the definition, CAs are essentially given full discretion over what THEY think high risk is. You are allowed to say domains containing the string "apple" are high risk, and treat them as such. However, other CAs are allowed to decide that isn't high risk.

On Wed, Feb 22, 2017 at 10:55 PM, Richard Wang via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> I don't agree with this.
> If "apple", "google", "Microsoft" is not a high risk domain, then I don't
> know which domain is a high risk domain, maybe only "github".
>
> Best Regards,
>
> Richard
>
> -----Original Message-----
> From: Peter Bowen [mailto:pzbo...@gmail.com]
> Sent: Thursday, February 23, 2017 11:53 AM
> To: Richard Wang <rich...@wosign.com>
> Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org; Tony Zhaocheng Tan <t...@tonytan.io>; Gervase Markham <g...@mozilla.org>
> Subject: Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist
>
> On Wed, Feb 22, 2017 at 7:35 PM, Richard Wang via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
> > As I understand, the BR 4.2.1 required this:
> >
> > "The CA SHALL develop, maintain, and implement documented procedures that
> > identify and require additional verification activity for High Risk
> > Certificate Requests prior to the Certificate's approval, as reasonably
> > necessary to ensure that such requests are properly verified under these
> > Requirements."
> >
> > Please clarify this request, thanks.
>
> Richard,
>
> That sentence does not say that domain names including "apple", "google", or
> any other string are High Risk Certificate Requests (HRCR). I could define
> HRCR as being those that contain domain names that contain mixed script
> characters as defined in UTS #39 section 5.1. "apple-id-2.com" is not mixed
> script so it is not a HRCR based on this definition.
>
> Thanks,
> Peter
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

--
Vincent Lynch