Section 7.1 of the policy says that we reserve the right not to include certificates from a CA which has:
"knowingly issue certificates that appear to be intended for fraudulent use." There are a few problems with this. * It's only in the inclusion section. * It's really subjective - how could you prove a CA "knowingly" did this? How can a CA tell a certificate "appears to be intended for fraudulent use"? As bad actors don't set the "evil bit", the only way I can think of that a CA might do this check is by looking at the domain name and checking to see if it's anything like a "famous" brand. But Mozilla has taken the position that we don't believe it's the responsibility of CAs to police the domain name space. We already have the power to chuck out misbehaving CAs, or not include ones which are dodgy; we don't need this clause for that either. So I propose removing it, and reformatting the section accordingly. This is: https://github.com/mozilla/pkipolicy/issues/2 ------- This is a proposed update to Mozilla's root store policy for version 2.5. Please keep discussion in this group rather than on Github. Silence is consent. Policy 2.4.1 (current version): https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md Update process: https://wiki.mozilla.org/CA:CertPolicyUpdates _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
