I was thinking that fraud takes many forms generally speaking and that the PKI space is no different. Given that Mozilla (and everyone else) work very hard to preserve the integrity of the global PKI and that the PKI itself is an important tool for fighting fraud on the Internet, it seems to me like it would be a missed opportunity if the policy doc made no mention of fraud.

Some fraud scenarios that come to mind:

- false representation as a requestor
- payment for cert services using a stolen credit card number
- malfeasance on the part of the cert issuer
- requesting and obtaining certs for the furtherance of fraudulent activity

Regarding that last item, I understand there is much controversy over the prevention and remediation of that behavior but I would hope there is widespread agreement that it does at least exist.



From: Gervase Markham
Sent: Monday, May 1, 2017 10:49 AM
To: Peter Kurrasch; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Policy 2.5 Proposal: Remove the bullet about "fraudulent use"

On 01/05/17 16:28, Peter Kurrasch wrote:
> Gerv, does this leave the Mozilla policy with no position statement regarding fraud in the global PKI?

What do you mean by "in"?

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
