On 02/05/17 01:55, Peter Kurrasch wrote:
> I was thinking that fraud takes many forms generally speaking and that
> the PKI space is no different. Given that Mozilla (and everyone else)
> works very hard to preserve the integrity of the global PKI and that the
> PKI itself is an important tool for fighting fraud on the Internet, it
> seems to me like it would be a missed opportunity if the policy doc made
> no mention of fraud.
> Some fraud scenarios that come to mind:
> - false representation as a requestor
> - payment for cert services using a stolen credit card number
> - malfeasance on the part of the cert issuer

Clearly, we have rules for vetting (in particular, EV) which try and
avoid such things happening. It's not like we are indifferent. But
stolen CC numbers, for example, are a factor for which each CA has to
put in place whatever measures they feel appropriate, just as any
business does. It's not really our concern.

> - requesting and obtaining certs for the furtherance of fraudulent activity
> Regarding that last item, I understand there is much controversy over
> the prevention and remediation of that behavior but I would hope there
> is widespread agreement that it does at least exist.

It exists, in the same way that cars are used for bank robbery getaways,
but the Highway Code doesn't mention bank robberies.

dev-security-policy mailing list
