On 02/05/2017 12:46, Gervase Markham wrote:
On 02/05/17 01:55, Peter Kurrasch wrote:
I was thinking that fraud takes many forms generally speaking and that
the PKI space is no different. Given that Mozilla (and everyone else)
work very hard to preserve the integrity of the global PKI and that the
PKI itself is an important tool to fighting fraud on the Internet, it
seems to me like it would be a missed opportunity if the policy doc made
no mention of fraud.

Some fraud scenarios that come to mind:

- false representation as a requestor
- payment for cert services using a stolen credit card number
- malfeasance on the part of the cert issuer

Clearly, we have rules for vetting (in particular, EV) which try and
avoid such things happening. It's not like we are indifferent. But
stolen CC numbers, for example, are a factor for which each CA has to
put in place whatever measures they feel appropriate, just as any
business does. It's not really our concern.

- requesting and obtaining certs for the furtherance of fraudulent activity

Regarding that last item, I understand there is much controversy over
the prevention and remediation of that behavior but I would hope there
is widespread agreement that it does at least exist.

It exists, in the same way that cars are used for bank robbery getaways,
but the Highway Code doesn't mention bank robberies.


However a highway code may mention the authority of the highway police
to establish roadblocks and stop vehicles in relation to general
criminal issues.  (But it is obviously not against any law for the
police to not establish roadblocks and vehicle searches for every bank
robbery ever committed, just as there is no requirements for CAs to
revoke certificates for every allegedly fraudulent use possible).


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list

Reply via email to