在2017年05月03日 10:15,Jakob Bohm via dev-security-policy 写道:
On 02/05/2017 12:46, Gervase Markham wrote:
> On 02/05/17 01:55, Peter Kurrasch wrote:
>> I was thinking that fraud takes many forms generally speaking and that
>> the PKI space is no different. Given that Mozilla (and everyone else)
>> work very hard to preserve the integrity of the global PKI and that the
>> PKI itself is an important tool to fighting fraud on the Internet, it
>> seems to me like it would be a missed opportunity if the policy doc made
>> no mention of fraud.
>> Some fraud scenarios that come to mind:
>> - false representation as a requestor
>> - payment for cert services using a stolen credit card number
>> - malfeasance on the part of the cert issuer
> Clearly, we have rules for vetting (in particular, EV) which try and
> avoid such things happening. It's not like we are indifferent. But
> stolen CC numbers, for example, are a factor for which each CA has to
> put in place whatever measures they feel appropriate, just as any
> business does. It's not really our concern.
>> - requesting and obtaining certs for the furtherance of fraudulent activity
>> Regarding that last item, I understand there is much controversy over
>> the prevention and remediation of that behavior but I would hope there
>> is widespread agreement that it does at least exist.
> It exists, in the same way that cars are used for bank robbery getaways,
> but the Highway Code doesn't mention bank robberies.
> Gerv

However a highway code may mention the authority of the highway police
to establish roadblocks and stop vehicles in relation to general
criminal issues.  (But it is obviously not against any law for the
police to not establish roadblocks and vehicle searches for every bank
robbery ever committed, just as there is no requirements for CAs to
revoke certificates for every allegedly fraudulent use possible).


Jakob Bohm, CIO, Partner, WiseMo A/S.
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list
dev-security-policy mailing list

Reply via email to