On 03/05/17 16:45, Peter Kurrasch wrote:
> Perhaps a different way to pose the questions here is whether Mozilla
> wants to place any expectations on the CAs regarding fraud and the
> prevention thereof.

You need to be more specific, because there are lots of different ways a
system can have "fraud" and our attitude to different ones might be
different. We are not the police.

> - When a CA is notified that a stolen credit card was used to purchase
> certs, should the CA investigate the subscriber who used it and any
> other certs that were purchased (perhaps using a different CC) and take
> appropriate action?

I'd say this is none of our business, unless the certs are mis-issued.

> - Is it reasonable for any subscriber to request more than 100 certs on
> a given day? What about 500? 1000? (The point is not to prohibit large
> requests but I would imagine there is a level which exceeds what anyone
> might consider a legitimate use case.)

I suspect some CAs will tell you that they have customers such as cloud
providers who require a very large number of certs per day. And this also
seems to be entirely outside our interest.

> - Is it reasonable for a single CA to issue over 150 certs containing
> "paypal" in the domain name? (I am referring to the analysis Vincent
> Lynch did back in March.) There are undoubtedly cases where including
> "paypal" in the name is or could be legitimate, but 150 a day, every day?

If we have decided that CAs are not "name cops", then I don't want to
reintroduce an expectation that they are by the back door.

> - Is it reasonable for a CA to issue a cert to the CIA for Yandex or to
> the Chinese government for Facebook, even if the requester does
> demonstrate "sufficient control" of the domain?

I suspect that if the Chinese government were attempting to get a cert for
Facebook mis-issued to themselves, they would not identify themselves as
the Chinese government. We care about the above as a mis-issuance, just
like any other.

Gerv

_______________________________________________
dev-security-policy mailing list
email@example.com
https://lists.mozilla.org/listinfo/dev-security-policy