On 03/05/17 16:45, Peter Kurrasch wrote:
> Perhaps a different way to pose the questions here is whether Mozilla
> wants to place any expectations on the CAs regarding fraud and the
> prevention thereof.

You need to be more specific, because there are lots of different ways a
system can have "fraud" and our attitude to different ones might be
different. We are not the police.

> - When a CA is notified that a stolen credit card was used to purchase
> certs, should the CA investigate the subscriber who used it and any
> other certs that were purchased (perhaps using a different CC) and take
> appropriate action?

I'd say this is none of our business, unless the certs are mis-issued.

> - Is it reasonable for any subscriber to request more than 100 certs on
> a given day? What about 500? 1000? (The point is not to prohibit large
> requests but I would imagine there is a level which exceeds what anyone
> might consider a legitimate use case.)

I suspect some CAs will tell you that they have customers such as cloud
providers who require a very large number of certs per day. And this
also seems to be entirely outside our interest.

> - Is it reasonable for a single CA to issue over 150 certs containing
> "paypal" in the domain name? (I am referring to the analysis Vincent
> Lynch did back in March.) There are undoubtedly cases where including
> "paypal" in the name is or could be legitimate, but 150 a day, every day?

If we have decided that CAs are not "name cops", then I don't want to
reintroduce an expectation that they are by the back door.

> - Is it reasonable for a CA to issue a cert to the CIA for Yandex or to
> the Chinese government for Facebook, even if the requester does
> demonstrate "sufficient control" of the domain?

I suspect that if the Chinese government were attempting to get a cert
for Facebook mis-issued to themselves, they would not identify
themselves as the Chinese government. We care about the above as a
mis-issuance, just like any other.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy