On 03/05/2017 17:45, Peter Kurrasch wrote:
Perhaps a different way to pose the questions here is whether Mozilla
wants to place any expectations on the CA's regarding fraud and the
prevention thereof. Expectations beyond what the BR's address, that is.
- Minimal expectation, meaning just satisfy whatever the BR's say but
beyond that Mozilla won't care(?)
- Passive involvement, meaning a CA is expected to do some investigation
into fraudulent activity but only when prompted and even then, no action
is necessarily expected
- Active involvement, meaning the CA has implemented policies and
procedures that identify and act on situations that appear fraudulent
A question one might ask is "What is reasonable?" It is not reasonable
for CA's to identify and prevent all cases of fraud so I wouldn't ask
that. I wouldn't call CA's the anti-fraud police, either. What about the
- When a CA is notified that a stolen credit card was used to purchase
certs, should the CA investigate the subscriber who used it and any
other certs that were purchased (perhaps using a different CC) and take
Generally, that is entirely an economic matter between the CA, the
subscriber and the credit card clearing house used by the CA. Most CAs
would probably revoke certificates if they suffer a chargeback,
regardless if the CC was stolen or not.
There are common best security practices that frequently prevent CAs
from actually knowing the CC numbers used by subscribers to purchase
- Is it reasonable for any subscriber to request more than 100 certs on
a given day? What about 500? 1000? (The point is not to prohibit large
requests but I would imagine there is a level which exceeds what anyone
might consider a legitimate use case.)
Mass orders from someone who hasn't placed such orders before should be
subject to extra scrutiny as to what is going on (e.g. did we just win
a major legitimate customer from the competition?, is this a new CDN /
hosting provider with overnight success?, is there some other good
reason?). But this may or may not be an area that Mozilla or the BRs
should set a policy for.
- Is is reasonable for a single CA to issue over 150 certs containing
"paypal" in the domain name? (I am referring to the analysis Vincent
Lynch did back in March.) There are undoubtedly cases where including
"paypal" in the name is or could be legitimate, but 150 a day, every day?
I believe this falls under the existing "High Risk Certificate
- Is it reasonable for a CA to issue a cert to the CIA for Yandex or to
the Chinese government for Facebook, even if the requester does
demonstrate "sufficient control" of the domain?
The point I wish to make is that situations will come up that go beyond
anything in the BR's and that reasonable people might agree go beyond a
reasonable level of reasonableness. The question becomes what will
Mozilla do as those situations arise? Can Mozilla envision possibly
asking a CA "don't you think you should have limited <whatever>?"
Here is something that might be added to Mozilla Policy in lieu of
being a BR:
The criteria used by a CA to identify "High Risk Certificate Requests"
as defined by BR 1.6.1 and referenced in BR 4.2.1 shall, at a minimum
include at least, but not only, the following:
- All of the items enumerated in the BR definition of "High Risk
Certificate Request" in BR 1.6.1, even though they may be optional in
the current BRs.
- The Alexa top 1000 unique base domain names, (e.g. if www.mozilla.com
and www.mozilla.org are both in the Alexa top list, they count as only
1 when counting towards the 1000).
- The Following core Internet operational base domain names: iana,
ietf, rfc-editor, internic, icann, example, invalid, root-servers,
- The primary base domain names of all CAB/F members (including mozilla
- The base domain names of all domains operated or "owned" by the CA
- The following names that tend to indicate high value subdomain
hierarchies: gov, com, org, co, ac.
- Anything containing the substring "bank".
- Any IDN domain names whose rendering using any of the well known
standard fonts: "Times Roman", "Courier", "Helvetica", "Arial" is
visually very close to any string of ASCII-only graphical characters.
(It is noted, that this criteria can generally be checked by
compiling a list of UNICODE code points and sequences thereof having
this property on their own, then flagging any IDN name containing only
ASCII plus such sequences).
- Any all-ASCII domain name containing the characters ("1", "L", "i"),
("0", or "o") when a different entity controls the existing domain
formed by interchanging those with others from the same of the two
For example, an application for the domain exampie.com is high risk
from an entity other than the entity controlling exampLe.com. And
Note that "High Risk Certificate Requests" can still be fulfilled,
they just require extra checks of their legitimacy, as per BR 4.2.1.
*From: *Gervase Markham
*Sent: *Tuesday, May 2, 2017 5:46 AM
*To: *Peter Kurrasch; mozilla-dev-security-pol...@lists.mozilla.org
*Subject: *Re: Policy 2.5 Proposal: Remove the bullet about "fraudulent use"
On 02/05/17 01:55, Peter Kurrasch wrote:
I was thinking that fraud takes many forms generally speaking and that
the PKI space is no different. Given that Mozilla (and everyone else)
work very hard to preserve the integrity of the global PKI and that the
PKI itself is an important tool to fighting fraud on the Internet, it
seems to me like it would be a missed opportunity if the policy doc made
no mention of fraud.
Some fraud scenarios that come to mind:
- false representation as a requestor
- payment for cert services using a stolen credit card number
- malfeasance on the part of the cert issuer
Clearly, we have rules for vetting (in particular, EV) which try and
avoid such things happening. It's not like we are indifferent. But
stolen CC numbers, for example, are a factor for which each CA has to
put in place whatever measures they feel appropriate, just as any
business does. It's not really our concern.
- requesting and obtaining certs for the furtherance of fraudulent
Regarding that last item, I understand there is much controversy over
the prevention and remediation of that behavior but I would hope there
is widespread agreement that it does at least exist.
It exists, in the same way that cars are used for bank robbery getaways,
but the Highway Code doesn't mention bank robberies.
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list