On 14/12/17 00:25, Tim Hollebeek via dev-security-policy wrote:
> If you look at where the HTTPS phishing certificates come from, they come
> almost entirely from Let's Encrypt and Comodo.
>
> This is perhaps the best argument in favor of distinguishing between CAs
> that care about phishing and those that don't.

Tim,

We reject certificate requests for sites that are already known to engage in phishing, and we revoke (for all the good that does) certificates for sites that are subsequently discovered to have engaged in phishing.

IIUC, you're saying that "CAs that care about phishing" are ~100% successful at avoiding issuing certs to phishing sites. If so, that's great! Perhaps you could help us to become one of the "CAs that care about phishing" by sharing your crystal ball technology with us, so that we too can avoid issuing certs to sites that subsequently engage in phishing?

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
