As far as I've seen there's no notion of "shall issue" or "must issue" in
any of the guidelines.

In other words, it would appear that CAs are free to restrict issuance or
restrict use and validity of EV certificates (or any other certificates,
for that matter) if they so choose.

Mr. Carroll may have a commercial dispute between himself or his entity and
the CAs, but that's a routine commercial dispute.  It appears likely that
the terms of engagement with most of the commercial CAs would grant the CA
cover to revoke if they find the certificate or its use to be perverse to
security or likely to cause risk, etc.

Is there a censorship aspect there?  Perhaps.  As has been noted before,
however, we're forced to tolerate that from Microsoft anyway.

On Thu, Apr 12, 2018 at 10:10 AM, Ryan Sleevi <> wrote:

> Indeed, I find it concerning that several CAs were more than happy to take
> Ian's money for the issuance, but then determined (without apparent cause
> or evidence) to revoke the certificate. Is there any evidence that this
> certificate was misissued - that the information was not correct? Is there
> evidence that Ian, as Subscriber, or, as domain holder,
> requested this certificate to be revoked?
> If anything, this highlights the deeply concerning practices of revocation
> by CAs, and their ability to disrupt services of legitimate businesses.
> On Thu, Apr 12, 2018 at 10:20 AM, Eric Mill via dev-security-policy <
>> wrote:
>> I'll go further, and protest why the EV cert was revoked. Why can't Ian
>> have a "Stripe, Inc." EV certificate for his business if he wants to? What
>> makes the payment processing company somehow more deserving of one than
>> Ian's company? Why was GoDaddy allowed to effectively take Ian's site down
>> without his consent?
>> If this is how EV is going to be handled, I think it's time to seriously
>> discuss removing the display of EV information from Mozilla products.
>> -- Eric
>> On Wed, Apr 11, 2018 at 3:31 PM, Jonathan Rudenberg via
>> dev-security-policy
>> <> wrote:
>> > On Wed, Apr 11, 2018, at 15:27, Matthew Hardeman via dev-security-policy
>> > wrote:
>> > > It was injudicious of a CA to issue another certificate in this name
>> for
>> > > this entity after the already well documented controversy.  Did they
>> just
>> > > not care that it would invite trouble or did they not know that it
>> would
>> > > invite controversy and trouble because they didn't track it the first
>> > time
>> > > around?
>> >
>> > What "trouble" is being invited? I don't see a problem. Everything is
>> > operating exactly as expected. GoDaddy did nothing wrong.
>> > _______________________________________________
>> > dev-security-policy mailing list
>> >
>> >
>> >
>> --
>> | @konklone <>
>> _______________________________________________
>> dev-security-policy mailing list
dev-security-policy mailing list

Reply via email to