On Thu, Apr 12, 2018 at 12:32 PM, Wayne Thayer <wtha...@mozilla.com> wrote:
> On Thu, Apr 12, 2018 at 8:10 AM, Ryan Sleevi via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> Indeed, I find it concerning that several CAs were more than happy to take >> Ian's money for the issuance, but then determined (without apparent cause >> or evidence) to revoke the certificate. Is there any evidence that this >> certificate was misissued - that the information was not correct? Is there >> evidence that Ian, as Subscriber, or stripe.ian.sh, as domain holder, >> requested this certificate to be revoked? >> >> If anything, this highlights the deeply concerning practices of revocation >> by CAs, and their ability to disrupt services of legitimate businesses. >> >> BR 4.9.1.1 states that a CA SHALL revoke a certificate within 24 hours if > "The CA determines that any of the information appearing in the > Certificate is inaccurate or misleading" I'm sympathetic to the arguments > being made here, but the whole point of this discussion is that the EV > information presented to users is misleading, so these CAs did what was > required of them. > In what way is it misleading though? It fully identified the organization that exists, which is a legitimate organization. Thus, the information that appears within the certificate itself is not misleading - and I don't think 4.9.1.1 applies. Or are we saying it's misleading because some browsers only display a portion of that information in their security UI? If so, is that a failure of the security UI (for not showing all the information present)? Or is the argument that it's misleading if any two entities share the same O and C (the information displayed)? Is it still misleading if the Cs differ? If this is the vein to take, should CAs then be responsible for examining CT (or other sources) to determine if two organizations share the same (or similar?) names, regardless of incorporation location, and refuse to issue if there is an extant cert for a different organization? Or we can continue taking the argument further, by suggesting that if a smaller organization gets the cert first, they could find their cert revoked if a more 'popular' organization with the same name wants a cert instead. In the DNS space, this is an extremely complex, nuanced issue, with the whole Uniform Domain-Name Dispute Resolution Policy established, in part, to try to put parties on semi-equitable footing. The current approach being taken by CAs lacks that, lacks the transparency, and lacks the neutrality - all things one would expect from such policies. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
