On Thu, Apr 12, 2018 at 9:45 AM, Ryan Sleevi <r...@sleevi.com> wrote:

> On Thu, Apr 12, 2018 at 12:32 PM, Wayne Thayer <wtha...@mozilla.com>
> wrote:
>> On Thu, Apr 12, 2018 at 8:10 AM, Ryan Sleevi via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>> Indeed, I find it concerning that several CAs were more than happy to
>>> take
>>> Ian's money for the issuance, but then determined (without apparent cause
>>> or evidence) to revoke the certificate. Is there any evidence that this
>>> certificate was misissued - that the information was not correct? Is
>>> there
>>> evidence that Ian, as Subscriber, or stripe.ian.sh, as domain holder,
>>> requested this certificate to be revoked?
>>> If anything, this highlights the deeply concerning practices of
>>> revocation
>>> by CAs, and their ability to disrupt services of legitimate businesses.
>>> BR states that a CA SHALL revoke a certificate within 24 hours
>> if "The CA determines that any of the information appearing in the
>> Certificate is inaccurate or misleading" I'm sympathetic to the arguments
>> being made here, but the whole point of this discussion is that the EV
>> information presented to users is misleading, so these CAs did what was
>> required of them.
> In what way is it misleading though? It fully identified the organization
> that exists, which is a legitimate organization. Thus, the information that
> appears within the certificate itself is not misleading - and I don't think
> applies.
> I would refer you to your email, kicking off the 150+ message thread on
this topic back in December, that included these statements:

"...and more importantly, how easy it is to obtain certificates that may
confuse or mislead users"
"given the ability to provide accurate-but-misleading information in EV


Or are we saying it's misleading because some browsers only display a
> portion of that information in their security UI? If so, is that a failure
> of the security UI (for not showing all the information present)? Or is the
> argument that it's misleading if any two entities share the same O and C
> (the information displayed)? Is it still misleading if the Cs differ? If
> this is the vein to take, should CAs then be responsible for examining CT
> (or other sources) to determine if two organizations share the same (or
> similar?) names, regardless of incorporation location, and refuse to issue
> if there is an extant cert for a different organization? Or we can continue
> taking the argument further, by suggesting that if a smaller organization
> gets the cert first, they could find their cert revoked if a more 'popular'
> organization with the same name wants a cert instead.
> In the DNS space, this is an extremely complex, nuanced issue, with the
> whole Uniform Domain-Name Dispute Resolution Policy established, in part,
> to try to put parties on semi-equitable footing. The current approach being
> taken by CAs lacks that, lacks the transparency, and lacks the neutrality -
> all things one would expect from such policies.

I agree with this, but the current approach taken by CAs is defined in the
BRs, so pointing fingers at individual CAs is not the solution. Based on
this argument, the requirement to revoke when a certificate contains
misleading information should be removed from the BRs.
dev-security-policy mailing list

Reply via email to