On Thu, Apr 12, 2018 at 9:45 AM, Ryan Sleevi <r...@sleevi.com> wrote:

>
>
> On Thu, Apr 12, 2018 at 12:32 PM, Wayne Thayer <wtha...@mozilla.com>
> wrote:
>
>> On Thu, Apr 12, 2018 at 8:10 AM, Ryan Sleevi via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>>> Indeed, I find it concerning that several CAs were more than happy to
>>> take
>>> Ian's money for the issuance, but then determined (without apparent cause
>>> or evidence) to revoke the certificate. Is there any evidence that this
>>> certificate was misissued - that the information was not correct? Is
>>> there
>>> evidence that Ian, as Subscriber, or stripe.ian.sh, as domain holder,
>>> requested this certificate to be revoked?
>>>
>>> If anything, this highlights the deeply concerning practices of
>>> revocation
>>> by CAs, and their ability to disrupt services of legitimate businesses.
>>>
>> BR 4.9.1.1 states that a CA SHALL revoke a certificate within 24 hours
>> if "The CA determines that any of the information appearing in the
>> Certificate is inaccurate or misleading" I'm sympathetic to the arguments
>> being made here, but the whole point of this discussion is that the EV
>> information presented to users is misleading, so these CAs did what was
>> required of them.
>>
>
> In what way is it misleading though? It fully identified the organization
> that exists, which is a legitimate organization. Thus, the information that
> appears within the certificate itself is not misleading - and I don't think
> 4.9.1.1 applies.
>
I would refer you to your email, kicking off the 150+ message thread on
this topic back in December, that included these statements:

"...and more importantly, how easy it is to obtain certificates that may
confuse or mislead users"
"given the ability to provide accurate-but-misleading information in EV
certificates,..."

https://groups.google.com/d/msg/mozilla.dev.security.policy/szD2KBHfwl8/kWLDMfPhBgAJ

> Or are we saying it's misleading because some browsers only display a
> portion of that information in their security UI? If so, is that a failure
> of the security UI (for not showing all the information present)? Or is the
> argument that it's misleading if any two entities share the same O and C
> (the information displayed)? Is it still misleading if the Cs differ? If
> this is the vein to take, should CAs then be responsible for examining CT
> (or other sources) to determine if two organizations share the same (or
> similar?) names, regardless of incorporation location, and refuse to issue
> if there is an extant cert for a different organization? Or we can continue
> taking the argument further, by suggesting that if a smaller organization
> gets the cert first, they could find their cert revoked if a more 'popular'
> organization with the same name wants a cert instead.
>
> In the DNS space, this is an extremely complex, nuanced issue, with the
> whole Uniform Domain-Name Dispute Resolution Policy established, in part,
> to try to put parties on semi-equitable footing. The current approach being
> taken by CAs lacks that, lacks the transparency, and lacks the neutrality -
> all things one would expect from such policies.
>

I agree with this, but the current approach taken by CAs is defined in the
BRs, so pointing fingers at individual CAs is not the solution. Based on
this argument, the requirement to revoke when a certificate contains
misleading information should be removed from the BRs.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy