Independent of EV, the BRs require that a CA maintain a High Risk
Certificate Request policy such that certificate requests are scrubbed
against an internal database or other resources of the CA's discretion.

The examples particularly call out names that may be more likely to be used
in phishing, etc., names that have previously been revoked, etc.

How is declining issuance or revoking "Stripe, Inc" because of High Risk
not consistent with that policy?  It's noteworthy that the intent appears
to be security first (from the perspective of protecting relying parties)
ahead of any right to get a certificate of any sort, much less an EV

It's definitely a name that would be more likely to be used in phishing.

With respect to domain name labels, all CAs maintain high risk lists.  I
doubt Let's Encrypt would issue for paypal.any_valid_tld even if CAA would

This appears to be an extension of that kind of scrubbing to other Subject
DN components.
dev-security-policy mailing list
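Added illustration (not part of the post above, and not any CA's actual tooling): a small screening routine of the kind the message describes, checking a request's Subject organization and dNSNames against a CA-maintained high-risk list and a list of previously revoked names. The term lists, the confusable-character mapping, the legal-suffix list and the edit-distance threshold are all assumptions constructed for the example; a real CA's High Risk Certificate Request policy would draw on its own internal database.

```python
"""Constructed example of high-risk certificate request screening.

Scrubs the Subject O component and each dNSName of a request against a
hypothetical high-risk term list (brand names likely to be used in
phishing) and a hypothetical list of names previously revoked.  Returns
reasons for manual review; an empty list means nothing was flagged.
"""
import re

# Constructed sample high-risk terms (hypothetical, not any CA's list).
HIGH_RISK_TERMS = {"stripe", "paypal", "bankofexample"}

# Constructed sample of names previously revoked for misuse (hypothetical).
PREVIOUSLY_REVOKED = {"secure-login-update.example"}

# Fold common digit-for-letter substitutions back to letters so that
# labels like "paypa1" or "str1pe" are compared against the brand terms.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Legal-form suffixes dropped before comparing the organization name.
_ORG_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "gmbh", "plc"}


def normalize_org(org):
    """Lowercase the O component, strip punctuation and legal suffixes."""
    tokens = re.findall(r"[a-z0-9]+", org.lower())
    return " ".join(t for t in tokens if t not in _ORG_SUFFIXES)


def _levenshtein(a, b):
    """Plain edit distance, used to catch one-character near misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_high_risk_term(token):
    """Return the high-risk term a label or token resembles, or None."""
    folded = token.translate(_CONFUSABLES)
    for term in HIGH_RISK_TERMS:
        if term in folded:
            return term
        # Assumed threshold: one edit away counts for tokens of 5+ chars,
        # which keeps short tokens like "org" from producing noise.
        if len(folded) >= 5 and _levenshtein(folded, term) <= 1:
            return term
    return None


def screen_request(org, dns_names):
    """Return the reasons a request needs manual review (empty = clear)."""
    reasons = []
    for tok in normalize_org(org).split():
        term = match_high_risk_term(tok)
        if term:
            reasons.append(f"subject O '{org}' resembles high-risk term '{term}'")
    for name in dns_names:
        lname = name.lower().rstrip(".")
        if lname in PREVIOUSLY_REVOKED:
            reasons.append(f"dNSName '{name}' was previously revoked")
        for label in lname.split("."):
            # Hyphenated labels are split so "secure-paypal-login" is caught.
            for part in label.split("-"):
                term = match_high_risk_term(part)
                if term:
                    reasons.append(f"dNSName '{name}' label '{label}' resembles '{term}'")
                    break
    return reasons


if __name__ == "__main__":
    for org, names in [
        ("Stripe, Inc", []),
        ("Example Org", ["paypal.example", "secure-paypa1-login.example"]),
        ("Example Org", ["example.org"]),
    ]:
        print(org, names, "->", screen_request(org, names) or "clear")
```

The point of the routine is that the decision is taken before issuance and on the request as a whole: the organization name is scrubbed with the same list as the domain labels, so a Subject DN that happens to be a legitimately registered company name still lands in manual review when it collides with a high-risk term.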