> I doubt Let's Encrypt would issue for paypal.any_valid_tld even if CAA would
> permit.

https://paypal.cologne :)

On 13.4.18 00:18, Matthew Hardeman via dev-security-policy wrote:
> Independent of EV, the BRs require that a CA maintain a High Risk
> Certificate Request policy such that certificate requests are scrubbed
> against an internal database or other resources of the CA's discretion.
>
> The examples particularly call out names that may be more likely to be used
> in phishing, etc., names that have previously been revoked, etc.
>
> How is declining issuance or revoking "Stripe, Inc" because of High Risk
> not consistent with that policy? It's noteworthy that the intent appears
> to be security first (from the perspective of protecting relying parties)
> ahead of any right to get a certificate of any sort, much less an EV
> certificate.
>
> It's definitely a name that would be more likely to be used in phishing.
>
> With respect to domain name labels, all CAs maintain high risk lists. I
> doubt Let's Encrypt would issue for paypal.any_valid_tld even if CAA would
> permit.
>
> This appears to be an extension of that kind of scrubbing to other Subject
> DN components.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

