On 13.4.18 00:18, Matthew Hardeman via dev-security-policy wrote:
> Independent of EV, the BRs require that a CA maintain a High Risk
> Certificate Request policy such that certificate requests are scrubbed
> against an internal database or other resources of the CA's discretion.
> The examples particularly call out names that may be more likely to be used
> in phishing, etc., names that have previously been revoked, etc.
> How is declining issuance or revoking "Stripe, Inc" because of High Risk
> not consistent with that policy? It's noteworthy that the intent appears
> to be security first (from the perspective of protecting relying parties)
> ahead of any right to get a certificate of any sort, much less an EV
> It's definitely a name that would be more likely to be used in phishing.
> With respect to domain name labels, all CAs maintain high risk lists. I
> doubt Let's Encrypt would issue for paypal.any_valid_tld even if CAA would
> This appears to be an extension of that kind of scrubbing to other Subject
> DN components.
> dev-security-policy mailing list