On 13/04/2018 05:56, Ryan Sleevi wrote:
On Thu, Apr 12, 2018 at 11:40 PM, Matthew Hardeman via dev-security-policy <
[email protected]> wrote:

Wow.  I’m impressed.

Let’s Encrypt by their own declaration and by observed interactions in
their community help forums maintains a high value blacklist of domains.


This is misrepresenting what is stated.


It’s difficult to imagine how that list doesn’t include PayPal but did
include mail.ru.

Can you repeat that test with, say, microsoft.cologne?

Just testing a theory...


I think there's sufficient discussion in the past on such theories that it
would be seriously detrimental to try to rehash or relitigate - e.g.
https://groups.google.com/d/msg/mozilla.dev.security.policy/vMrncPi3tx8/ZOqtG2DBBgAJ

That link does not discuss or answer what practices any real CA uses in
complying with the high-risk list BR.  The thread that followed
contained lots of policy discussion, but almost nothing about what any
real world CA does about the question posed above (are global high risk
names flagged as high risk when used as 2nd level domains or public
suffix+1 level domains).

The thread did mention that at least one CA was actually doing the high
risk names checks suggested by the BRs, but not if that CA looked for
global high risk names in TLDs where those may not yet be established.

or
https://groups.google.com/d/msg/mozilla.dev.security.policy/xprGXlZb1xM/PlhtjyyRA_wJ

That thread from 2011 started by asking the right questions, but all the
answers were speculative what-if and what-should posts, none about what
any real CA actually did at any time.

or
https://groups.google.com/d/msg/mozilla.dev.security.policy/4Xy1Q6PHA7Y/a8Lp442OCAAJ

That thread starts out by discussing a specific Slashdot blaming of
Let's Encrypt for unspecified phishing sites and devolved into yet
another discussion about if CAs should refuse malicious websites in
general.  It doesn't discuss the question at hand about global brands
and 2nd level domains etc.

or
https://groups.google.com/d/msg/mozilla.dev.security.policy/w5EmcPrudhs/rC9EhJthAgAJ

Another thread about general policy, nothing about if any specific CA is
checking 2nd level domains against their internal lists of high risk
domain names that are global in nature.


or ... you get the idea. Continuing to beat the dead horse is not doing
science, nor will it make the horse an interesting conversation starter.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
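The question Jakob keeps returning to above (whether a CA's high-risk name check matches a global brand when it appears as the public suffix+1 label under an arbitrary TLD such as .cologne, versus only as a deeper subdomain label) can be made concrete with a small check. The following is an added example, not code from this thread, from Let's Encrypt, or from any CA; its public-suffix table and high-risk label list are constructed placeholders, and the function names are assumptions.

```python
# Added example (not from the thread or any CA): a CA-side "high-risk name"
# check that looks at where a brand label sits in a requested FQDN, so that
# "microsoft.cologne" is treated the same as "microsoft.com".
#
# Both tables below are constructed for illustration. A real deployment would
# load the Public Suffix List and the CA's own high-risk list instead.
PUBLIC_SUFFIXES = {"com", "ru", "cologne", "co.uk"}      # constructed subset
HIGH_RISK_LABELS = {"paypal", "microsoft", "mail"}       # constructed, illustrative


def registrable_domain(fqdn: str):
    """Return (label, public_suffix) for the public-suffix+1 part of fqdn.

    The longest matching suffix wins, so 'www.example.co.uk' yields
    ('example', 'co.uk'). Returns None when fqdn is itself a public suffix
    or no suffix in the table matches.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix (whole name) to the shortest (TLD).
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and i > 0:
            return labels[i - 1], suffix
    return None


def check_name(fqdn: str):
    """Classify a requested name against the high-risk list.

    Returns:
      "registrable-label" - the brand is the public-suffix+1 label itself
                            (e.g. mail.ru, microsoft.cologne, www.paypal.com);
      "subdomain-label"   - the brand appears only as a deeper label
                            (e.g. paypal.example.com);
      None                - no high-risk label found.
    Flagging is routed to manual review in practice; this only decides whether.
    """
    parts = registrable_domain(fqdn)
    if parts is None:
        return None
    label, suffix = parts
    if label in HIGH_RISK_LABELS:
        return "registrable-label"
    # Labels to the left of the registrable domain, e.g. ["paypal"] for
    # paypal.example.com.
    prefix = fqdn.lower().rstrip(".").split(".")
    deeper = prefix[: len(prefix) - len(suffix.split(".")) - 1]
    if any(part in HIGH_RISK_LABELS for part in deeper):
        return "subdomain-label"
    return None


if __name__ == "__main__":
    # Constructed sample requests, covering the cases raised in the thread.
    for name in ["mail.ru", "microsoft.cologne", "www.paypal.com",
                 "paypal.example.com", "example.com", "com"]:
        print(f"{name:22} -> {check_name(name)}")
```

The point of splitting the result into "registrable-label" and "subdomain-label" is that the two outcomes are what the thread is asking CAs to disclose: a check that only inspects labels beneath an exact brand domain will never see `microsoft.cologne`, whereas comparing the public-suffix+1 label itself catches the brand under any TLD the suffix table knows about.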
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy