On Fri, Apr 13, 2018 at 11:53 AM, Jakob Bohm via dev-security-policy <[email protected]> wrote:

> On 13/04/2018 05:56, Ryan Sleevi wrote:
>
>> On Thu, Apr 12, 2018 at 11:40 PM, Matthew Hardeman via
>> dev-security-policy <[email protected]> wrote:
>>
>>> Wow. I’m impressed.
>>>
>>> Let’s Encrypt by their own declaration and by observed interactions in
>>> their community help forums maintains a high value blacklist of domains.
>>
>> This is misrepresenting what is stated.
>>
>>> It’s difficult to imagine how that list doesn’t include PayPal but did
>>> include mail.ru.
>>>
>>> Can you repeat that test with, say, microsoft.cologne?
>>>
>>> Just testing a theory...
>>
>> I think there's sufficient discussion in the past on such theories that it
>> would be seriously detrimental to try to rehash or relitigate - e.g.
>> https://groups.google.com/d/msg/mozilla.dev.security.policy/vMrncPi3tx8/ZOqtG2DBBgAJ
>
> That link does not discuss or answer what practices any real CA uses in
> complying with the high-risk list BR. The thread that followed
> contained lots of policy discussion, but almost nothing about what any
> real world CA does about the question posed above (are global high risk
> names flagged as high risk when used as 2nd level domains or public
> suffix+1 level domains).

While I am thrilled that you viewed all of the links, you will find that the past discussion of what constitutes a "High Risk Domain" is not at all aligned with the notion you or Matthew is advocating.

I can understand your desire to understand what "real CAs" do, but that's not at all aligned with what is required, which is the conversation that matters - as are the reasons for revocation.

The simple answer is "It doesn't matter, because they're not required to, so stop trying to make it seem like they are" - and the threads all demonstrate the various flaws with the argument being made/advocated :)

While I hope it is well-intentioned questioning, the answer is irrelevant to any of the discussions.

