On Fri, Apr 13, 2018 at 11:53 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 13/04/2018 05:56, Ryan Sleevi wrote:
>
>> On Thu, Apr 12, 2018 at 11:40 PM, Matthew Hardeman via
>> dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>> Wow.  I’m impressed.
>>>
>>> Let’s Encrypt by their own declaration and by observed interactions in
>>> their community help forums maintains a high value blacklist of domains.
>>>
>>>
>> This is misrepresenting what is stated.
>>
>>
>> It’s difficult to imagine how that list doesn’t include PayPal but did
>>> include mail.ru.
>>>
>>> Can you repeat that test with, say, microsoft.cologne?
>>>
>>> Just testing a theory...
>>>
>>>
>> I think there's sufficient discussion in the past on such theories that it
>> would seriously detrimental to try to rehash or relitigate - e.g.
>> https://groups.google.com/d/msg/mozilla.dev.security.policy/
>> vMrncPi3tx8/ZOqtG2DBBgAJ
>>
>
> That link does not discuss or answer what practices any real CA uses in
> complying with the high-risk list BR.  The thread that followed
> contained lots of policy discussion, but almost nothing about what any
> real world CA does about the question posed above (are global high risk
> names flagged as high risk when used as 2nd level domains or public
> suffix+1 level domains).
>

While I am thrilled that you viewed all of the links, you will find that
the past discussion of what constitutes a "High Risk Domain" is not at all
aligned with the notion you or Matthew is advocating. I can understand your
desire to understand what "real CAs" do, but that's not at all aligned with
what is required, which is the conversation that matters - as are the
reasons for revocation. The simple answer is "It doesn't matter, because
they're not required to, so stop trying to make it seem like they are" -
and the threads all demonstrate the various flaws with the argument being
made/advocated :)

While I hope it is well-intentioned questioning, the answer is irrelevant
to any of the discussions.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to