On Friday, April 13, 2018 at 2:15:47 PM UTC-7, Matthew Hardeman wrote:
As a parent it is not uncommon for me to have to explain to my children that 
something they ask for is not reasonable. In some cases I joke and say things 
like “well I want a pony” or “and I wish water wasn't wet”.

When I look at arguments that support the idea of name squatting on a the 
internet and trying to solve that problem via the WebPKI I immediately think of 
these conversations with my kids.

The topic of trademark rights has numerous professions dedicated to it combined 
with both international and domestic laws that define the rights, obligations 
and associated dispute resolution processes for claims associated with 
trademarks must use. I do not see how it would be effective or reasonable to 
place CAs as the arbitrator of this. Instead, should there be a trademark 
violation, it seems the existing legal system would be the appropriate way to 
address such concerns.

If we accept that, which seems reasonable to me,  then the question becomes in 
the event of a trademark dispute where should remediation happen. Since the CA 
is not the owner of the trademark or responsible for the registration of the 
name, it seems misplaced to think they should be the initiator of this process. 
Additionally it seems wrong that they would even be the first place you would 
go to if you wanted trademark enforcement, the registration of the name happens 
at the DNS layer and revoking the certificate does not change that the domain 
is still out there.

To that end, ICANN actually has specific policies and procedures on how that 
process is supposed to work (see: 
https://www.icann.org/resources/pages/dispute-resolution-2012-02-25-en). The 
WebPKI ecosystem does not, it is, as has been discussed in this thread 
effectively acting arbitrarily when revoking for Trademark infringement.

Based on the above, it seems clear to me the only potentially reasonable 
situation a CA should revoked on the basis of the outcome of Trademark claim 
through the aforementioned processes.

To the topic of revoking a certificate because it is “deceiving”; this idea 
sounds a lot like book burning to me 
(https://www.ushmm.org/wlc/en/article.php?ModuleId=10005852). 

```
Book burning refers to the ritual destruction by fire of books or other written 
materials. Usually carried out in a public context, the burning of books 
represents an element of censorship and usually proceeds from a cultural, 
religious, or political opposition to the materials in question.
```

This is a great example of that, what we have here is a legitimate business 
publishing information into the public domain that some people find offensive. 
Those people happen to control the doors to the library and have used that fact 
to censor that information so others can not access it.

As a technologist who has spent a good chunk of his career working to secure 
the internet and make it more accessible this give me great pause and if you 
don’t come to the same conclusion I suggest you take a few minutes to look at 
how many CAs are operated by or in countries who have a bad history of freedom 
of speech.

I strongly hope that Mozilla, and the other browsers, take a hard look at the 
topic of how CAs are expected to handle cases like this. The current situation 
may have been acceptable 10 years ago but as we approach 100% encryption on the 
web do we really want the WebPKI to be used as a censorship tool?

Ryan Hurst
(Speaking as an individual)
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to