On Friday, April 13, 2018 at 2:15:47 PM UTC-7, Matthew Hardeman wrote:

As a parent it is not uncommon for me to have to explain to my children that something they ask for is not reasonable. In some cases I joke and say things like “well I want a pony” or “and I wish water wasn't wet”.
When I look at arguments that support the idea of name squatting on the internet and trying to solve that problem via the WebPKI, I immediately think of these conversations with my kids.

The topic of trademark rights has numerous professions dedicated to it, combined with both international and domestic laws that define the rights, obligations and associated dispute resolution processes that claims associated with trademarks must use. I do not see how it would be effective or reasonable to place CAs as the arbitrator of this. Instead, should there be a trademark violation, it seems the existing legal system would be the appropriate way to address such concerns.

If we accept that, which seems reasonable to me, then the question becomes: in the event of a trademark dispute, where should remediation happen? Since the CA is not the owner of the trademark or responsible for the registration of the name, it seems misplaced to think they should be the initiator of this process. Additionally, it seems wrong that they would even be the first place you would go to if you wanted trademark enforcement; the registration of the name happens at the DNS layer, and revoking the certificate does not change that the domain is still out there.

To that end, ICANN actually has specific policies and procedures on how that process is supposed to work (see: https://www.icann.org/resources/pages/dispute-resolution-2012-02-25-en). The WebPKI ecosystem does not; it is, as has been discussed in this thread, effectively acting arbitrarily when revoking for trademark infringement.

Based on the above, it seems clear to me that the only potentially reasonable situation is one in which a CA revokes on the basis of the outcome of a trademark claim through the aforementioned processes.

To the topic of revoking a certificate because it is “deceiving”: this idea sounds a lot like book burning to me (https://www.ushmm.org/wlc/en/article.php?ModuleId=10005852).
```
Book burning refers to the ritual destruction by fire of books or other written materials. Usually carried out in a public context, the burning of books represents an element of censorship and usually proceeds from a cultural, religious, or political opposition to the materials in question.
```

This is a great example of that: what we have here is a legitimate business publishing information into the public domain that some people find offensive. Those people happen to control the doors to the library and have used that fact to censor that information so others cannot access it.

As a technologist who has spent a good chunk of his career working to secure the internet and make it more accessible, this gives me great pause, and if you don’t come to the same conclusion I suggest you take a few minutes to look at how many CAs are operated by or in countries who have a bad history of freedom of speech.

I strongly hope that Mozilla, and the other browsers, take a hard look at the topic of how CAs are expected to handle cases like this. The current situation may have been acceptable 10 years ago, but as we approach 100% encryption on the web, do we really want the WebPKI to be used as a censorship tool?

Ryan Hurst (Speaking as an individual)

