On 13/04/2018 19:18, Ryan Sleevi wrote:
On Fri, Apr 13, 2018 at 1:13 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

Possible outcomes of such an investigation:

1. That CA does not consider paypal to be a high risk name.  This is
   within their right, though unexpected.

It's not at all unexpected. I just explained to you precisely how and why
it's expected. Everything else you said is irrelevant because of that :)

You have made no statement (and referred to no statement) on behalf of
that CA indicating that *their* practice would not list the frequently
phished global Paypal brand as a high risk name.  (Or not do anything
effective about such names).

All you have done is referenced lots of discussions about the limited
extent of the BR obligation to do anything about high risk names, which
I have acknowledged by stating that it would be within their rights.

If that CA has a practice that they actually do something about high
risk names, it would still be expected (in the normal, not legal,
sense of the word) for that CA to include PayPal on their list of
such names.

But just to please your pedantry, I will add two additional outcome

-1. Thay CA does not really check for high risk names at all.  This
  might be permitted by some readings of BR 4.2.1 / Ballot 78.

0. That CA uses a form of "additional scrutiny" for "High Risk
  Certificate Requests" which is sufficiently weak as to still allow
  this proof of concept incident.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list

Reply via email to