On Mon, Apr 16, 2018 at 3:22 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> If that CA has a practice that they actually do something about high
> risk names, it would still be expected (in the normal, not legal,
> sense of the word) for that CA to include PayPal on their list of
> such names.

If you expect that, you're absolutely wrong for expecting that, because
that's not what a High Risk Request is.

You can't simply ignore the very definition and requirements and attempt to
argue it should be anything.

> But just to please your pedantry, I will add two additional outcome
> options:
> -1. Thay CA does not really check for high risk names at all.  This
>   might be permitted by some readings of BR 4.2.1 / Ballot 78.

It absolutely is permitted, and not a negative. Your expectations are
wrong, and you should adjust them, because they're not based in reality.

> 0. That CA uses a form of "additional scrutiny" for "High Risk
>   Certificate Requests" which is sufficiently weak as to still allow
>   this proof of concept incident.

It's not sufficiently weak, for any sense, because it's not defined what
weak or strong is.
dev-security-policy mailing list

Reply via email to