On Mon, Jan 14, 2019 at 5:45 PM Wayne Thayer via dev-security-policy < [email protected]> wrote:
> Am I wrong to expect US CAs to be monitoring OFAC sanctions lists?
> Otherwise they would risk violating the typical "comply with applicable
> law" stipulation in section 9 of their CPSs.

I'm concerned that such a policy interpretation would necessarily imply that the CA, in the routine course, might need to have an assertion as to the individual / organization requesting or benefitting from the certificate. While Let's Encrypt allows account registration to be attached to an email address, I'm pretty sure they don't require it.

I'm working from the assumption that the CAs in the US are following a "most-conservative approach" legal guidance in determining whether or not a given certificate that they might issue or may have issued constitutes a covered dealing as defined in the various sanctions orders and laws (which are numerous).

In the strictest literal sense, a CA is performing a service (as in performing work upon the request of a party) at the behest of a certificate requestor / subscriber -- who might in fact be unrelated to the ownership of the DNS name which is incorporated in the certificate (providing the requestor can succeed at validation). This would suggest that providing service for the wrong requestor might be of more significance to the sanctions rules than whether or not the target website mentioned in the certificate is owned or operated by a sanctioned entity.

There's also a reasonable case to be made that providing OCSP status information over an unrelated third party's certificate, to and/or upon the request of a sanctioned entity, might be construed as providing service to a sanctioned entity.

I suppose my concern is that, generally speaking, DNS names aren't sanctioned. Entities are. But in a domain validation environment, is it reasonable to suggest that CAs pull in lists of entities and then monitor these for domain names, the provenance of said domain names having not even been required and/or established in the course of issuance?
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

