> On Aug 13, 2020, at 11:04 AM, Tobias S. Josefowitz via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> On Thu, Aug 13, 2020 at 7:20 PM Paul Walsh via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>>
>> "Every domain should be allowed to have a certificate ***regardless of intent***."
>>
>> They are the most outrageously irresponsible words that I've heard in my career on the web since 1996 when I was at AOL, and sadly, I've heard them more than once. I just can't get my head around it. To me, those words are akin to someone saying that masks, Bill Gates, 5G and vaccinations are all dangerous - totally stupid and not in the best interest of society.
>
> So in your opinion, what is wrong with every domain being allowed to have a certificate? What are your opinions on every domain being allowed TCP connections, IP addresses, its domain itself, and electricity? Is the certificate somehow standing out in your opinion? Why should it? If it was so easy for CAs to detect problematic domains, why isn't it for the domain registries/registrars? Why isn't the domain itself the problem but somehow the certificate is?

[PW] Good questions. Perhaps you could answer mine first? That is, why would a company not want to reduce the risk of their service being abused? Asking me to explain why they should seems counterproductive. It's like asking me why I should stop a man from kicking a child in the head. Answer = it's the right thing to do, even if I don't have to.

"Why isn't it for the domain registries/registrars". They should all try to reduce the risk of malicious domains being registered, and/or react when someone complains about abuse. When a domain is proven to be used for malicious activity it's generally taken down - at least by companies that play fair. Some types of TLDs are even regulated to the point where you can't buy a domain unless you have your identity verified.

By deflecting the conversation to other stakeholders you're participating in "whataboutism". Let's stick to why any company should not try to reduce the risk of abuse.

- Paul

>
> Tobi
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy