It could raise legal issues for a CA to refuse to revoke an obvious
phishing domain after notice that it is fraudulent, or at least after
notice that it's actually being used to defraud.
For example, Calif. Penal Code s.530.5 says:
(d)(2) Every person who, with _actual knowledge_ that the personal
identifying information, as defined in subdivision (b) of Section
530.55, of a specific person will be used to commit a violation of
subsection (a), sells, transfers, _or conveys_ that same personal
identifying information is guilty of a public offense....
(emphasis added). Does a CA "convey[]" "personal identifying
information" if it leaves unrevoked, after notice, a certificate for a
domain that is being used to phish bank credentials?
Subdivision (a), in turn, makes it a public offense to "willfully
obtain[] personal identifying information, as defined in subdivision
(b) of Section 530.55, of another person, and use[] that information for
any unlawful purpose...". (This would seem to cover actual phishing of
bank credentials.)
And section 530.55 says:
(a) For purposes of this chapter, "person" means a natural
person,...organization...company, corporation....
(b) For purposes of this chapter, "personal identifying information"
means any _name_, ..._unique electronic data including information
identification number assigned to that person, address or routing
code, telecommunications identifying information...or an equivalent
form of identification._
(emphasis added). In this context "telecommunications identifying
information...or an equivalent form of identification" would seem to
include a phishy domain.
This seems like iffy territory.
This is not legal advice. Consult your favorite lawyer for that.
-R
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy