It could raise legal issues for a CA to refuse to revoke an obvious phishing domain after notice that it is fraudulent, or at least after notice that it's actually being used to defraud.

For example, Calif. Penal Code s.530.5 says:

   (d)(2) Every person who, with _actual knowledge_ that the personal
   identifying information, as defined in subdivision (b) of Section
   530.55, of a specific person will be used to commit a violation of
   subsection (a), sells, transfers, _or conveys_ that same personal
   identifying information is guilty of a public offense....

(emphasis added). Does a CA "convey[]" "personal identifying information" if it leaves unrevoked, after notice, a certificate for a domain that is being used to phish bank credentials?

Subdivision (a), in turn, makes it a public offense to "willfully obtain[] personal identifying information, as defined in subdivision (b) of Section 530.55, of another person, and use[] that information for any unlawful purpose...".  (This would seem to cover actual phishing of bank credentials).

And section 530.55 says:

   (a) For purposes of this chapter, "person" means a natural
   person,...organization...company, corporation....

   (b) For purposes of this chapter, "personal identifying information"
   means any _name_, ..._unique electronic data including information
   identification number assigned to that person, address or routing
   code, telecommunications identifying information...or an equivalent
   form of identification._

(emphasis added). In this context "telecommunications identifying information...or an equivalent form of identification" would seem to include a phishy domain.

This seems like iffy territory.

This is not legal advice. Consult your favorite lawyer for that.

-R

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy