On Fri, Aug 14, 2020 at 9:52 PM Ronald Crane via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> It could raise legal issues for a CA to refuse to revoke an obvious
> phishing domain after notice that it is fraudulent, or at least after
> notice that it's actually being used to defraud.
>
> For example, Calif. Penal Code s.530.5 says:
>
> (d)(2) Every person who, with _actual knowledge_ that the personal
> identifying information, as defined in subdivision (b) of Section
> 530.55, of a specific person will be used to commit a violation of
> subsection (a), sells, transfers, _or conveys_ that same personal
> identifying information is guilty of a public offense....
>
> (emphasis added). Does a CA "convey[]" "personal identifying
> information" if it leaves unrevoked, after notice, a certificate for a
> domain that is being used to phish bank credentials?
IANAL. Yet, that sounds at best very far-fetched regarding the conveying, and then, even if it were, the "actual knowledge" regarding the "specific person" would not have been the case at the time of the very constructed "conveying".

> This seems like iffy territory.

That, however, is very true; just take a few minutes to sit back, relax, and appreciate how many things are perfectly legal maybe in most jurisdictions of the world, but not in all of them. Maybe we should not pry open Pandora's box here.

Tobi

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy