On 8/14/2020 1:17 PM, Tobias S. Josefowitz via dev-security-policy wrote:
> On Fri, Aug 14, 2020 at 9:52 PM Ronald Crane via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>> It could raise legal issues for a CA to refuse to revoke an obvious
>> phishing domain after notice that it is fraudulent, or at least after
>> notice that it's actually being used to defraud.
>>
>> For example, Calif. Penal Code s.530.5 says:
>>
>> (d)(2) Every person who, with _actual knowledge_ that the personal
>> identifying information, as defined in subdivision (b) of Section
>> 530.55, of a specific person will be used to commit a violation of
>> subsection (a), sells, transfers, _or conveys_ that same personal
>> identifying information is guilty of a public offense....
>>
>> (emphasis added). Does a CA "convey[]" "personal identifying
>> information" if it leaves unrevoked, after notice, a certificate for a
>> domain that is being used to phish bank credentials?
>
> IANAL. Yet, that sounds at best very far-fetched regarding the
> conveying, and then even if, the "actual knowledge" regarding the
> "specific person" would not have been the case at the time of the very
> constructed "conveying".

If a CA "conveys" (or "transfers") by not revoking after notice (which
gives "actual knowledge" that the "specific person" (that is, the legit
site) is being impersonated), then there seems to be a problem. If a CA
does not revoke after notice of actual fraudulent use, they have a bad
fact pattern to defend. "Your honor! The BRs don't require it!" is
pretty weak tea in this context.
Why not just do the right thing?
-R
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy