On 8/14/2020 1:17 PM, Tobias S. Josefowitz via dev-security-policy wrote:
> On Fri, Aug 14, 2020 at 9:52 PM Ronald Crane via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
> > It could raise legal issues for a CA to refuse to revoke an obvious
> > phishing domain after notice that it is fraudulent, or at least after
> > notice that it's actually being used to defraud.
> >
> > For example, Calif. Penal Code s.530.5 says:
> >
> >      (d)(2) Every person who, with _actual knowledge_ that the personal
> >      identifying information, as defined in subdivision (b) of Section
> >      530.55, of a specific person will be used to commit a violation of
> >      subsection (a), sells, transfers, _or conveys_ that same personal
> >      identifying information is guilty of a public offense....
> >
> > (emphasis added). Does a CA "convey[]" "personal identifying
> > information" if it leaves unrevoked, after notice, a certificate for a
> > domain that is being used to phish bank credentials?
> IANAL. Yet, that sounds at best very far-fetched regarding the
> conveying, and then even if, the "actual knowledge" regarding the
> "specific person" would not have been the case at the time of the very
> constructed "conveying".

If a CA "conveys" (or "transfers") by not revoking after notice (which gives "actual knowledge" that the "specific person" (that is, the legit site) is being impersonated), then there seems to be a problem. If a CA does not revoke after notice of actual fraudulent use, they have a bad fact pattern to defend. "Your honor! The BRs don't require it!" is pretty weak tea in this context.

Why not just do the right thing?

-R
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy