On Fri, 14 Aug 2020, 21:52 Ronald Crane via dev-security-policy, <dev-security-policy@lists.mozilla.org> wrote:

> It could raise legal issues for a CA to refuse to revoke an obvious
> phishing domain after notice that it is fraudulent, or at least after
> notice that it's actually being used to defraud.
>
> For example, Calif. Penal Code s.530.5 says:
>
> (d)(2) Every person who, with _actual knowledge_ that the personal
> identifying information, as defined in subdivision (b) of Section
> 530.55, of a specific person will be used to commit a violation of
> subsection (a), sells, transfers, _or conveys_ that same personal
> identifying information is guilty of a public offense....
>
> (emphasis added). Does a CA "convey[]" "personal identifying
> information" if it leaves unrevoked, after notice, a certificate for a
> domain that is being used to phish bank credentials?
>
> Subdivision (a), in turn, makes it a public offense to "willfully
> obtain[] personal identifying information, as defined in subdivision
> (b) of Section 530.55, of another person, and use[] that information for
> any unlawful purpose...". (This would seem to cover actual phishing of
> bank credentials).
>

IANAL, but please note that you quote "personal identifying information [...] of another person".

AIUI, to trigger clause (d)(2) for the CA, the phishing party would _at the very least_ need to have obtained a valid certificate (and keypair, to use this certificate) for a domain that they do not own / are authorized to control (= PII of another person). The revocation of such certificates is already covered by the first listing in BR section 4.9.1.1.

This is not legal advice. Consult your favorite lawyer for that.

> -R
>

Same here,

-Matthias

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy