John and Peter - this issue has actually come up recently - I think you have a very good idea.
We'll add to our agenda for the next Forum Teleconference call. Thanks.

Kirk

From: John LaCour [mailto:j...@phishlabs.com]
Sent: Monday, February 19, 2018 2:45 PM
To: questi...@cabforum.org
Cc: pe...@apwg.org
Subject: Directory of abuse reporting contacts for CAs?

Dear CA Representative:

The CA/Browser Forum's Baseline Requirements Section 4.9.3 says in part:

"The CA SHALL provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with clear instructions for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to Certificates. The CA SHALL publicly disclose the instructions through a readily accessible online means."

However, we sometimes find it difficult to find instructions on how and where to submit reports to issuing CAs to request certification revocation due to malicious use.

Would it be possible for the Forum and/or the browser community to create a list of reporting email addresses for each CA in the browser root programs, and post the list to an obvious page on the Forum's website, and maybe also on the CCADB website (Resources tab)?

If for whatever reason, the Forum decides not to make a consolidated listing available as a public resource, we would be grateful if the CAs would provide this information directly so that we may provide a consolidated list to the anti-phishing community via the Anti-Phishing Working Group (APWG).

Also, we would like to make you aware of an APWG program, AmDoS (1), which facilitates the suspension of malicious domain names. The program introduces a vetting program for reporters to submit takedown requests to participating domain registries. This may potentially be a useful model to facilitate revocation requests between the anti-phishing community and CAs. Better, it is built and working and ready to update for the Forum's needs.

We thank you in advance for your help in this effort.
We look forward to collaborating with the Forum soon.

Sincerely,

John LaCour
CTO, PhishLabs
j...@phishlabs.com

Peter Cassidy
Secretary General, APWG
pcass...@apwg.org

(1) https://www.antiphishing.org/apwg-news-center/amdos/

--
John LaCour
Founder and Chief Technology Officer
M: +1.415.425.5646
j...@phishlabs.com
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public