John and Peter - this issue has actually come up recently - I think you have a 
very good idea.

We'll add it to our agenda for the next Forum Teleconference call. Thanks.


From: John LaCour
Sent: Monday, February 19, 2018 2:45 PM
Subject: Directory of abuse reporting contacts for CAs?

Dear CA Representative:

The CA/Browser Forum's Baseline Requirements Section 4.9.3 says in part:

"The CA SHALL provide Subscribers, Relying Parties, Application Software 
Suppliers, and other third parties with clear instructions for reporting 
suspected Private Key Compromise, Certificate misuse, or other types of fraud, 
compromise, misuse, inappropriate conduct, or any other matter related to 
Certificates. The CA SHALL publicly disclose the instructions through a readily 
accessible online means."

However, we sometimes find it difficult to find instructions on how and where to 
submit reports to issuing CAs to request certification revocation due to 
malicious use.

Would it be possible for the Forum and/or the browser community to create a 
list of reporting email addresses for each CA in the browser root programs, and 
post the list to an obvious page on the Forum's website, and maybe also on the 
CCADB website (Resources tab)?

If for whatever reason, the Forum decides not to make a consolidated listing 
available as a public resource, we would be grateful if the CAs would provide 
this information directly so that we may provide a consolidated list to the 
anti-phishing community via the Anti-Phishing Working Group (APWG).

Also, we would like to make you aware of an APWG program, AmDoS (1), which 
facilitates the suspension of malicious domain names.   The program introduces 
a vetting program for reporters to submit takedown requests to participating 
domain registries.  This may potentially be a useful model to facilitate 
revocation requests between the anti-phishing community and CAs. Better, it is 
built and working and ready to update for the Forum's needs.

We thank you in advance for your help in this effort. We look forward to 
collaborating with the Forum soon.


John LaCour

CTO, PhishLabs

Peter Cassidy

Secretary General, APWG


John LaCour
Founder and Chief Technology Officer
M: +1.415.425.5646
