thanks
发自网易邮箱大师 在2017年05月03日 10:15,Jakob Bohm via dev-security-policy 写道: On 02/05/2017 12:46, Gervase Markham wrote: > On 02/05/17 01:55, Peter Kurrasch wrote: >> I was thinking that fraud takes many forms generally speaking and that >> the PKI space is no different. Given that Mozilla (and everyone else) >> work very hard to preserve the integrity of the global PKI and that the >> PKI itself is an important tool to fighting fraud on the Internet, it >> seems to me like it would be a missed opportunity if the policy doc made >> no mention of fraud. >> >> Some fraud scenarios that come to mind: >> >> - false representation as a requestor >> - payment for cert services using a stolen credit card number >> - malfeasance on the part of the cert issuer > > Clearly, we have rules for vetting (in particular, EV) which try and > avoid such things happening. It's not like we are indifferent. But > stolen CC numbers, for example, are a factor for which each CA has to > put in place whatever measures they feel appropriate, just as any > business does. It's not really our concern. > >> - requesting and obtaining certs for the furtherance of fraudulent activity >> >> Regarding that last item, I understand there is much controversy over >> the prevention and remediation of that behavior but I would hope there >> is widespread agreement that it does at least exist. > > It exists, in the same way that cars are used for bank robbery getaways, > but the Highway Code doesn't mention bank robberies. > > Gerv > However a highway code may mention the authority of the highway police to establish roadblocks and stop vehicles in relation to general criminal issues. (But it is obviously not against any law for the police to not establish roadblocks and vehicle searches for every bank robbery ever committed, just as there is no requirements for CAs to revoke certificates for every allegedly fraudulent use possible). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
