Andrew - As I outlined in my message above, the BRs cover two distinct situations: (1) when must CAs revoke certs that have already been issued for “Certificate misuse, or other types of fraud, compromise, misuse, or inappropriate conduct related to Certificates,” and (2) when CAs must refuse to issue because their High Risk Certificate Request checking algorithms indicate the subscriber should not receive a new certificate.
Kathleen’s questions cover both situations (1) and (2): == Questions == 1) What does "Certificate misuse, or other types of fraud" in the definition of Certificate Problem Report actually mean? [KH - This relates to revocation of an issued certificate] 2) What does "misused" mean in Section 4.9.1.1? [KH - This relates to revocation of an issued certificate] 3) If a website is using its SSL certificate to mask injection of malware and evidence of that is presented to the issuing CA, is that sufficient misuse for the CA to be required to revoke the certificate? [KH - This relates to revocation of an issued certificate] 4) Does a website who is known to an issuing CA to inject malware count as high risk? [This relates to refusal to issue a new certificate to a subscriber based on known bad acts, not possible identity confusion in a name like “yourfacebookpage123.net” that is properly registered to a hacker.] 5) Are CAs required to maintain a list/database to prevent issuance of SSL certificates for websites that are known to them to inject malware? [This relates to refusal to issue a new certificate to a subscriber based on known bad acts, not possible identity confusion in a name like “yourfacebookpage123.net” that is properly registered to a hacker.] Your main concern – unjustified delay in issuing a certificate to your customer while a human looks at the domain to decide if there is a problem - is not really related to any of Kathleen’s questions. Your other comments express what you think the role of a CA *should* be, but don’t address what the current BRs actually require CAs to do (which is what Kathleen was asking). I think it’s a huge mistake to leave all user protection solely o software processing features like Microsoft SmartScreen and Google Safe Browsing. First, there are millions of users around the world who will not be protected by such features. Second, who knows what really goes in to these software processing features – and who knows if a malware site known to the CA who issued a cert for the site will ever be reported by the CA to all the possible software applications used around the world. When a certificate is used to hide malware from users and prevent their security software from detecting the malware, that certificate should be revoked by the issuing CA once it receives credible information that the certificate is being used by a malware site (after the CA receives no timely or adequate response from the subscriber when asked about the report). That’s the first line of defense for users. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy