Matt, that's a bit harsh, and you are all over the map. I was only responding to Kathleen's questions, which asked what the current BRs require CAs to do when they receive reports of SSL certificates issued to malware injection sites. I was not proposing any new rules or any new interpretations of the existing rules -- I was explaining what the existing rules say, and how CAs (including the ones I have worked for) have applied them for many years (I believe these rules were first adopted, with the concurrence of all the browsers, in 2008 as part of the EV Guidelines). I was also pointing out that with the commendable adoption of ssl-everywhere, we all face new challenges as fraudsters are forced to use SSL, and use it to hide malware from user security software.
If you don't like the current BR rules, you are free to argue for change.