On Mon, Nov 6, 2017 at 6:34 AM, Fotis Loukos via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 04/11/2017 02:36 PM, Daniel Cater via dev-security-policy wrote:
> > I notice that on https://crt.sh/mozilla-onecrl there are lots of
> > certificates that have recently been added to OneCRL from the .tg TLD
> > (Togo), including ones for high-profile domains such as google.tg. The
> > issuances occurred 3 days ago, on 1st November.
>
> According to LE CP section 4.2.1:
> The CA SHALL develop, maintain, and implement documented procedures that
> identify and require additional verification activity for High Risk
> Certificate Requests prior to the Certificate’s approval, as reasonably
> necessary to ensure that such requests are properly verified under these
> Requirements.
>
> The same language also exists in section 4.2.1 of the CA/B Forum BRs.
>
> Has Let's Encrypt implemented the documented procedures? Is a request for
> google.tg considered a high risk certificate request based on the
> Let's Encrypt risk-mitigation criteria?
>

Does it matter? We've discussed this on the list several times in the past
- the fact is that it can be whatever a CA defines, and is itself not
meaningful for assurance. We've also seen how CAs' "high risk" lists have
ended up denying legitimate requests or causing security issues, so it
hardly seems the thing to hang our hat on, or the thing of substance worth
discussing.

Should all CAs treat .tg as high risk now? Should all domains be treated as
high risk, since, of course, registries can have issues? You can see how we
can quickly devolve into arguing everything is High Risk, while, in
practice, nothing is High Risk.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
