On Thu, Apr 12, 2018 at 8:10 AM, Ryan Sleevi via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Indeed, I find it concerning that several CAs were more than happy to take
> Ian's money for the issuance, but then determined (without apparent cause
> or evidence) to revoke the certificate. Is there any evidence that this
> certificate was misissued - that the information was not correct? Is there
> evidence that Ian, as Subscriber, or stripe.ian.sh, as domain holder,
> requested this certificate to be revoked?
>
> If anything, this highlights the deeply concerning practices of revocation
> by CAs, and their ability to disrupt services of legitimate businesses.
>

BR 4.9.1.1 states that a CA SHALL revoke a certificate within 24 hours if "The
CA determines that any of the information appearing in the Certificate is
inaccurate or misleading". I'm sympathetic to the arguments being made here,
but the whole point of this discussion is that the EV information presented
to users is misleading, so these CAs did what was required of them.

> On Thu, Apr 12, 2018 at 10:20 AM, Eric Mill via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > I'll go further, and protest why the EV cert was revoked. Why can't Ian
> > have a "Stripe, Inc." EV certificate for his business if he wants to? What
> > makes the payment processing company somehow more deserving of one than
> > Ian's company? Why was GoDaddy allowed to effectively take Ian's site down
> > without his consent?
> >
> > If this is how EV is going to be handled, I think it's time to seriously
> > discuss removing the display of EV information from Mozilla products.
> >
> > -- Eric
> >
> > On Wed, Apr 11, 2018 at 3:31 PM, Jonathan Rudenberg via dev-security-policy
> > <dev-security-policy@lists.mozilla.org> wrote:
> >
> > > On Wed, Apr 11, 2018, at 15:27, Matthew Hardeman via dev-security-policy
> > > wrote:
> > > > It was injudicious of a CA to issue another certificate in this name for
> > > > this entity after the already well documented controversy. Did they just
> > > > not care that it would invite trouble or did they not know that it would
> > > > invite controversy and trouble because they didn't track it the first time
> > > > around?
> > >
> > > What "trouble" is being invited? I don't see a problem. Everything is
> > > operating exactly as expected. GoDaddy did nothing wrong.
>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy