Independent of EV, the BRs require that a CA maintain a High Risk Certificate Request policy such that certificate requests are scrubbed against an internal database or other resources at the CA's discretion.
The examples particularly call out names that may be more likely to be used in phishing, names that have previously been revoked, etc. How is declining issuance or revoking "Stripe, Inc" because of High Risk not consistent with that policy? It's noteworthy that the intent appears to be security first (from the perspective of protecting relying parties) ahead of any right to get a certificate of any sort, much less an EV certificate. It's definitely a name that would be more likely to be used in phishing.

With respect to domain name labels, all CAs maintain high risk lists. I doubt Let's Encrypt would issue for paypal.any_valid_tld even if CAA would permit. This appears to be an extension of that kind of scrubbing to other Subject DN components.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
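The post describes two kinds of scrubbing: high-risk tokens in DNS labels, and the same check extended to Subject DN components such as O and CN, including names that were previously revoked. The following is an added example of what such a pre-issuance screen can look like in code; it is not any CA's actual implementation and is not from the original post. The high-risk token list, the "previously revoked" list, the suffix-stripping and digit-confusable rules, and the CSR-like input are all constructed for illustration.

```python
"""High-risk certificate request screening (constructed example, not any CA's code).

A request is described by its Subject DN attributes (a dict) and its dNSName
SANs (a list). The screen returns a list of findings; an empty list means the
request can proceed to normal validation, anything else goes to manual review.
"""
import re
import unicodedata

# Constructed high-risk list: brand tokens that a CA would not issue for
# without review, whatever TLD they appear under (cf. paypal.<tld>).
HIGH_RISK_TOKENS = frozenset({"paypal", "stripe", "microsoft", "apple"})

# Constructed list of normalised Subject O / CN values that were previously
# revoked; the BR policy calls these out explicitly.
PREVIOUSLY_REVOKED_ORGS = frozenset({"stripe"})

# Corporate suffixes that should not defeat a match ("Stripe, Inc" vs "Stripe").
_SUFFIX_RE = re.compile(r"\b(inc|llc|ltd|corp|corporation|company|co|gmbh)\b")
_NON_ALNUM_RE = re.compile(r"[^a-z0-9 ]+")

# Digit-for-letter substitutions commonly used in phishing labels (paypa1).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def normalize_dn_value(value: str) -> str:
    """Fold a Subject DN attribute to a comparable form.

    NFKD maps fullwidth/compatibility characters to ASCII, combining marks are
    dropped, case is folded, punctuation becomes whitespace and corporate
    suffixes are removed, so "Stripe, Inc" and "STRIPE" both become "stripe".
    """
    s = unicodedata.normalize("NFKD", value)
    s = "".join(ch for ch in s if not unicodedata.combining(ch)).casefold()
    s = _NON_ALNUM_RE.sub(" ", s)
    s = _SUFFIX_RE.sub(" ", s)
    return " ".join(s.split())


def normalize_label(label: str) -> str:
    """Fold one DNS label: case-fold and undo common digit confusables."""
    return label.casefold().translate(_CONFUSABLES)


def screen_request(subject: dict, sans: list) -> list:
    """Return the list of high-risk findings for a request (empty = pass)."""
    findings = []

    # 1. Domain-name labels: a high-risk token anywhere inside any label of
    #    any SAN is flagged, regardless of TLD or of what CAA would permit.
    for name in sans:
        for label in name.split("."):
            folded = normalize_label(label)
            for token in sorted(HIGH_RISK_TOKENS):
                if token in folded:
                    findings.append(
                        f"SAN {name}: label '{label}' contains high-risk token '{token}'")

    # 2. Subject DN components: the same scrubbing extended to O, CN and OU,
    #    plus an exact match against names previously revoked.
    for attr in ("O", "CN", "OU"):
        raw = subject.get(attr)
        if not raw:
            continue
        norm = normalize_dn_value(raw)
        if norm in PREVIOUSLY_REVOKED_ORGS:
            findings.append(f"Subject {attr} '{raw}' matches a previously revoked name")
        for token in sorted(HIGH_RISK_TOKENS):
            if token in norm.split():
                findings.append(f"Subject {attr} '{raw}' contains high-risk token '{token}'")

    return findings


if __name__ == "__main__":
    # Constructed requests: one clean, one naming a flagged organisation.
    for subj, sans in [
        ({"O": "Example Corp", "CN": "www.example.org"}, ["www.example.org"]),
        ({"O": "Stripe, Inc", "CN": "stripe.example"}, ["stripe.example"]),
        ({"O": "Shop Co"}, ["paypa1-secure.example.net"]),
    ]:
        print(subj, sans, "->", screen_request(subj, sans) or "pass")
```

The label check is deliberately a substring match, so it will also catch names such as "snapple" or "paypal-login"; that is acceptable because a hit only routes the request to manual review rather than denying it outright, which is how the BR policy frames the High Risk list.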