My point, and that of some others is that the blunt revocation was a
public demonstation of how that CA would respond to a real phishing
site, thus completing your public demonstration of the problematic
scenario.
On 13/04/2018 02:40, James Burton wrote:
We both work in the security space and yes, usually blocking a proof of
concept is good practice but in this situation I feel that revoking this
cert was heavy handed and unnecessary. The probability of Ian using the EV
certs for deceptive purposes was extremely low.
There are tons more ways of using EV certs for bad purposes.
James
On Thu, 12 Apr 2018 at 23:35, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
On 12/04/2018 21:20, James Burton wrote:
Both mine and Ian's demonstrations never harmed or deceived anyone as
they
were proof of concept. The EV certs were properly validated to the
EV guidelines. Both companies are legitimate. So what's the issue? None.
In the security space, blocking a proof of concept exploit is usually
considered the right thing to do. But doing so in a way that is
entirely limited to the concrete example rather than the underlying
problem is considered cheating.
Consider, as an analogy, a hypothetical freedom of speech law whose only
exception was that you must not shout "fire" in a packed theater. Then
an actor standing on stage making speech about the silliness of that law
and then shouting "fire", with full warning of the audience to avoid
panic, should not be surprised to get charged with the specific offense,
as it was a deliberate test of the law. Of cause, such an actor might
deserve some leniency in the punishment, such as a $1 fine, but he
should not be surprised the law is formally upheld.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
