On Mon, Apr 16, 2018 at 3:22 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> If that CA has a practice that they actually do something about high
> risk names, it would still be expected (in the normal, not legal,
> sense of the word) for that CA to include PayPal on their list of
> such names.
>
If you expect that, you're absolutely wrong for expecting that, because that's not what a High Risk Request is. You can't simply ignore the very definition and requirements and attempt to argue it should be anything.

> But just to please your pedantry, I will add two additional outcome
> options:
>
> -1. That CA does not really check for high risk names at all. This
> might be permitted by some readings of BR 4.2.1 / Ballot 78.

It absolutely is permitted, and not a negative. Your expectations are wrong, and you should adjust them, because they're not based in reality.

> 0. That CA uses a form of "additional scrutiny" for "High Risk
> Certificate Requests" which is sufficiently weak as to still allow
> this proof of concept incident.

It's not sufficiently weak, for any sense, because it's not defined what weak or strong is.