On 17.4.18 06:24, Jakob Bohm via dev-security-policy wrote:
> I am not the only one with that expectation.  In the concrete case the
> expectation was succinctly stated by Mathew in Message-ID
> mailman.312.1523571519.2176.dev-security-policy at lists.mozilla.org as
>
> Mathew> With respect to domain name labels, all CAs maintain high risk
> Mathew> lists.  I doubt XXXX would issue for
> Mathew> paypal.any_valid_tld even if CAA would permit.
> [ Name of CA elided ]
> The question asked by Matthew and me, and which you keep blocking, is if
> jomo has publicly disclosed a case in which that CA's procedures
> accidentally fail to achieve that CA's security goals for those
> procedures.  This is a perfectly normal vulnerability issue
> investigation, which jomo (not I) made public 4 days ago.

I was merely interested if Matthew's statement was correct, as I assumed
it was not. This was not intended to be (and is not) a vulnerability
issue investigation. It turned out Let's Elide indeed does issue a
certificate [0], which I find nothing wrong with.

They maintain a blacklist of high risk domains, as has been discussed in
their community forums [1].
They do not make the list public, but have made previous statements
about it; they have, in the past, accidentally blacklisted permutations
of domains that were not malicious, but happened to use a similar name
as a "high risk" domain, which made them change their blacklisting
mechanisms [2]. They might, for example, blacklist TLD permutations of
"high risk" domains registered by the same corporation. In this case it
would include, for example, paypal.com and paypal.de, but not
paypal.cologne, as it is not registered by the same corporation (PayPal
Inc.) as the high risk paypal.com.

The BRs do not require CAs to exclude domains from DV only because a big
corporation uses a similar name. See also [3].


0: https://crt.sh/?id=393717424

1: https://community.letsencrypt.org/search?q=%22Name%20is%20blacklisted%22

2: https://community.letsencrypt.org/t/name-is-blacklisted-on-renew/9012/19

3: https://letsencrypt.org/2015/10/29/phishing-and-malware.html


jomo

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
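The post above describes a "high risk" name check that once blacklisted harmless look-alikes because it matched on name fragments, and a refined check that only refuses registrable domains actually held by the corporation concerned. The following added example (not code from the thread, from Let's Encrypt or from any CA) contrasts the two policies so the false positives of the fragment-based check are visible; the two lists are constructed for illustration, since the real list is not public, and the registrable-domain helper assumes every public suffix is a single label.

```python
# Added example, not from the thread. Contrasts a substring-style "high risk"
# check (which refuses unrelated look-alike names) with a check against an
# exact list of registrable domains held by the same corporation.

HIGH_RISK_STRINGS = {"paypal"}                   # constructed sample
HIGH_RISK_DOMAINS = {"paypal.com", "paypal.de"}  # constructed: same corporation


def registrable_domain(fqdn: str) -> str:
    """Return the last two labels of a name.

    Assumption for this example: every public suffix is one label long.
    A real CA would consult the Public Suffix List, where e.g. "co.uk"
    is a two-label suffix.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a valid FQDN: {fqdn!r}")
    return ".".join(labels[-2:])


def substring_check(fqdn: str) -> bool:
    """Old-style policy: refuse if a high-risk string appears anywhere in the name."""
    name = fqdn.lower()
    return any(s in name for s in HIGH_RISK_STRINGS)


def exact_domain_check(fqdn: str) -> bool:
    """Refined policy: refuse only if the registrable domain is on the exact list."""
    return registrable_domain(fqdn) in HIGH_RISK_DOMAINS


def compare(fqdn: str) -> dict:
    """Evaluate both policies on one name so their disagreement is easy to inspect."""
    return {
        "name": fqdn,
        "substring_refuses": substring_check(fqdn),
        "exact_refuses": exact_domain_check(fqdn),
    }


if __name__ == "__main__":
    # Constructed sample names: two owned by the corporation, two that merely
    # contain the string "paypal" (the thread's paypal.cologne case).
    for name in ["www.paypal.com", "login.paypal.de",
                 "paypal.cologne", "mypaypalshop.example"]:
        print(compare(name))
```

Running the block shows the two policies agreeing on paypal.com and paypal.de but diverging on paypal.cologne and mypaypalshop.example, which only the substring policy refuses; that divergence is the accidental blacklisting the post refers to.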
