A few of us have been discussing the usareally.com "issue" recently.  In
case you didn't know, the US Treasury put out a notice that US companies
must not do business with USA Really:

                https://home.treasury.gov/news/press-releases/sm577


Let's Encrypt mapped that release to certificates they had issued to the
domain and revoked them:

https://www.mcclatchydc.com/news/policy/technology/cyber-security/article223832790.html


They came to the GlobalSign Russia organization, then to WoTrus:

                https://crt.sh/?q=usareally.com

US CAs should take notice and put the proper controls in place.


This site never appeared on Google Safe Browsing as it's not a malware "bad
site", and it's safe to visit.  You can even issue them a certificate or do
business with them if you're not a US company.  It's likely that there are
governmental notices like this in other regions which would be useful to
share and factor into the CA's High Risk checks.


Does this group have any recommendations for how/where such "claims" or
announcements could be posted? Is this list off-limits for such
communication?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
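As an added illustration of the "High Risk" screening the message above asks CAs to put in place (this is example code, not anything from the poster, from Let's Encrypt, or from any CA's actual pipeline): a small pre-issuance check that normalizes every requested SAN and matches it, and each of its parent domains, against a denylist of domains named in government notices. The denylist here is constructed for the example and contains only the domain discussed in this thread; a real deployment would populate it from the notices the poster suggests sharing. The normalization handles the cases a naive string comparison misses: wildcard prefixes, trailing dots, mixed case, and IDN labels, which an applicant could otherwise use to slip past an exact-match check.

```python
"""Pre-issuance screening of certificate requests against a high-risk domain list.

Example code written for this discussion; it is not a CA's real implementation.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed denylist: domains lifted from notices such as the Treasury press
# release discussed in the thread. Only the domain named in the thread is listed.
HIGH_RISK_DOMAINS: Dict[str, str] = {
    "usareally.com": "https://home.treasury.gov/news/press-releases/sm577",
}


def normalize_name(name: str) -> str:
    """Canonicalize a SAN the way the comparison needs it.

    - strip surrounding whitespace and any trailing dot (FQDN form)
    - lower-case (DNS names are case-insensitive)
    - drop a leading wildcard label, since *.usareally.com covers the listed name
    - convert IDN labels to their ASCII (punycode) form so Unicode lookalikes of
      an ASCII-listed domain compare on the same representation
    """
    name = name.strip().rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    # stdlib IDNA codec; raises UnicodeError on labels that are not valid IDNA
    return name.encode("idna").decode("ascii")


def parent_domains(name: str) -> List[str]:
    """Return the name and every parent domain, most specific first.

    'www.usareally.com' -> ['www.usareally.com', 'usareally.com', 'com']
    """
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def screen_request(sans: Iterable[str],
                   denylist: Dict[str, str] = HIGH_RISK_DOMAINS) -> List[Tuple[str, str, str]]:
    """Screen all SANs of one request; return (requested SAN, listed domain, source) per hit.

    An empty result means no SAN, or parent of a SAN, is on the list. A non-empty
    result is what the CA's high-risk process should route to manual review rather
    than auto-issue.
    """
    hits: List[Tuple[str, str, str]] = []
    for san in sans:
        candidate = normalize_name(san)
        for domain in parent_domains(candidate):
            if domain in denylist:
                hits.append((san, domain, denylist[domain]))
                break  # one hit per SAN is enough to block the request
    return hits


if __name__ == "__main__":
    # Constructed request: two evasion-style spellings of the listed domain and one clean name.
    request = ["WWW.USAReally.com.", "*.usareally.com", "example.org"]
    for san, listed, source in screen_request(request):
        print(f"BLOCK {san!r}: matches listed domain {listed} ({source})")
```

The check deliberately walks parent domains so that a request for a subdomain, or a wildcard covering the listed name, is caught as well; the source URL travels with each hit so the reviewer sees which notice triggered it.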