A few of us have been discussing the usareally.com "issue" recently. In case you didn't know, the US Treasury put out a notice that US companies must not do business with USA Really:
https://home.treasury.gov/news/press-releases/sm577

Let's Encrypt mapped that release to certificates they had issued to the domain and revoked them: https://www.mcclatchydc.com/news/policy/technology/cyber-security/article223832790.html

They came to the GlobalSign Russia organization, then to WoTrus: https://crt.sh/?q=usareally.com

US CAs should take notice and put the proper controls in place. This site never appeared on Google Safe Browsing as it's not a malware "bad site", and it's safe to visit. You can even issue them a certificate or do business with them if you're not a US company. It's likely that there are governmental notices like this in other regions which would be useful to share and factor into the CA's High Risk checks. Does this group have any recommendations for how/where such "claims" or announcements could be posted? Is this list off-limits for such communication?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy