On Fri, Jan 11, 2019 at 11:51 AM Doug Beattie via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> A few of us have been discussing the usareally.com "issue" recently. In
> case you didn't know, the US Treasury put out a notice that US companies
> must not do business with USA Really:
>
> https://home.treasury.gov/news/press-releases/sm577
>
> Let's Encrypt mapped that release to certificates they had issued to the
> domain and revoked them:
>
> https://www.mcclatchydc.com/news/policy/technology/cyber-security/article223832790.html
>
> They came to the GlobalSign Russia organization then to WoTrus:
>
> https://crt.sh/?q=usareally.com
>
> US CAs should take notice and put the proper controls in place.
>
> Am I wrong to expect US CAs to be monitoring OFAC sanctions lists?
> Otherwise they would risk violating the typical "comply with applicable
> law" stipulation in section 9 of their CPSs.
>
> This site never appeared on Google Safe Browsing as it's not a malware "bad
> site", and it's safe to visit. You can even issue them a certificate or do
> business with them if you're not a US company. It's likely that there are
> governmental notices like this in other regions which would be useful to
> share and factor into the CA's High Risk checks.
>
> Does this group have any recommendations for how/where such "claims" or
> announcements could be posted? Is this list off-limits for such
> communication?

Unless/until someone responds with specific objections, feel free to use this list to share that type of information.

- Wayne

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy