On Tue, Aug 11, 2020, at 15:20, nathali...--- via dev-security-policy wrote:

> The problem report was answered by Let's Encrypt with an answer 
> indicating that they will continue to issue and hence are not following 
> BRG 4.2.1. requiring them to have procedures in place for such High 
> Risk Certificate Requests.

Not revoking this certificate and continuing issuance does not indicate that 
they are not complying with the Baseline Requirements.

> The CA SHALL develop, maintain, and implement documented procedures that 
> identify and require additional verification activity for High Risk 
> Certificate Requests prior to the Certificate’s approval, as reasonably 
> necessary to ensure that such requests are properly verified under these 
> Requirements.

The issuance of a specific certificate doesn't indicate that they don't have 
the required "documented procedures" in place. There is no language in the 
Baseline Requirements or Mozilla Requirements that require specific criteria or 
procedures for High Risk Certificate Requests. However, since their CA software 
is open source, we can confirm that they do in fact have procedures implemented 
for High Risk Certificate Requests: 
https://github.com/letsencrypt/boulder/blob/e2c8f6743a3c3539a75ee59b8e3c152e069a7a1e/policy/pa.go#L53-L73

The Baseline Requirements and Mozilla Requirements also do not have any 
requirements to revoke or block future issuance in cases like this, so I don't 
see any "malpractice" or policy violations here.

> So the question now is what the community intends to do to retain trust 
> in a certificate issuer with such an obvious malpractice enabling 
> phishing sites?

TLS is the wrong layer to address phishing at, and this issue has already been 
discussed extensively on this list. This domain is already blocked by Google 
Safe Browsing, which is the correct layer (the User Agent) to deal with 
phishing at. I'd suggest reading through these posts before continuing so that 
we don't waste our time rehashing old arguments: 
https://groups.google.com/g/mozilla.dev.security.policy/search?q=phishing

Jonathan
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
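The kind of High Risk Certificate Request screening that the linked Boulder policy code performs, shown here as an added illustration rather than Boulder's own implementation: a policy object holds an exact blocklist and a list of domains whose subdomains are also blocked, normalizes each requested name (case, trailing dot, wildcard prefix) and reports the first SAN on a request that needs additional verification. The list entries and domain names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// HighRiskPolicy is an illustrative policy authority (not Boulder's code).
// exact holds fully qualified names blocked outright; suffixes holds
// registered domains whose subdomains are also treated as high risk.
type HighRiskPolicy struct {
	exact    map[string]bool
	suffixes []string
}

// NewHighRiskPolicy builds a policy from two constructed name lists.
func NewHighRiskPolicy(exact, suffixes []string) *HighRiskPolicy {
	p := &HighRiskPolicy{exact: make(map[string]bool)}
	for _, n := range exact {
		p.exact[normalize(n)] = true
	}
	for _, s := range suffixes {
		p.suffixes = append(p.suffixes, normalize(s))
	}
	return p
}

// normalize lowercases, strips a trailing dot and drops a leading "*." so a
// wildcard request is screened on its base domain and "Example.COM." equals
// "example.com".
func normalize(name string) string {
	n := strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
	return strings.TrimPrefix(n, "*.")
}

// Check reports whether one requested name is high risk and why.
func (p *HighRiskPolicy) Check(name string) (bool, string) {
	n := normalize(name)
	if p.exact[n] {
		return true, "name is on the exact high-risk list"
	}
	for _, s := range p.suffixes {
		// Match the domain itself or any label below it; a plain substring
		// test would wrongly flag "example-bank.test.example.test".
		if n == s || strings.HasSuffix(n, "."+s) {
			return true, fmt.Sprintf("name is under high-risk domain %q", s)
		}
	}
	return false, ""
}

// CheckAll screens every SAN on a request and returns the first offending
// name with its reason, or empty strings if the request is clean.
func (p *HighRiskPolicy) CheckAll(names []string) (string, string) {
	for _, n := range names {
		if hit, why := p.Check(n); hit {
			return n, why
		}
	}
	return "", ""
}

func main() {
	// Constructed lists for the example; a real CA's lists are its own.
	p := NewHighRiskPolicy(
		[]string{"login.example-bank.test"},
		[]string{"example-bank.test"},
	)
	requests := [][]string{
		{"www.example.test"},
		{"shop.example.test", "accounts.example-bank.test"},
		{"*.example-bank.test"},
	}
	for _, req := range requests {
		if n, why := p.CheckAll(req); n != "" {
			fmt.Printf("HIGH RISK: %s (%s)\n", n, why)
		} else {
			fmt.Printf("ok: %v\n", req)
		}
	}
}
```

The suffix rule uses a dot-anchored match rather than a substring test, so a name that merely contains a protected domain somewhere in the middle of its labels is not flagged; whether a hit leads to refusal or to extra verification is the CA's documented procedure, which is the part BR 4.2.1 actually requires.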