On Thu, Aug 13, 2020 at 8:59 PM Paul Walsh <p...@metacert.com> wrote:
>
> > On Aug 13, 2020, at 11:04 AM, Tobias S. Josefowitz via dev-security-policy
> > <dev-security-policy@lists.mozilla.org> wrote:
> >
> > On Thu, Aug 13, 2020 at 7:20 PM Paul Walsh via dev-security-policy
> > <dev-security-policy@lists.mozilla.org> wrote:
> >>
> >> "Every domain should be allowed to have a certificate ***regardless of
> >> intent***."
> >>
> >> They are the most outrageously irresponsible words that I’ve heard in my
> >> career on the web since 1996 when I was at AOL, and sadly, I’ve heard them
> >> more than once. I just can’t get my head around it. To me, those words are
> >> akin to someone saying that masks, Bill Gates, 5G and vaccinations are all
> >> dangerous - totally stupid and not in the best interest of society.
> >
> > So in your opinion, what is wrong with every domain being allowed to
> > have a certificate? What are your opinions on every domain being
> > allowed TCP connections, IP addresses, its domain itself, and
> > electricity? Is the certificate somehow standing out in your opinion?
> > Why should it? If it was so easy for CAs to detect problematic
> > domains, why isn't it for the domain registries/registrars? Why isn't
> > the domain itself the problem but somehow the certificate is?
>
> [PW] Good questions. Perhaps you could answer mine first? That is, why would
> a company not want to reduce the risk of their service being abused? Asking
> me to explain why they should, seems counterproductive. It’s like asking me
> why I should stop a man from kicking a child in the head. Answer = it’s the
> right thing to do, even if I don’t have to.
"Asking me to explain why they should, seems counterproductive." - Well, if that is what you prefer we can of course simply go back to you being the arbiter of what is and is not to be likened to kicking a child in the head, and everything else subsequently being black and white and plain simple. Except of course, you know, for why what even you must consider to be a lot of people that you ought to think ought to be subject matter experts under normal circumstances have these opinions and determinations you so much cannot explain or understand that you liken them to "someone saying that masks, Bill Gates, 5G and vaccinations are all dangerous". Or maybe you could just be the arbiter of that, too.

The answer itself is maybe simple, but definitely not black and white. It is also multifold. One aspect you might consider is that some might consider CAs/certs to simply not be the most appropriate/effective level to stop children from getting kicked in the head at, or actually some may even consider it a pretty ineffective and inappropriate level for trying to stop children from getting kicked in the head in general.

To entirely leave the comfy binary space of black and white, one might also consider whether what is being discussed is actually an abuse of a CA's services. You probably are back to your mental image of a child getting its head kicked in by now, so let me work with that. Who sold that ghastly offender their shoes? Oh the abuse of service! If only the good merchant knew. Surely we must prevent the offender from buying shoes again! The grocery stores and restaurants surely should be informed as well, as the nourishment they sold to the offender got later on converted into the energy required for head-kicking! You know, while we're at it, what about the offender's landlord? Surely having a good night's sleep on the landlord's property before kicking a child's head in somehow must be abuse of service? That turned out surprisingly "cynical".
Still, what constitutes abuse of service, and one that one has moral implications or strong incentives to counteract at all or even at some leveled cost, is a bit of a spectrum; not everyone will agree where exactly to place certain things on this spectrum, and maybe that is why you just cannot get your head around it.

> By deflecting the conversation to other stakeholders you’re participating in
> “whataboutism”. Let’s stick to why any company should not try to reduce the
> risk of abuse.

Yeah or maybe I'm wrong and this is super easy and we even have a word for it that, whether it applies here or not, allows us not to think about this anymore. "whataboutism", convenient.

Tobi

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy