On Fri, Aug 14, 2020 at 10:32 PM Ronald Crane via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> If a CA "conveys" (or "transfers") by not revoking after notice (which
> gives "actual knowledge" that the "specific person" (that is, the legit
> site) is being impersonated), then there seems to be a problem. If a CA
> does not revoke after notice of actual fraudulent use, they have a bad
> fact pattern to defend. "Your honor! The BRs don't require it!" is
> pretty weak tea in this context.

Neither a domain name nor a public key seems to be Section 530.55
style personal identifying information of a specific person. Also your
interpretation of "conveys" and "transfers" really seems contrived to

> Why not just do the right thing?

The domain you send your emails from is, as far as I can tell, at
least as much in breach of Germany's "Telemediengesetz" ("Tele media
law") as a CA is of identity theft. [It doesn't really matter here,
but the Telemediengesetz requires an imprint to be published on the
homepage identifying the person or legal entity responsible)]. German
law also has a somewhat wide-ranging concept in who might be an
accessory to a breach of law. Such accessories can easily be
court-ordered to end their participation in the breach of law, or sued
for damages if they don't upon becoming aware of them. Complicated
stuff, but then the details are not important.

Now what if someone actually got a court-order against a CA used by
the domain you send your mails from? It would be a German court-order,
presumably, so would it really bind the CA used, assuming it's not in
Germany? Are there treaties in place between Germany and the
jurisdiction a CA used by the domain you send mails from where local
courts would help enforce the German court-order in this matter? Why
even think about whether the CA is legally bound by a German
court-order when it could ***just do the right thing***?

As I said before, I am not a lawyer. This is just to serve as an
illustration of what may lurk down the direction you are exploring
here, and how it is maybe simply not as clear as you think it is what
"the right thing" is and how to "do" it.
