On 8/14/2020 2:14 PM, Tobias S. Josefowitz via dev-security-policy wrote:
On Fri, Aug 14, 2020 at 10:32 PM Ronald Crane via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
Why not just do the right thing?
The domain you send your emails from is, as far as I can tell, at
least as much in breach of Germany's "Telemediengesetz" ("Tele media
law") as a CA is of identity theft.
That would raise a very involved question of international jurisdiction
that was not raised by the original question of a U.S. CA under the law
of a U.S. state.
...Why even think about whether the CA is legally bound by a German
court-order when it could ***just do the right thing***?
Please tell us, counseller, what "the right thing" is? I think there's a
big difference between
(1) a CA refusing to take action following a report that one of its
certs is being used to perpetrate fraud (my hypo); and
(2) a CA taking no pre-emptive action regarding a supposed technical
violation of a labelling requirement for which no specific section of
law has been cited, and which "violation" makes no real difference to
how anyone interacts with the "violating" site or in the services (if
any) that it provides to people who visit it (your hypo).
Certain acts (such as fraud) are malum in se -- intrinsically injurious
to the operation of an ordered society. That (at least at common law --
I don't know what continental law says on this topic) is a critical
distinction between the two hypos.
-R
P.S. Again, not legal advice...consult your favorite lawyer for that.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
