Apologies for triggering such a controversial discussion. Just to be clear, my 
original post was not directed at discrediting any practice of a CA, but rather 
to trigger discussion about what is/should be/will be the best option to solve 
the issue.

> >> Why not just do the right thing? 
> > The domain you send your emails from is, as far as I can tell, at 
> > least as much in breach of Germany's "Telemediengesetz" ("Tele media 
> > law") as a CA is of identity theft.
> That would raise a very involved question of international jurisdiction 
> that was not raised by the original question of a U.S. CA under the law 
> of a U.S. state. 
> > ...Why even think about whether the CA is legally bound by a German
> > court-order when it could ***just do the right thing***?
> Please tell us, counsellor, what "the right thing" is? I think there's a 
> big difference between 
> 
> (1) a CA refusing to take action following a report that one of its 
> certs is being used to perpetrate fraud (my hypo); and 
> 
> (2) a CA taking no pre-emptive action regarding a supposed technical 
> violation of a labelling requirement for which no specific section of 
> law has been cited, and which "violation" makes no real difference to 
> how anyone interacts with the "violating" site or in the services (if 
> any) that it provides to people who visit it (your hypo). 

For post-issuing, this may be a solution in my opinion for damage containment. 
But, and that is what bothers me more, it is a reactive measure. Shouldn't we 
think and aim at a preventive measure by solving the root cause?
Trust in such a phishing site is given by the DV certificate issued. The 
basis for issuing is that the ownership of the domain is confirmed. So, any 
user on the Internet is suggested to trust that the domain really has been 
verified as being the domain it is. And here, I guess the discrepancy happens. 
Domain validation means only it is controlled by whoever registered it. No 
statement on validation of any other attributes is given, although it is 
suggested that if it has "credit-suisse" in the name, it should belong to this 
financial institution. So, the root cause in my opinion is that the validation 
method suggests more than it is. So as a solution we either make that clear to 
the user (what she/he gets trustwise with this certificate; certainly not easy 
to do) or we think about improving the validation so that the user gets 
validation for what she/he expects to get, which probably means that only OV or 
EV or QWAC will be needed, or we work on how we revoke such certificates in an 
efficient manner (probably by an according change in the BRGs).

- Nathalie
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy