Nelson B Bolyard:
>
> I envision a photograph of Frank and Eddy, wearing mustaches and red
> capes with horns and sporting tridents.  :)
>   
LOL
>
> Sadly, I don't see many signs that Mozilla is interested or
> participating in this work.
>   
So wake them up...
> Referring to the issuance of certs for names like paypal-host.com or
> paypal.hosting.com, Eddy wrote:
>
>   
>> [...] CAs have and should have proper measures in place to 
>> prevent this from happening in first place. 
>>     
>
> You need to define "this" very carefully.
>   
Taken from a CPS I happen to have instant access to:

Subscriber Obligations

Use XYZ issued certificates in accordance with all applicable laws and 
not to use them for illegal or immoral purposes, which includes but is 
not limited to:
· threaten, discriminate or harass other individuals and entities
· make fraudulent offers of products, items, or services
· forge message headers, in part or whole, of any electronic transmission
· distribute viruses
· obtain the identity of other individuals or entities
· publish discriminating material
· use it for any unlawful activities


Circumstances for Revocation

- The information supplied may be misleading (e.g., paypa1.com, micr0soft.com)
- The subject has failed to comply with the rules in this policy
- The subscriber violated his/her obligations
> This raises the question: How can DV CAs, whose issuing processes are
> almost entirely automatic, have any such foreknowledge?  Eddy seems to
> suggest (I think) that there is some basis upon which potentially fraudulent
> domain names can be denied certs on some basis not yet defined (AFAIK).
Yes.
> I think that, in the absence of some well defined and widely
> agreed set of criteria, all DV issuers always have an out, namely,
> "We had no knowledge that there was any fraudulent intent."
>   
This might or might not be true for regular DV certs. This isn't true 
when talking about wild card certificates, because they potentially can 
be used for fraud. This is knowledge the CA has upfront; because of that, 
the CA should implement preventive measures such as identity validation.


-- 
Regards 
 
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390
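The message above argues that a CA can know upfront that a requested name is misleading (the CPS example of paypa1.com and micr0soft.com, and Nelson's paypal-host.com / paypal.hosting.com) and should have a preventive measure in place. What follows is an added illustration of what such a pre-issuance screening step could look like; it is not code from the thread, from StartCom, or from any CA, and the protected brand list, the confusable table and the hostnames fed to it are constructed for the example. A hit only means "route to manual review", not "deny".

```python
"""Heuristic pre-issuance lookalike screen (constructed example, not any CA's code)."""
import unicodedata
from difflib import SequenceMatcher

# Hypothetical list of protected second-level labels a CA might maintain.
PROTECTED_LABELS = ["paypal", "microsoft", "google"]

# ASCII characters commonly substituted for letters to imitate a brand.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
               "7": "t", "8": "b", "|": "l", "$": "s"}


def normalize_label(label):
    """Fold Unicode compatibility forms (e.g. fullwidth letters) to ASCII,
    lower-case, then map digit/symbol lookalikes onto the letters they imitate."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def split_host(hostname):
    """Return (is_wildcard, labels) for a hostname, stripping a leading '*.'."""
    host = hostname.strip().rstrip(".").lower()
    is_wildcard = host.startswith("*.")
    if is_wildcard:
        host = host[2:]
    return is_wildcard, host.split(".")


def similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()


def lookalike_findings(hostname, threshold=0.8):
    """Return a list of (protected_label, reason) pairs explaining why the
    requested hostname resembles a protected brand. Empty list means no hit.

    Only the registrable (second-level) label is compared for substitution
    and near-match; brand labels appearing as subdomains are flagged separately.
    """
    _, labels = split_host(hostname)
    core = labels[-2] if len(labels) >= 2 else labels[0]
    subdomain_labels = labels[:-2]
    norm = normalize_label(core)
    findings = []
    for brand in PROTECTED_LABELS:
        if norm == brand and core != brand:
            findings.append((brand, "confusable-substitution"))   # paypa1.com
        elif brand in subdomain_labels:
            findings.append((brand, "brand-as-subdomain"))        # paypal.hosting.com
        elif brand in core and core != brand:
            findings.append((brand, "brand-embedded"))            # paypal-host.com
        elif norm != brand and similarity(norm, brand) >= threshold:
            findings.append((brand, "near-match"))                # paypai.com
    return findings


if __name__ == "__main__":
    # Constructed sample requests, including the names discussed in the thread.
    for name in ["paypa1.com", "micr0soft.com", "paypal.hosting.com",
                 "paypal-host.com", "*.paypai.com", "paypal.com", "example.com"]:
        print(f"{name:22} {lookalike_findings(name) or 'no findings'}")
```

The exact-brand case (paypal.com itself) produces no finding because the registrable label equals the protected label; everything else that matches is a review signal, and the threshold and confusable table are the knobs an operator would tune against their own false-positive rate.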
 

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto