Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Matthew Hardeman via dev-security-policy
It’s actually really simple. You end up in a position of editorializing. If you will not provide service for abuse, everyone with a gripe constantly tries to redefine abuse. Additionally, this is why positive security indicators are clearly on the way out. In the not too distant future all

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Burton via dev-security-policy
Let's Encrypt hasn't done anything wrong here. Let's Encrypt has issued the certificate according to the BR requirements and their own policies. Every domain should be allowed to have a certificate regardless of intent. CAs must not be allowed to act as judges. Remember, all server certificates

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Paul Walsh via dev-security-policy
You’re way off topic. I purposely didn’t bring up indicators or phishing or certifying anything. Those things have absolutely nothing to do with my message. You’re joining dots that don’t exist in my conversation. Rather than do that, refer only to the words I write - not what I might be

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Paul Walsh via dev-security-policy
"Every domain should be allowed to have a certificate ***regardless of intent***.” They are the most outrageously irresponsible words that I’ve heard in my career on the web since 1996 when I was at AOL, and sadly, I’ve heard them more than once. I just can’t get my head around it. To me,

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Burton via dev-security-policy
I stand by the comments I made earlier and it's the correct terminology. A domain should have a certificate regardless of intent by the user. CAs are not the police and shouldn't act as one. CAs do have to follow policies if the certificate is used in illegal activities, misissued, etc but no CA

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Tobias S. Josefowitz via dev-security-policy
On Thu, Aug 13, 2020 at 7:20 PM Paul Walsh via dev-security-policy wrote: > > "Every domain should be allowed to have a certificate ***regardless of > intent***.” > > They are the most outrageously irresponsible words that I’ve heard in my > career on the web since 1996 when I was at AOL, and

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Paul Walsh via dev-security-policy
Let me try this. Let’s say a report of child abuse is put forward to a hosting provider, should they ignore it because they “are not the police”? Should companies like Twitter and Facebook do nothing to reduce the risk of bullying, misinformation and other bad things? It’s ok to say you think

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Burton via dev-security-policy
I'm not going to answer the question because it's not relevant to discussion. On Thu, Aug 13, 2020 at 6:57 PM Paul Walsh wrote: > Let me try this. Let’s say a report of child abuse is put forward to a > hosting provider, should they ignore it because they “are not the police”? > Should

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Burton via dev-security-policy
Please don't speculate on my opinion just because I won't answer the question. That's unprofessional. So act professional! You know it makes sense! On Thu, Aug 13, 2020 at 8:04 PM Paul Walsh wrote: > Exactly what I thought - you’re either unable to answer the question > honestly, or you simply

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Ronald Crane via dev-security-policy
I'd argue that domain registrars, CAs, and hosting services _should_ have an obligation to deny services to obvious phishing domains. [1] (This is independent of what (if any) obligations they might currently have.) Phishing continues to be epidemic. It is not enough that some user agents

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Ronald Crane via dev-security-policy
On 8/13/2020 1:08 PM, Kurt Roeckx via dev-security-policy wrote: On Thu, Aug 13, 2020 at 12:43:01PM -0700, Ronald Crane via dev-security-policy wrote: I'd argue that domain registrars, CAs, and hosting services _should_ have an obligation to deny services to obvious phishing domains. [1] (This

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Tobias S. Josefowitz via dev-security-policy
On Thu, Aug 13, 2020 at 8:59 PM Paul Walsh wrote: > > > > On Aug 13, 2020, at 11:04 AM, Tobias S. Josefowitz via dev-security-policy > > wrote: > > > > On Thu, Aug 13, 2020 at 7:20 PM Paul Walsh via dev-security-policy > > wrote: > >> > >> "Every domain should be allowed to have a certificate

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Kurt Roeckx via dev-security-policy
On Thu, Aug 13, 2020 at 12:43:01PM -0700, Ronald Crane via dev-security-policy wrote: > I'd argue that domain registrars, CAs, and hosting services _should_ have an > obligation to deny services to obvious phishing domains. [1] (This is > independent of what (if any) obligations they might

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Paul Walsh via dev-security-policy
> On Aug 13, 2020, at 11:04 AM, Tobias S. Josefowitz via dev-security-policy > wrote: > > On Thu, Aug 13, 2020 at 7:20 PM Paul Walsh via dev-security-policy > wrote: >> >> "Every domain should be allowed to have a certificate ***regardless of >> intent***.” >> >> They are the most

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Paul Walsh via dev-security-policy
Exactly what I thought - you’re either unable to answer the question honestly, or you simply do not care about the consequences that arise from abuse. > On Aug 13, 2020, at 11:19 AM, Burton wrote: > > I'm not going to answer the question because it's not relevant to discussion. > > On Thu,

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Tobias S. Josefowitz via dev-security-policy
On Thu, Aug 13, 2020 at 10:31 PM Ronald Crane via dev-security-policy wrote: > > [...] Registrars (and CAs) are > in excellent positions to impede the use of phishing domains, since they > hand them out (registrars) or issue certificates for them (CAs). [...] Things are rarely this static. The

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Paul Walsh via dev-security-policy
I agree Eric. I apologize for those words, they’re beneath me and everyone else who strives for civil debate. It’s a terrible paragraph of text. - Paul > On Aug 13, 2020, at 4:09 PM, Eric Mill wrote: > > On Thu, Aug 13, 2020 at 10:20 AM Paul Walsh via dev-security-policy >

CCADB Updates August 20-24: Policy Document Objects

2020-08-13 Thread Kathleen Wilson via dev-security-policy
All, Currently CCADB only allows for one CP URL and one CPS URL per root certificate, so we are updating the CCADB to enable many-to-many mapping between policy documents and root certificates. One or more policy documents may be provided and associated with one or more root certificates and

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Ronald Crane via dev-security-policy
On 8/13/2020 2:25 PM, Tobias S. Josefowitz via dev-security-policy wrote: On Thu, Aug 13, 2020 at 10:31 PM Ronald Crane via dev-security-policy wrote: [...] Registrars (and CAs) are in excellent positions to impede the use of phishing domains, since they hand them out (registrars) or issue

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Eric Mill via dev-security-policy
On Thu, Aug 13, 2020 at 10:20 AM Paul Walsh via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > "Every domain should be allowed to have a certificate ***regardless of > intent***.” > > They are the most outrageously irresponsible words that I’ve heard in my > career on the

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Tobias S. Josefowitz via dev-security-policy
On Thu, Aug 13, 2020 at 11:48 PM Ronald Crane via dev-security-policy wrote: > > On 8/13/2020 2:25 PM, Tobias S. Josefowitz via dev-security-policy wrote: > > Detecting phishing domains by "looking at them as strings" may thus be > > futile, and "blocking obvious phishing domains" may be a not so

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Ronald Crane via dev-security-policy
On 8/13/2020 3:18 PM, Tobias S. Josefowitz via dev-security-policy wrote: On Thu, Aug 13, 2020 at 11:48 PM Ronald Crane via dev-security-policy wrote: On 8/13/2020 2:25 PM, Tobias S. Josefowitz via dev-security-policy wrote: Detecting phishing domains by "looking at them as strings" may thus

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Tobias S. Josefowitz via dev-security-policy
On Fri, Aug 14, 2020 at 1:53 AM Ronald Crane via dev-security-policy wrote: > > On 8/13/2020 3:18 PM, Tobias S. Josefowitz via dev-security-policy wrote: > > So then, assuming we don't know, I don't think it would be appropriate > > to just wish for the best, task the CAs to do it anyway, with