Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-14 Thread Ronald Crane via dev-security-policy
It could raise legal issues for a CA to refuse to revoke an obvious phishing domain after notice that it is fraudulent, or at least after notice that it's actually being used to defraud. For example, Calif. Penal Code s.530.5 says: (d)(2) Every person who, with _actual knowledge_ that the

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-14 Thread Tobias S. Josefowitz via dev-security-policy
On Fri, Aug 14, 2020 at 9:52 PM Ronald Crane via dev-security-policy wrote:
>
> It could raise legal issues for a CA to refuse to revoke an obvious
> phishing domain after notice that it is fraudulent, or at least after
> notice that it's actually being used to defraud.
>
> For example, Calif.

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-14 Thread Ronald Crane via dev-security-policy
On 8/14/2020 1:17 PM, Tobias S. Josefowitz via dev-security-policy wrote: On Fri, Aug 14, 2020 at 9:52 PM Ronald Crane via dev-security-policy wrote: It could raise legal issues for a CA to refuse to revoke an obvious phishing domain after notice that it is fraudulent, or at least after notice

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-14 Thread Tobias S. Josefowitz via dev-security-policy
On Fri, Aug 14, 2020 at 10:32 PM Ronald Crane via dev-security-policy wrote:
> If a CA "conveys" (or "transfers") by not revoking after notice (which
> gives "actual knowledge" that the "specific person" (that is, the legit
> site) is being impersonated), then there seems to be a problem. If a

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-14 Thread Matthias van de Meent via dev-security-policy
On Fri, 14 Aug 2020, 21:52 Ronald Crane via dev-security-policy, <dev-security-policy@lists.mozilla.org> wrote:
> It could raise legal issues for a CA to refuse to revoke an obvious
> phishing domain after notice that it is fraudulent, or at least after
> notice that it's actually being used to

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-14 Thread Ronald Crane via dev-security-policy
On 8/14/2020 2:14 PM, Tobias S. Josefowitz via dev-security-policy wrote: On Fri, Aug 14, 2020 at 10:32 PM Ronald Crane via dev-security-policy wrote: Why not just do the right thing? The domain you send your emails from is, as far as I can tell, at least as much in breach of Germany's

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-14 Thread Ronald Crane via dev-security-policy
On 8/14/2020 2:38 PM, Matthias van de Meent via dev-security-policy wrote: On Fri, 14 Aug 2020, 21:52 Ronald Crane via dev-security-policy, <dev-security-policy@lists.mozilla.org> wrote: It could raise legal issues for a CA to refuse to revoke an obvious phishing domain after notice that it