Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-14 Thread Tobias S. Josefowitz via dev-security-policy
On Fri, Aug 14, 2020 at 9:52 PM Ronald Crane via dev-security-policy wrote:
>
> It could raise legal issues for a CA to refuse to revoke an obvious
> phishing domain after notice that it is fraudulent, or at least after
> notice that it's actually being used to defraud.
>
> For example, Calif.

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-14 Thread Tobias S. Josefowitz via dev-security-policy
On Fri, Aug 14, 2020 at 10:32 PM Ronald Crane via dev-security-policy wrote:
> If a CA "conveys" (or "transfers") by not revoking after notice (which
> gives "actual knowledge" that the "specific person" (that is, the legit
> site) is being impersonated), then there seems to be a problem. If a

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Tobias S. Josefowitz via dev-security-policy
On Thu, Aug 13, 2020 at 7:20 PM Paul Walsh via dev-security-policy wrote:
>
> "Every domain should be allowed to have a certificate ***regardless of
> intent***.”
>
> They are the most outrageously irresponsible words that I’ve heard in my
> career on the web since 1996 when I was at AOL, and

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Tobias S. Josefowitz via dev-security-policy
On Thu, Aug 13, 2020 at 8:59 PM Paul Walsh wrote:
>
>
> > On Aug 13, 2020, at 11:04 AM, Tobias S. Josefowitz via dev-security-policy
> > wrote:
> >
> > On Thu, Aug 13, 2020 at 7:20 PM Paul Walsh via dev-security-policy
> > wrote:
> >>
> >>

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Tobias S. Josefowitz via dev-security-policy
On Thu, Aug 13, 2020 at 10:31 PM Ronald Crane via dev-security-policy wrote:
>
> [...] Registrars (and CAs) are
> in excellent positions to impede the use of phishing domains, since they
> hand them out (registrars) or issue certificates for them (CAs). [...]

Things are rarely this static. The

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Tobias S. Josefowitz via dev-security-policy
On Thu, Aug 13, 2020 at 11:48 PM Ronald Crane via dev-security-policy wrote:
>
> On 8/13/2020 2:25 PM, Tobias S. Josefowitz via dev-security-policy wrote:
> > Detecting phishing domains by "looking at them as strings" may thus be
> > futile, and "blocking obvious

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-13 Thread Tobias S. Josefowitz via dev-security-policy
On Fri, Aug 14, 2020 at 1:53 AM Ronald Crane via dev-security-policy wrote:
>
> On 8/13/2020 3:18 PM, Tobias S. Josefowitz via dev-security-policy wrote:
> > So then, assuming we don't know, I don't think it would be appropriate
> > to just wish for the best, task the C