Apologies for triggering such a controversial discussion. Just to be clear, my
original post was not directed at discrediting any practice of a CA, but rather
to trigger discussion about what is/should be/will be the best option to solve
the issue.
> >> Why not just do the right thing?
> >
On 8/14/2020 2:14 PM, Tobias S. Josefowitz via dev-security-policy wrote:
On Fri, Aug 14, 2020 at 10:32 PM Ronald Crane via dev-security-policy
wrote:
Why not just do the right thing?
The domain you send your emails from is, as far as I can tell, at
least as much in breach of Germany's
On 8/14/2020 2:38 PM, Matthias van de Meent via dev-security-policy wrote:
On Fri, 14 Aug 2020, 21:52 Ronald Crane via dev-security-policy, <
dev-security-policy@lists.mozilla.org> wrote:
It could raise legal issues for a CA to refuse to revoke an obvious
phishing domain after notice that it
On Fri, 14 Aug 2020, 21:52 Ronald Crane via dev-security-policy, <
dev-security-policy@lists.mozilla.org> wrote:
> It could raise legal issues for a CA to refuse to revoke an obvious
> phishing domain after notice that it is fraudulent, or at least after
> notice that it's actually being used to
On Fri, Aug 14, 2020 at 10:32 PM Ronald Crane via dev-security-policy
wrote:
> If a CA "conveys" (or "transfers") by not revoking after notice (which
> gives "actual knowledge" that the "specific person" (that is, the legit
> site) is being impersonated), then there seems to be a problem. If a
On 8/14/2020 1:17 PM, Tobias S. Josefowitz via dev-security-policy wrote:
On Fri, Aug 14, 2020 at 9:52 PM Ronald Crane via dev-security-policy
wrote:
It could raise legal issues for a CA to refuse to revoke an obvious
phishing domain after notice that it is fraudulent, or at least after
notice
On Fri, Aug 14, 2020 at 9:52 PM Ronald Crane via dev-security-policy
wrote:
>
> It could raise legal issues for a CA to refuse to revoke an obvious
> phishing domain after notice that it is fraudulent, or at least after
> notice that it's actually being used to defraud.
>
> For example, Calif.
It could raise legal issues for a CA to refuse to revoke an obvious
phishing domain after notice that it is fraudulent, or at least after
notice that it's actually being used to defraud.
For example, Calif. Penal Code s.530.5 says:
(d)(2) Every person who, with _actual knowledge_ that the
On Fri, Aug 14, 2020 at 1:53 AM Ronald Crane via dev-security-policy
wrote:
>
> On 8/13/2020 3:18 PM, Tobias S. Josefowitz via dev-security-policy wrote:
> > So then, assuming we don't know, I don't think it would be appropriate
> > to just wish for the best, task the CAs to do it anyway, with
On 8/13/2020 3:18 PM, Tobias S. Josefowitz via dev-security-policy wrote:
On Thu, Aug 13, 2020 at 11:48 PM Ronald Crane via dev-security-policy
wrote:
On 8/13/2020 2:25 PM, Tobias S. Josefowitz via dev-security-policy wrote:
Detecting phishing domains by "looking at them as strings" may thus
I agree Eric. I apologize for those words, they’re beneath me and everyone else
who strives for civil debate. It’s a terrible paragraph of text.
- Paul
> On Aug 13, 2020, at 4:09 PM, Eric Mill wrote:
>
> On Thu, Aug 13, 2020 at 10:20 AM Paul Walsh via dev-security-policy
>
On Thu, Aug 13, 2020 at 10:20 AM Paul Walsh via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> "Every domain should be allowed to have a certificate ***regardless of
> intent***.”
>
> They are the most outrageously irresponsible words that I’ve heard in my
> career on the
On Thu, Aug 13, 2020 at 11:48 PM Ronald Crane via dev-security-policy
wrote:
>
> On 8/13/2020 2:25 PM, Tobias S. Josefowitz via dev-security-policy wrote:
> > Detecting phishing domains by "looking at them as strings" may thus be
> > futile, and "blocking obvious phishing domains" may be a not so
On 8/13/2020 2:25 PM, Tobias S. Josefowitz via dev-security-policy wrote:
On Thu, Aug 13, 2020 at 10:31 PM Ronald Crane via dev-security-policy
wrote:
[...] Registrars (and CAs) are
in excellent positions to impede the use of phishing domains, since they
hand them out (registrars) or issue
On Thu, Aug 13, 2020 at 10:31 PM Ronald Crane via dev-security-policy
wrote:
>
> [...] Registrars (and CAs) are
> in excellent positions to impede the use of phishing domains, since they
> hand them out (registrars) or issue certificates for them (CAs). [...]
Things are rarely this static. The
On 8/13/2020 1:08 PM, Kurt Roeckx via dev-security-policy wrote:
On Thu, Aug 13, 2020 at 12:43:01PM -0700, Ronald Crane via dev-security-policy
wrote:
I'd argue that domain registrars, CAs, and hosting services _should_ have an
obligation to deny services to obvious phishing domains. [1] (This
On Thu, Aug 13, 2020 at 8:59 PM Paul Walsh wrote:
>
>
> > On Aug 13, 2020, at 11:04 AM, Tobias S. Josefowitz via dev-security-policy
> > wrote:
> >
> > On Thu, Aug 13, 2020 at 7:20 PM Paul Walsh via dev-security-policy
> > wrote:
> >>
> >> "Every domain should be allowed to have a certificate
On Thu, Aug 13, 2020 at 12:43:01PM -0700, Ronald Crane via dev-security-policy
wrote:
> I'd argue that domain registrars, CAs, and hosting services _should_ have an
> obligation to deny services to obvious phishing domains. [1] (This is
> independent of what (if any) obligations they might
I'd argue that domain registrars, CAs, and hosting services _should_
have an obligation to deny services to obvious phishing domains. [1]
(This is independent of what (if any) obligations they might currently
have.) Phishing continues to be epidemic. It is not enough that some
user agents
Please don't speculate on my opinion just because I won't answer the
question. That's unprofessional.
So act professional! You know it makes sense!
On Thu, Aug 13, 2020 at 8:04 PM Paul Walsh wrote:
> Exactly what I thought - you’re either unable to answer the question
> honestly, or you simply
Exactly what I thought - you’re either unable to answer the question honestly,
or you simply do not care about the consequences that arise from abuse.
> On Aug 13, 2020, at 11:19 AM, Burton wrote:
>
> I'm not going to answer the question because it's not relevant to discussion.
>
> On Thu,
> On Aug 13, 2020, at 11:04 AM, Tobias S. Josefowitz via dev-security-policy
> wrote:
>
> On Thu, Aug 13, 2020 at 7:20 PM Paul Walsh via dev-security-policy
> wrote:
>>
>> "Every domain should be allowed to have a certificate ***regardless of
>> intent***.”
>>
>> They are the most
I'm not going to answer the question because it's not relevant to
discussion.
On Thu, Aug 13, 2020 at 6:57 PM Paul Walsh wrote:
> Let me try this. Let’s say a report of child abuse is put forward to a
> hosting provider, should they ignore it because they “are not the police”?
> Should
On Thu, Aug 13, 2020 at 7:20 PM Paul Walsh via dev-security-policy
wrote:
>
> "Every domain should be allowed to have a certificate ***regardless of
> intent***.”
>
> They are the most outrageously irresponsible words that I’ve heard in my
> career on the web since 1996 when I was at AOL, and
Let me try this. Let’s say a report of child abuse is put forward to a hosting
provider, should they ignore it because they “are not the police”? Should
companies like Twitter and Facebook do nothing to reduce the risk of bullying,
misinformation and other bad things? It’s ok to say you think
I stand by the comments I made earlier and it's the correct terminology. A
domain should have a certificate regardless of intent by the user. CAs are
not the police and shouldn't act as one. CAs do have to follow policies if
the certificate is used in illegal activities, misissued, etc but no CA
You’re way off topic. I purposely didn’t bring up indicators or phishing or
certifying anything. Those things have absolutely nothing to do with my
message. You’re joining dots that don’t exist in my conversation. Rather than
do that, refer only to the words I write - not what I might be
"Every domain should be allowed to have a certificate ***regardless of
intent***.”
They are the most outrageously irresponsible words that I’ve heard in my career
on the web since 1996 when I was at AOL, and sadly, I’ve heard them more than
once. I just can’t get my head around it. To me,
Let's Encrypt hasn't done anything wrong here.
Let's Encrypt has issued the certificate according to the BR requirements
and their own policies.
Every domain should be allowed to have a certificate regardless of intent.
CAs must not be allowed to act as judges.
Remember, all server certificates
It’s actually really simple.
You end up in a position of editorializing. If you will not provide
service for abuse, everyone with a gripe constantly tries to redefine abuse.
Additionally, this is why positive security indicators are clearly on the
way out. In the not too distant future all
[snip]
>> So the question now is what the community intends to do to retain trust
>> in a certificate issuer with such an obvious malpractise enabling
>> phishing sites?
>
> TLS is the wrong layer to address phishing at, and this issue has already
> been discussed extensively on this list.
On Tue, Aug 11, 2020, at 15:20, nathali...--- via dev-security-policy wrote:
> The problem report was answered by Let's Encrypt with an answer
> indicating that they will continue to issue and hence are not following
> BRG 4.2.1. requiring them to have procedures in place for such High
> Risk