[cabfpub] Ballot SC6 - Revocation Timeline Extension

Wayne Thayer wthayer at mozilla.com
Thu Aug 16 23:01:55 UTC 2018

On Thu, Aug 16, 2018 at 3:10 PM Geoff Keating <geoffk at apple.com> wrote:

> I see we’re changing “The CA determines that any of the information
> appearing in the Certificate is inaccurate or misleading” to remove “or
> misleading”.
> With that change, is there still an equivalent for non-wildcard
> certificates of the “a Wildcard Certificate has been used to authenticate a
> fraudulently misleading subordinate Fully-Qualified Domain Name”
> requirement?

No, I don't believe there is any direct equivalent for non-wildcard names,
although there are other reasons that may apply such as "The CA obtains
evidence that the Certificate was misused" and "The CA is made aware that a
Subscriber has violated one or more of its material obligations under the
Subscriber Agreement or Terms of Use".

The reasoning behind removing "or misleading" was the overly subjective
nature of the term and the potential to use this clause for censorship as
discussed at length in relation to the Stripe, Inc (Kentucky)

> This was intended to cover cases where the subordinate name is made to
> look like someone else’s domain or otherwise suspicious, but it applies
> equally to non-wildcard certificates—I noticed these just now from CT:
> url: validation-apple.sytes.net
> url: manageaccountlogin.serveirc.com
> url: iockedaccount-veri.servehttp.com
> url: cancel-paypalpaymnt.serveirc.com
> url: apple1id-secure.servehttp.com
> url: paypal-loginaccount.serveirc.com
> I will be raising a more general case with the CA involved about the use
> of stop words, but some will always need to be revoked after issuance when
> it becomes apparent exactly who ‘manageaccountlogin’ is impersonating, for
> example.