[cabfpub] Directory of abuse reporting contacts for CAs?

Wayne Thayer wthayer at mozilla.com
Tue Feb 20 15:51:56 UTC 2018


Mozilla has published a list of problem reporting mechanisms (mostly email
addresses) for all root CAs in our program. It is the first link under
'Information for the Public' at
https://wiki.mozilla.org/CA#Information_for_the_Public

Wayne

On Mon, Feb 19, 2018 at 4:05 PM, Kirk Hall via Public <public at cabforum.org>
wrote:

> John and Peter – this issue has actually come up recently – I think you
> have a very good idea.
>
>
>
> We’ll add to our agenda for the next Forum Teleconference call.   Thanks.
>
>
>
> Kirk
>
>
>
> *From:* John LaCour [mailto:jal at phishlabs.com]
> *Sent:* Monday, February 19, 2018 2:45 PM
> *To:* questions at cabforum.org
> *Cc:* peter at apwg.org
> *Subject:* Directory of abuse reporting contacts for CAs?
>
>
>
> Dear CA Representative:
>
>
>
> The CA/Browser Forum’s Baseline Requirements Section 4.9.3 says in part:
>
>
>
> “The CA SHALL provide Subscribers, Relying Parties, Application Software
> Suppliers, and other third parties with clear instructions for reporting
> suspected Private Key Compromise, Certificate misuse, or other types of
> fraud, compromise, misuse, inappropriate conduct, or any other matter
> related to Certificates. The CA SHALL publicly disclose the instructions
> through a readily accessible online means.”
>
>
>
> However, we sometimes find it difficult to find instructions on how and where
> to submit reports to issuing CAs to request certification revocation due to
> malicious use.
>
>
>
> Would it be possible for the Forum and/or the browser community to create
> a list of reporting email addresses for each CA in the browser root
> programs, and post the list to an obvious page on the Forum’s website, and
> maybe also on the CCADB website (Resources tab)?
>
>
>
> If for whatever reason, the Forum decides not to make a consolidated
> listing available as a public resource, we would be grateful if the CAs
> would provide this information directly so that we may provide a
> consolidated list to the anti-phishing community via the Anti-Phishing
> Working Group (APWG).
>
>
>
> Also, we would like to make you aware of an APWG program, AmDoS (1),
> which facilitates the suspension of malicious domain names.   The program
> introduces a vetting program for reporters to submit takedown requests to
> participating domain registries.  This may potentially be a useful model to
> facilitate revocation requests between the anti-phishing community and CAs.
> Better, it is built and working and ready to update for the Forum’s needs.
>
>
>
> We thank you in advance for your help in this effort. We look forward to
> collaborating with the Forum soon.
>
>
>
> Sincerely,
>
> John LaCour
>
> CTO, PhishLabs
>
> jal at phishlabs.com
>
>
>
> Peter Cassidy
>
> Secretary General, APWG
>
> pcassidy at apwg.org
>
>
>
> (1)  https://www.antiphishing.org/apwg-news-center/amdos/
>
> --
>
> John LaCour
>
> Founder and Chief Technology Officer
>
> M: +1.415.425.5646
>
> jal at phishlabs.com