[Servercert-wg] [cabfpub] Ballot SC6 - Revocation Timeline Extension

Wayne Thayer wthayer at mozilla.com
Thu Aug 16 16:01:55 MST 2018


On Thu, Aug 16, 2018 at 3:10 PM Geoff Keating <geoffk at apple.com> wrote:

> I see we're changing "The CA determines that any of the information
> appearing in the Certificate is inaccurate or misleading" to remove "or
> misleading".
>
> With that change, is there still an equivalent for non-wildcard
> certificates of the "a Wildcard Certificate has been used to authenticate a
> fraudulently misleading subordinate Fully-Qualified Domain Name"
> requirement?
>

No, I don't believe there is any direct equivalent for non-wildcard names,
although there are other reasons that may apply such as "The CA obtains
evidence that the Certificate was misused" and "The CA is made aware that a
Subscriber has violated one or more of its material obligations under the
Subscriber Agreement or Terms of Use".

The reasoning behind removing "or misleading" was the overly subjective
nature of the term and the potential to use this clause for censorship as
discussed at length in relation to the Stripe, Inc (Kentucky)
demonstrations:
https://groups.google.com/d/msg/mozilla.dev.security.policy/NjMmyA6MxN0/asxTGD3dCAAJ

> This was intended to cover cases where the subordinate name is made to
> look like someone else’s domain or otherwise suspicious, but it applies
> equally to non-wildcard certificates—I noticed these just now from CT:
>
> url: validation-apple.sytes.net
> url: manageaccountlogin.serveirc.com
> url: iockedaccount-veri.servehttp.com
> url: cancel-paypalpaymnt.serveirc.com
> url: apple1id-secure.servehttp.com
> url: paypal-loginaccount.serveirc.com
>
> I will be raising a more general case with the CA involved about the use
> of stop words, but some will always need to be revoked after issuance when
> it becomes apparent exactly who ‘manageaccountlogin’ is impersonating, for
> example.
>
>
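The pre-issuance "stop word" screen Geoff refers to, as an added illustration that is not part of this thread or of any CA's actual tooling: it folds common look-alike characters (the capital-I-for-l trick in `iockedaccount`, digits for letters) before matching, and ignores the hosting provider's base domain so only subscriber-chosen labels are judged. The stop-word list and the two-label base-domain assumption are constructed for the example.

```python
"""Illustrative stop-word screen for FQDNs submitted for certificate issuance.

Constructed example: the stop-word list and the assumption that the last two
labels are the hosting provider's base domain are both hypothetical.
"""
import re

# Constructed list of brand names and phishing-theme words a CA might flag
# for manual review before issuance. A real list would be maintained and tuned.
STOP_WORDS = ("apple", "paypal", "login", "account", "secure", "verif",
              "locked", "cancel", "payment")

# Characters commonly swapped in for the letter they resemble. Both the label
# and the stop words are folded with the same table, so "login" and "logln"
# (and "iocked" and "locked") compare equal after folding.
FOLD = str.maketrans({"i": "l", "1": "l", "0": "o", "3": "e", "5": "s"})


def normalize(text: str) -> str:
    """Lower-case, fold look-alike characters, and drop hyphens and digits."""
    return re.sub(r"[^a-z]", "", text.lower().translate(FOLD))


# Pre-fold the stop words once; map folded form -> original word for reporting.
_FOLDED_STOP_WORDS = {normalize(w): w for w in STOP_WORDS}


def screen_fqdn(fqdn: str, base_domain_labels: int = 2) -> list[str]:
    """Return the (sorted) stop words found in the subscriber-chosen labels.

    The trailing `base_domain_labels` labels (e.g. "sytes.net") belong to the
    hosting provider and are skipped so the provider itself is never flagged.
    An empty list means the name passed the screen.
    """
    labels = fqdn.rstrip(".").split(".")[:-base_domain_labels]
    hits = set()
    for label in labels:
        folded = normalize(label)
        for folded_word, word in _FOLDED_STOP_WORDS.items():
            if folded_word in folded:
                hits.add(word)
    return sorted(hits)


if __name__ == "__main__":
    # Names from the thread above, plus one benign control.
    for name in ("iockedaccount-veri.servehttp.com", "apple1id-secure.servehttp.com",
                 "www.example.org"):
        print(f"{name:40} -> {screen_fqdn(name) or 'clean'}")
```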