Comment by belorn
11 years ago
What kind of abuse where you thinking about? If the domain is hijacked, you simply repossess the domain and request a new certificate and the old one is revoked.
11 years ago
What kind of abuse where you thinking about? If the domain is hijacked, you simply repossess the domain and request a new certificate and the old one is revoked.
As in, revoking a cert for a known C&C box, or a confirmed spammer, confirmed box serving an exploitkit, confirmed phishing domain (such as my-apple-ikloud-verify.foo)
Basically, my assumption is they won't want to be providing certs to known bad actors. So I'm curious who is going to own the abuse handling for the CA.
Those issues are in theory handled by taking down the people who commits it, and in practice by taking down the domain names, since those normally has been registered using false credentials. One can hope/assume that this system will automatically revoke domains that expire or get removed.
Is that really something a SSL CA should be responsible for? I'd argue it isn't. An SSL certificate is proof of identity (and even that only in a very limited sense), not of legitimacy.
No reason bad actors can't be encrypted on the wire just like all the other actors.