Zimbabwe "banned from receiving certificates"


Jan Schaumann

Aug 6, 2021, 6:05:27 PM
to dev-secur...@mozilla.org
Hello,

I came across this section on the Wikipedia page for
the .zw ccTLD[1]:

"Currently, Zimbabwean individuals and business
entities are now banned by the Certification Authority
Browser Forum from receiving Extended Validation SSL,
Organization Validation (OV), and Domain Validation
(DV) certificates."

This poorly quoted statement[2] and citation do not
provide any details around why this would be nor
evidence _that_ this is the case.

The only other reference I was able to find was [3],
so I was looking for some clarification from the forum
here:

I understand that a given CA may choose (or be
required to, by whatever jurisdiction it is subject
to) not to issue a cert for a given name or domain,
but is there indeed a CA/B Forum list of restricted
(TL or otherwise) domains?

Thanks for indulging me on this,
-Jan

P.S.: Not being a member of the CA/B Forum, I wasn't
able to post this question there; the overlap with
this mailing list, however, makes me believe the right
folks to answer can likely be found here as well.
My apologies if this is considered off-topic.


[1] https://en.wikipedia.org/wiki/.zw
[2] traced back to, I think,
https://www.techzim.co.zw/2016/09/zimbabwean-websites-insecure-banned-receiving-security-certificates-ssl/
[3] https://www.wiyre.com/list-of-countries-banned-restricted-from-obtaining-ssl-certificates/

Rob Stradling

Aug 6, 2021, 6:41:30 PM
to Jan Schaumann, dev-secur...@mozilla.org
Publicly-trusted CAs are issuing certs to .zw domains.  For some examples, see https://crt.sh/?Identity=ac.zw&exclude=expired.

The CABForum doesn't ban anyone from doing business with anyone else.  https://cabforum.org/wp-content/uploads/CA-Browser-Forum-Bylaws-v2.3.pdf makes it clear that "The Forum has no regulatory or industry powers over its members or others."

It's up to each individual CA to draw its own conclusion about who it will or won't, and who it legally can or can't, do business with.



Ryan Sleevi

Aug 6, 2021, 7:29:42 PM
to Jan Schaumann, dev-secur...@mozilla.org
On Fri, Aug 6, 2021 at 3:05 PM 'Jan Schaumann' via dev-secur...@mozilla.org <dev-secur...@mozilla.org> wrote:
> The only other reference I was able to find was [3],

> but is there indeed a CA/B Forum list of restricted
> (TL or otherwise) domains?

No. However, there can be practical limitations derived from the requirements. For example, certain certificates require information to be confirmed with an authoritative government source (as opposed to a secondary aggregator, which would just be shifting validation responsibility), so it’s possible for some jurisdictions to restrict access to third-parties (like CAs) to such sources.

But there’s nothing explicit.

> P.S.: Not being a member of the CA/B Forum, I wasn't
> able to post this question there; the overlap with
> this mailing list, however, makes me believe the right
> folks to answer can likely be found here as well.
> My apologies if this is considered off-topic.

FWIW, ques...@cabforum.org exists exactly for this, which will be routed by the chair to the appropriate chartered work group and provide a Forum-approved response.

The downside is the questions and answers aren’t public, and you only see the answer that could pass consensus, which may or may not cover all the nuance.

Jan Schaumann

Aug 6, 2021, 9:23:48 PM
to Ryan Sleevi, Rob Stradling, dev-secur...@mozilla.org
Ryan Sleevi <ry...@sleevi.com> wrote:
> On Fri, Aug 6, 2021 at 3:05 PM 'Jan Schaumann' via
> dev-secur...@mozilla.org <dev-secur...@mozilla.org> wrote:
>
> > The only other reference I was able to find was [3],
>
>
> https://youtube.com/watch?v=YWdD206eSv0 ?

Indeed.

Thanks, Ryan and Rob, for your replies.

> FWIW, ques...@cabforum.org exists exactly for this

Cool, noted.

-Jan