On 27/10/14 08:16, Ryan Sleevi wrote:
> <snip>
> If you're trusting certificates to assert information about either the
> identity of the entity behind the key or that the CA has done due
> diligence, well, you're using certificates for something they're neither
> intended for nor well suited for, so you'll have a bad time.

In May 2012, when this was last discussed, that was a reasonable
position. There have been some changes in standard CA practice since then.

Originally, the CA/Browser Forum was only concerned with EV certs.
Back in May 2012 the CA/Browser Forum was discussing the Baseline
Guidelines, but they were not in effect yet. So, in May 2012, it was
reasonable to say that extracting reliable Organization and Location
information from non-EV certs was an unreliable process.

In July 2012, the CA/Browser Forum Baseline Guidelines for
all certs, not just EV, took effect. Once those came out,
CAs started making a clear distinction between DV, OV, and EV
certs. Previously, DV vs OV had only been an informal distinction.

Two years later, many issued certs (soon I'll know how many)
bear OIDs which clearly identify them as OV certs, with the CA
standing behind the Organization and Location information.

It's appropriate for browsers to show that new information to
users. In the browser, there are two issues: 1) detecting OV
certs, which requires a list of per-CA OIDs, and 2) displaying
something in the GUI.

John Nagle
SiteTruth
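The OID-based detection John describes works by reading the certificatePolicies extension and matching its policyIdentifier OIDs against a table. The following is an added example, not code from the thread or from SiteTruth: a dependency-free DER walk over a certificatePolicies value, a classifier that combines the CA/Browser Forum reserved policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, which do exist in the BR/EV Guidelines) with a per-CA table, and two constructed sample extension values. The per-CA OIDs under the 1.3.6.1.4.1.99999 arc are placeholders invented for the example; a real table is built from each CA's CP/CPS.

```python
"""Classify a certificate's validation level (DV/OV/EV) from the DER-encoded
value of its certificatePolicies extension. Added example; not from the thread."""

# CA/Browser Forum reserved policy OIDs (Baseline Requirements / EV Guidelines).
CABF_RESERVED = {
    "2.23.140.1.1":   "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
}

# Per-CA policy OIDs. These values are PLACEHOLDERS constructed for this example;
# a deployment fills this table from each CA's published CP/CPS.
PER_CA_OIDS = {
    "1.3.6.1.4.1.99999.1.1": "EV",   # hypothetical CA-specific EV policy
    "1.3.6.1.4.1.99999.1.2": "OV",   # hypothetical CA-specific OV policy
}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted-decimal text."""
    arcs, value = [], 0
    for b in raw:                           # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]                         # first two arcs packed as 40*X + Y
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def policy_oids(ext_value):
    """Return the policyIdentifier OIDs from a DER certificatePolicies value.

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OID, policyQualifiers ... OPTIONAL }
    Only the first element of each PolicyInformation is read, so any
    policyQualifiers (CPS URIs, user notices) are skipped.
    """
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)        # PolicyInformation
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        oid_tag, oid_raw, _ = _read_tlv(info, 0)    # policyIdentifier
        if oid_tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_raw))
    return oids

def classify(oids):
    """Return the strongest validation level asserted by any known OID, else 'unknown'."""
    rank = {"DV": 1, "OV": 2, "EV": 3}
    best = None
    for oid in oids:
        level = CABF_RESERVED.get(oid) or PER_CA_OIDS.get(oid)
        if level and (best is None or rank[level] > rank[best]):
            best = level
    return best or "unknown"

# Constructed sample extension values (hand-encoded DER, not taken from any real cert).
# OV sample: CABF OV OID 2.23.140.1.2.2 plus the placeholder per-CA OV OID.
SAMPLE_OV_EXT = bytes.fromhex(
    "30 18"
    "  30 08 06 06 67 81 0c 01 02 02"                  # 2.23.140.1.2.2
    "  30 0c 06 0a 2b 06 01 04 01 86 8d 1f 01 02"      # 1.3.6.1.4.1.99999.1.2
)
# DV sample: CABF DV OID 2.23.140.1.2.1 only.
SAMPLE_DV_EXT = bytes.fromhex("30 0a 30 08 06 06 67 81 0c 01 02 01")

if __name__ == "__main__":
    for name, ext in (("OV sample", SAMPLE_OV_EXT), ("DV sample", SAMPLE_DV_EXT)):
        oids = policy_oids(ext)
        print(name, oids, "->", classify(oids))
```

Feeding the parser with the raw extension value (for example, the bytes returned by a certificate library for extension OID 2.5.29.32) gives the policy OIDs; the classifier picks the strongest level found, and an empty or unrecognised list falls back to "unknown" rather than assuming DV, so an incomplete per-CA table never promotes a certificate.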

On 10/27/2014 01:58 AM, Rob Stradling wrote:
Ryan, you are of course free to reach your own conclusions about what
certs are / aren't well suited for.

However, I'm utterly baffled by your claim that certificates aren't
intended to "assert information about...the identity of the entity
behind the key". That claim is true for DV, but it's clearly false
for EV and OV.

As for due diligence, BRs Section 11.2 clearly says that CAs are
required to verify organization info in accordance with Section 11.2
and as documented in their CP/CPS.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy