On Tue, Aug 8, 2017 at 5:53 PM, identrust--- via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Tuesday, August 8, 2017 at 12:06:47 PM UTC-4, Jonathan Rudenberg wrote:
> > > On Aug 8, 2017, at 10:29, identrust--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> > >
> > > On Monday, August 7, 2017 at 4:47:39 PM UTC-4, Jonathan Rudenberg wrote:
> > >> “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder URL that has a HTTPS URI scheme. This is not valid; the OCSP responder URI is required to have the plaintext HTTP scheme according to Baseline Requirements section 7.1.2.2(c).
> > >>
> > >> Here’s the list of certificates: https://misissued.com/batch/4/
> > >>
> > >> Jonathan
> > >
> > > IdenTrust had previously interpreted HTTP to be inclusive of HTTPS in this context. That being said, we have altered our profiles for certificates issued under this Sub CA to include only HTTP OCSP URLs. All certificates issued going forward will contain an HTTP OCSP URL. We will also examine all other sub CAs to ensure only HTTP OCSP URLs are included. Thank you for giving us an opportunity to address this with the community.
> >
> > Thanks for the update.
> >
> > Can you also clarify why the subject organizationName is "U.S. Government" for all of these certificates, despite the other subject fields indicating organizations that are not a component of the US Government?
> >
> > Jonathan
>
> Yes,
> IdenTrust ACES SSL Certificates are issued in accordance with the ACES certificate policy defined by U.S. General Service Administration (http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/documents/ACES-CP-v3-2_signed_05122017.pdf) and the GSA approved IdenTrust CPS (https://secure.identrust.com/certificates/policy/aces/IdenTrust_ACES_CPS_v5.1_20161110.pdf).
> These ACES SSL certificates are issued to either U.S. Government agencies and/or their sub-contractors in support of government programs\projects. The CP requires an approved CA, such as IdenTrust, to identify U.S. Government in subject organizationName along with other applicable organizations (e.g. sub-contractors, or local government agency, etc...).
>

If that's the case, I would expect each certificate to be authenticating
hostnames that are used solely to provide such services to the U.S.
Government. That doesn't appear to be the case with these.

For example, one of them is for the homepage for a service provider:
www.mudiaminc.com

And one of them is for what appears to be a state government revenue
service's VPN: vpn.revenue.louisiana.gov

(So it's clear, "U.S. Government" only refers to the federal government,
not state/local/tribal governments.)

I personally (and to be clear, this is in my individual capacity and I am
not representing my employer) think these are invalid organizationNames,
constitute misissuance, and that IdenTrust should be using the "U.S.
Government" only for hostnames providing services operated exclusively on
behalf of the federal government.

-- Eric

-- 
konklone.com | @konklone <https://twitter.com/konklone>
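The Baseline Requirements 7.1.2.2(c) check behind Jonathan's original report, written here as an added Go example that is not code from this thread or from IdenTrust; it builds a throwaway self-signed certificate standing in for an issued one, and the subject, hostname and OCSP URLs are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)

// lintOCSPURLs returns one finding per AIA OCSP responder URL whose scheme is
// not plaintext "http", the scheme BR 7.1.2.2(c) requires. Empty means clean.
// url.Parse lowercases the scheme, so "HTTP://" is accepted as well.
func lintOCSPURLs(cert *x509.Certificate) []string {
	var findings []string
	for _, raw := range cert.OCSPServer {
		u, err := url.Parse(raw)
		if err != nil || u.Host == "" {
			findings = append(findings, "unparseable OCSP URL: "+raw)
			continue
		}
		if u.Scheme != "http" {
			findings = append(findings, "OCSP URL "+raw+" uses scheme "+u.Scheme+
				"; BR 7.1.2.2(c) requires http")
		}
	}
	return findings
}

// makeTestCert builds a constructed self-signed leaf carrying the given OCSP
// URLs. It stands in for a CA-issued certificate; the subject is a placeholder.
func makeTestCert(ocsp []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.test", Organization: []string{"U.S. Government"}},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		OCSPServer:   ocsp, // encoded into the Authority Information Access extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running the same check over the certificates in the linked batch would flag each https:// responder URL; it says nothing about the organizationName question, which needs human review of the subject against the ACES CP.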
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy