On Wed, Aug 9, 2017 at 4:28 PM, Lee <ler...@gmail.com> wrote:

> On 8/9/17, Eric Mill via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
> > On Tue, Aug 8, 2017 at 5:53 PM, identrust--- via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> >> On Tuesday, August 8, 2017 at 12:06:47 PM UTC-4, Jonathan Rudenberg
> wrote:
> >> > > On Aug 8, 2017, at 10:29, identrust--- via dev-security-policy <
> >> dev-security-policy@lists.mozilla.org> wrote:
> >> > >
> >> > > On Monday, August 7, 2017 at 4:47:39 PM UTC-4, Jonathan Rudenberg
> >> wrote:
> >> > >> “IdenTrust ACES CA 2” has issued five certificates with an OCSP
> >> responder URL that has a HTTPS URI scheme. This is not valid, the OCSP
> >> responder URI is required to have the plaintext HTTP scheme according to
> >> Baseline Requirements section 7.1.2.2(c).
> >> > >>
> >> > >> Here’s the list of certificates: https://misissued.com/batch/4/
> >> > >>
> >> > >> Jonathan
> >> > >
> >> > > IdenTrust had previously interpreted HTTP to be inclusive of HTTPS
> in
> >> this
> >> > > context.  That being said, we have altered our profiles for
> >> certificates
> >> > > issued under this Sub CA to include only HTTP OCSP URLs.  All
> >> certificates
> >> > > issued going forward will contain an HTTP OCSP URL.  We will also
> >> examine all
> >> > > other sub CA to ensure only HTTP OCSP URLs are included.  Thank you
> >> for giving
> >> > > us an opportunity to address this with the community
> >> >
> >> > Thanks for the update.
> >> >
> >> > Can you also clarify why the subject organizationName is "U.S.
> >> Government” for all of these certificates, despite the other subject
> >> fields
> >> indicating organizations that are not a component of the US Government?
> >> >
> >> > Jonathan
> >>
> >> Yes,
> >> IdenTrust ACES SSL Certificates are issued in accordance with the ACES
> >> certificate policy defined by U.S. General Service Administration (
> >> http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/docum
> >> ents/ACES-CP-v3-2_signed_05122017.pdf) and the GSA approved IdenTrust
> CPS
> >> (https://secure.identrust.com/certificates/policy/aces/IdenT
> >> rust_ACES_CPS_v5.1_20161110.pdf)
> >> These ACES SSL certificates are issued to either U.S. Government
> agencies
> >> and/or their sub-contractors in support of government programs\projects.
> >> The
> >> CP requires an approved CA, such as IdenTrust, to identify U.S.
> Government
> >> in
> >> subject organizationName along with other applicable organizations (e.g.
> >> sub-contractors, or local government agency, etc...).
> >>
> >
> > If that's the case, I would expect each certificate to be authenticating
> > hostnames that are used solely to provide such services to the U.S.
> > Government. That doesn't appear to be the case with these.
> >
> > For example, one of them is for the homepage for a service provider:
> > www.mudiaminc.com
>
> What am I doing wrong?  goto https://www.mudiaminc.com/
> check the cert and it says
> Issued To
> Common Name (CN)    *.opentransfer.com
> Organization (O)    ECOMMERCE, INC.
>

You're not doing anything wrong, that hostname is just not using that
certificate at this time, at least not to public users. But issuance is
what matters here.

Given the capitalization of the common name, and the
organizationalUnitName, the certificate was clearly issued to the same
company.


> And one of them is for what appears to be a state government revenue
> > service's VPN: vpn.revenue.louisiana.gov
>
> I see that one - goto https://vpn.revenue.louisiana.gov/
> check the cert and it says
> Issued To
> Common Name (CN)    Vpn.revenue.louisiana.gov
> Organization (O)    U.S. Government
>
> > (So it's clear, "U.S. Government" only refers to the federal government,
> > not state/local/tribal governments.)
> >
> > I personally (and to be clear, this is in my individual capacity and I am
> > not representing my employer) think these are invalid organizationNames,
> > constitute misissuance, and that Identrust should be using the "U.S.
> > Government" only for hostnames providing services operated exclusively on
> > behalf of the federal government.
>
> playing devils' advocate: how do you know that
> https://vpn.revenue.louisiana.gov/ wasn't set up in collaboration with
> the IRS or some other branch of the U.S. Government?
>

That wouldn't meet the definition that Identrust said in their email above,
which is that certificates are "issued to either U.S. Government agencies
and/or their sub-contractors in support of government programs\projects".
Maybe there's some very novel arrangement I'm not familiar with where the
State of Louisiana can act as a subcontractor to the federal government,
but in both of these cases, the burden is on Identrust to identify how it
could have been appropriate to put "U.S. Government" as the
organizationName for these certificates.

For the other 3 in the batch, there are more plausible reasons why the
hostname might exclusively be for U.S. Government purposes -

* networx-billing-pricer.nhc.noblis.org - In support of the Noblis Networx
contract
* sslacesvalid.identrust.com - In support of the overall ACES CA
* smbf1.smbisao.com - Related to a Small and Medium Business (SMB)-oriented
Information Sharing and Analysis Organization Initiative (iSAO), related to
a DHS initiative: https://www.icf.com/-/media/files/icf/white-pape
rs/2015/response_to_dhs_public_comment_information_sharing.ashx

Although it is also quite plausible that those certificates are also used
for non-USG-affiliated purposes.

Only Identrust can explain it for certain, but for at least the two I
called out, I think it is reasonable to presume their organizationName is
inaccurate until shown otherwise.

-- Eric


>
> Lee
>



-- 
konklone.com | @konklone <https://twitter.com/konklone>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to