On Wednesday, August 9, 2017 at 11:59:42 PM UTC-4, Lee wrote: > On 8/9/17, Eric Mill <e...@konklone.com> wrote: > > On Wed, Aug 9, 2017 at 4:28 PM, Lee <ler...@gmail.com> wrote: > > > >> On 8/9/17, Eric Mill via dev-security-policy > >> <dev-security-policy@lists.mozilla.org> wrote: > >> > On Tue, Aug 8, 2017 at 5:53 PM, identrust--- via dev-security-policy < > >> > dev-security-policy@lists.mozilla.org> wrote: > >> > > >> >> On Tuesday, August 8, 2017 at 12:06:47 PM UTC-4, Jonathan Rudenberg > >> wrote: > >> >> > > On Aug 8, 2017, at 10:29, identrust--- via dev-security-policy < > >> >> dev-security-policy@lists.mozilla.org> wrote: > >> >> > > > >> >> > > On Monday, August 7, 2017 at 4:47:39 PM UTC-4, Jonathan Rudenberg > >> >> wrote: > >> >> > >> “IdenTrust ACES CA 2” has issued five certificates with an OCSP > >> >> responder URL that has a HTTPS URI scheme. This is not valid, the OCSP > >> >> responder URI is required to have the plaintext HTTP scheme according > >> >> to > >> >> Baseline Requirements section 7.1.2.2(c). > >> >> > >> > >> >> > >> Here’s the list of certificates: https://misissued.com/batch/4/ > >> >> > >> > >> >> > >> Jonathan > >> >> > > > >> >> > > IdenTrust had previously interpreted HTTP to be inclusive of HTTPS > >> in > >> >> this > >> >> > > context. That being said, we have altered our profiles for > >> >> certificates > >> >> > > issued under this Sub CA to include only HTTP OCSP URLs. All > >> >> certificates > >> >> > > issued going forward will contain an HTTP OCSP URL. We will also > >> >> examine all > >> >> > > other sub CA to ensure only HTTP OCSP URLs are included. Thank > >> >> > > you > >> >> for giving > >> >> > > us an opportunity to address this with the community > >> >> > > >> >> > Thanks for the update. > >> >> > > >> >> > Can you also clarify why the subject organizationName is "U.S. > >> >> Government” for all of these certificates, despite the other subject > >> >> fields > >> >> indicating organizations that are not a component of the US > >> >> Government? > >> >> > > >> >> > Jonathan > >> >> > >> >> Yes, > >> >> IdenTrust ACES SSL Certificates are issued in accordance with the ACES > >> >> certificate policy defined by U.S. General Service Administration ( > >> >> http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/docum > >> >> ents/ACES-CP-v3-2_signed_05122017.pdf) and the GSA approved IdenTrust > >> CPS > >> >> (https://secure.identrust.com/certificates/policy/aces/IdenT > >> >> rust_ACES_CPS_v5.1_20161110.pdf) > >> >> These ACES SSL certificates are issued to either U.S. Government > >> agencies > >> >> and/or their sub-contractors in support of government > >> >> programs\projects. > >> >> The > >> >> CP requires an approved CA, such as IdenTrust, to identify U.S. > >> Government > >> >> in > >> >> subject organizationName along with other applicable organizations > >> >> (e.g. > >> >> sub-contractors, or local government agency, etc...). > >> >> > >> > > >> > If that's the case, I would expect each certificate to be > >> > authenticating > >> > hostnames that are used solely to provide such services to the U.S. > >> > Government. That doesn't appear to be the case with these. > >> > > >> > For example, one of them is for the homepage for a service provider: > >> > www.mudiaminc.com > >> > >> What am I doing wrong? goto https://www.mudiaminc.com/ > >> check the cert and it says > >> Issued To > >> Common Name (CN) *.opentransfer.com > >> Organization (O) ECOMMERCE, INC. > >> > > > > You're not doing anything wrong, that hostname is just not using that > > certificate at this time, at least not to public users. But issuance is > > what matters here. > > > > Given the capitalization of the common name, and the > > organizationalUnitName, the certificate was clearly issued to the same > > company. > > > > > >> And one of them is for what appears to be a state government revenue > >> > service's VPN: vpn.revenue.louisiana.gov > >> > >> I see that one - goto https://vpn.revenue.louisiana.gov/ > >> check the cert and it says > >> Issued To > >> Common Name (CN) Vpn.revenue.louisiana.gov > >> Organization (O) U.S. Government > >> > >> > (So it's clear, "U.S. Government" only refers to the federal > >> > government, > >> > not state/local/tribal governments.) > >> > > >> > I personally (and to be clear, this is in my individual capacity and I > >> > am > >> > not representing my employer) think these are invalid > >> > organizationNames, > >> > constitute misissuance, and that Identrust should be using the "U.S. > >> > Government" only for hostnames providing services operated exclusively > >> > on > >> > behalf of the federal government. > >> > >> playing devils' advocate: how do you know that > >> https://vpn.revenue.louisiana.gov/ wasn't set up in collaboration with > >> the IRS or some other branch of the U.S. Government? > >> > > > > That wouldn't meet the definition that Identrust said in their email above, > > which is that certificates are "issued to either U.S. Government agencies > > if it was a cooperative project, it seems possible/reasonable that the > USG ordered the certs. > > > and/or their sub-contractors in support of government programs\projects". > > Maybe there's some very novel arrangement I'm not familiar with where the > > State of Louisiana can act as a subcontractor to the federal government, > > but in both of these cases, the burden is on Identrust to identify how it > > could have been appropriate to put "U.S. Government" as the > > organizationName for these certificates. > > +1 > identr...@gmail.com has been cc'ed on the thread; is that enough or is > a formal request for an explanation required? > > > For the other 3 in the batch, there are more plausible reasons why the > > hostname might exclusively be for U.S. Government purposes - > > > > * networx-billing-pricer.nhc.noblis.org - In support of the Noblis Networx > > contract > > * sslacesvalid.identrust.com - In support of the overall ACES CA > > * smbf1.smbisao.com - Related to a Small and Medium Business (SMB)-oriented > > Information Sharing and Analysis Organization Initiative (iSAO), related to > > a DHS initiative: https://www.icf.com/-/media/files/icf/white-pape > > rs/2015/response_to_dhs_public_comment_information_sharing.ashx > > > > Although it is also quite plausible that those certificates are also used > > for non-USG-affiliated purposes. > > > > Only Identrust can explain it for certain, but for at least the two I > > called out, I think it is reasonable to presume their organizationName is > > inaccurate until shown otherwise. > > Which means the 24 hr. countdown clock to revocation should have > already started? > That seems a bit much.. what's a reasonable period of time to wait for > an explanation from Identrust for why these certs don't need to be > revoked? 5 days? longer? > > Lee
We acknowledge seeing this issue and are looking into it. Details will be supplied as soon we can but not later that today’s end of business day. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy