On Wed, Feb 28, 2018 at 9:37 AM, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Once we were alerted, the team kicked off a debate that I wanted to bring to the CAB Forum. Basically, our position is that resellers do not constitute subscribers under the Baseline Requirement's definitions (Section 1.6.1). As such, we needed to confirm that either the key was compromised or that the revocation was authorized by the domain holder (the subscriber) prior to revoking the certificate. The certificates were not alleged as compromised at that time.
> This raises a question about the MDSP policy and CAB Forum requirements. Who is the subscriber in the reseller relation? We believe this to be the key holder. However, the language is unclear. I think we followed the letter and spirit of the BRs here, but I'd like feedback, perhaps leading to a ballot that clarifies the subscriber in a reseller relationship.

For certs with subject identity information (commonly called IV, OV, and EV certs), there is no question about the subscriber. The Subscriber is the entity identified in the subject: "The Subject is either the Subscriber or a device under the control and operation of the Subscriber."

For certificates without subject identity information (DV certificates), the certificate does not list the subscriber. However, the CA clearly knows the subscriber, as the subscriber is the "natural person or Legal Entity to whom a Certificate is issued and who is legally bound by a Subscriber Agreement or Terms of Use".

In some cases the "reseller" might be the subscriber, if the reseller is a hosting company and is the one that accepts the subscriber agreement, but in the traditional reseller model their customer is the subscriber, as the reseller's customer is the one accepting the subscriber agreement.

Given that DigiCert appears to have contact information for the Trustico customers, that suggests that the Trustico customer is likely the subscriber, but looking at IV/OV/EV certificates (if any) should tell for sure.

Thanks,
Peter