Dear Wayne,

   Our two customers requested to use the original CSR to issue two 
shorter-validity SSL certificates. Using the re-issuance function of a program 
to insert the original application data, our SSL RA Officers checked the 
addresses but forgot to add L in the Subject DN. So the two SSL certificates 
below lack L or S in the Subject DN.
 
1. Serial Number: 20BD5F0B51809E44C0718AB133CA5E78 CN=*.sercomm.com, 
O=中磊電子股份有限公司, C=TW or https://crt.sh/?id=508868868
 
2. Serial Number: 3CE33A6D8899A211FB2D296D9E0B69CB CN=app3.uupon.tw, 
O=點鑽整合行銷股份有限公司, C=TW or https://crt.sh/?id=512788172
 
  Our researchers at the Telecommunication Laboratories of Chunghwa Telecom 
found the above issue on June 11 and told our SSL RA Officers to contact the 
customers. When I was back in my office after travelling from England and had 
discussed it with my colleagues, I mailed the situation and the plan to Wayne 
and Kathleen on June 15.

  The certificate at https://crt.sh/?id=512788172 was promptly revoked on June 11.
 
  We have re-issued new certificates for the two customers as below:
 
42664EEA106F2CBF736ADBF949D4218F CN=*.sercomm.com, O=中磊電子股份有限公司, L=臺北市, C=TW or 
https://crt.sh/?id=519100183
 
100079C87402938109A5FEC040C5BE0F CN=app3.uupon.tw, O=點鑽整合行銷股份有限公司, L=臺北市, C=TW 
or https://crt.sh/?id=549539943
  
  After our customer installed the new certificate (https://crt.sh/?id=519100183) 
on their web servers, network equipment and firewall, the certificate at 
https://crt.sh/?id=508868868 was revoked on June 21.
 
  The checking function for either L or S in the Subject DN went online on 
June 22. I mailed Wayne and Kathleen on June 22.
 
  We confirm that the problem has been solved and will not happen in the 
future. 
 
   As we have discussed in CABF, Taiwan is a small country without 
states/provinces. We follow X.500, X.520 and the Taiwan government's DIT for 
the certificates. We can uniquely identify the subject without state/province 
and locality in the DN for a central government agency or a company. (For 
example, in Taiwan's Company Act, 
https://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=J0080001, Article 18: No 
company may use a corporate name which is identical with that of another 
company.) We really do hear from some subscribers at central government 
agencies or companies who ask, "Why does your CA add L in the subject DN of an 
SSL certificate?" We explain that we now follow the BR requirement that either 
L or S should be in the Subject DN.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
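
A pre-issuance check of the kind the message says went online on June 22 could look like the following. This is an added example, not Chunghwa Telecom's code: the function names are hypothetical, the DN is assumed to arrive as the comma-separated string form printed in the message, and "S" is accepted as an alias for "ST" because the message writes it that way.

```python
# Added example: subject DN check for "O present, but no L or ST/S".
LOCATION_ATTRS = ("L", "ST", "S")  # "S" accepted as an alias, as written in the message
FINDING = "O is present but neither L nor ST/S has a value"

def parse_dn(dn):
    """Split a DN string into (TYPE, value) pairs, honouring backslash escapes."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch in ",+":                        # RDN or multi-valued RDN separator
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in (p.strip() for p in parts):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def lint_subject(dn):
    """Return a list of findings; an empty list means the DN passes this check."""
    attrs = {}
    for attr, value in parse_dn(dn):
        attrs.setdefault(attr, []).append(value)
    # An attribute with an empty value (e.g. "L=") does not count as present.
    has_location = any(v for a in LOCATION_ATTRS for v in attrs.get(a, []))
    return [FINDING] if "O" in attrs and not has_location else []

if __name__ == "__main__":
    samples = [
        "CN=*.sercomm.com, O=中磊電子股份有限公司, C=TW",            # from the message
        "CN=*.sercomm.com, O=中磊電子股份有限公司, L=臺北市, C=TW",  # re-issued, from the message
        r"CN=example.test, O=Example\, Inc., L=, C=TW",               # constructed: empty L
    ]
    for dn in samples:
        print(dn, "->", lint_subject(dn) or "ok")
```

Running the same check on the to-be-signed subject before issuance, rather than on RA form input, also covers re-issuance paths that copy data from an earlier application.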
