On Sat, 29 Dec 2018 16:32:46 -0800
Peter Bowen via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

>  Consider the following cases:
> 
> - A company grows and moves to larger office space down the street.
> It turns out that the new office is in a different city even though
> the move was only two blocks away.  The accounting department sends
> the CA a move notice so the CA sends invoices to the new address.
> Does this mean the CA has to revoke all existing certificates in 5
> days?

If the certificates have this now useless address in them, then sure,
they're now wrong. Leading to two questions that have awkward answers
for CAs and my present employer: What kind of idiot would put
irrelevant stuff in the certificate and pay extra to do so?

I will also note here that it's not uncommon to give a company's "legal"
address (and even other "legal" details) that have little resemblance to
reality since they were chosen for tax efficiency or to protect a
Person with Significant Control from the lawful authority of the
country in which business is actually done.

My previous employer had a whole lot of certificates which gave the
address of a law firm on a small, nominally independent island. They're a
large international company and do almost no business on that island,
but they're legally incorporated there, so that's what they decided
to write on the certificates; of course no actual users check or care.

This has a useful effect in "office move" scenarios because the legal
address does not change. But if you didn't write it at all then you
wouldn't need to care either.

> - Widget LLC is a startup with widgetco.example.  They want to take
> investment so they change to a C-corp and become Widget, Inc.  Widget
> Inc now is the registrant for widgetco.example. Does this now trigger
> the 5 day rule?
> - Same example as above, but the company doesn't remember to update
> the domain registration.  It therefore is invalid, as it points to a
> non-existent entity.  Does this trigger the 5 day rule?

It would matter which of the Ten Blessed Methods was used, in some
(most?) of the Methods the legal name of the domain registrant is
irrelevant and may never be known to the CA. Where the CA is confident
of issuance only because of a relationship to the legal registrant, a
change in registrant could indeed need urgent action by somebody.

> - The IETF publishes a new RFC that "Updates: 5280
> <https://tools.ietf.org/html/rfc5280>".  It removes a previously valid
> feature in certificates.  Do all certificates using this feature need
> to be revoked within 5 days?
> 
> - The IETF publishes a new RFC that "Updates: 5280
> <https://tools.ietf.org/html/rfc5280>".  It says it updates 5280 as
> follows:

The IETF is not a member organisation. All of us can and should
participate. I know all the major browser vendors have employees who
(on or off the clock) are IETF participants, and I hope that at least
some of the CAs likewise have participants. If a CA believes that their
perspective is lacking they are, of course, free to assign one or more
personnel to track relevant work and even to pay to fly people out to
the periodic physical instantiation of the IETF.

If an IETF working group is updating RFC 5280 anybody - and I mean
anybody, you don't even need to do so much as subscribe to a mailing
list first - can email that working group and point out a problem like
"Oh, if you make this change it's disruptive to our business, so please
don't do that without a suitable justification".

You are very likely to be able to achieve the IETF's requirement of
"rough consensus" to avoid changes that are needlessly disruptive.

More importantly, IETF changes are often flagged months or years in
advance. In reality I would expect you'd see a Mozilla routine
communication asking CAs about their preparedness for any such change
some time in advance. It's not "five days" if you had a year's warning.

> - A customer has a registered domain name that has characters that
> current internationalized domain name RFCs do not allow (for example
> xn--df-oiy.ws/✪ df.ws).  A CA issues because this is a registered
> domain name according to the responsible TLD registry.  Must this be
> revoked within 5 days if the CA notices?

Seems sane to me. Also seems like a foolhardy practice by the
responsible TLD registry and/or its registrars. I would definitely
suggest annoyed subscribers demand compensation from their registrar
for letting them have a bogus name unless it turns out the registrar
was talked into this despite warning what might happen.

> - A customer has a certificate with a single domain name in the SAN
> which is an internationalized domain name.  The commonName attribute
> in the subject contains the IDN.  However the CN attribute uses
> U-labels while the SAN uses A-labels.  Whether this is allowed has
> been the subject of debate at the CA/Browser Forum as neither BRs nor
> RFCs make this clear.  Do any certificates using U-labels in the CN
> need to be revoked?

Maybe. In Python they've killed off one of the stupidest places that
thought U-labels in the Common Name were a good idea in client code.
There's a long thread, in which basically I just beat people over the
head with the same fact while they splutter about tricky language and
library problems and eventually they go "Oh, right, we should just stop
worrying about any of this and just match A-labels in SANs like Nick
says". Ding. Took a few months.

Nick.
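A client-side hostname check along the lines the thread ends on (convert the requested name to A-labels and match it only against SAN dNSName entries, ignoring any U-label in the commonName), as an added example that is not part of the mailing-list post. The certificate dict and hostnames are constructed, and it relies only on Python's standard-library idna codec.

```python
"""Hostname matching that consults SAN dNSNames in A-label form only.
Constructed example; the `cert` dict stands in for a parsed certificate."""


def to_a_label(name: str) -> str:
    """Return `name` as lower-case A-labels (punycode where needed).
    Labels that are already ASCII, including xn-- ones, pass through."""
    name = name.rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def _san_matches(pattern: str, host: str) -> bool:
    """Compare one A-label SAN pattern with an A-label hostname.
    A wildcard is honoured only as the entire leftmost label and
    matches exactly one label (RFC 6125 style)."""
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == host


def hostname_matches(cert: dict, hostname: str) -> bool:
    """`cert` carries 'san' (dNSName strings as found in the certificate)
    and 'cn' (subject commonName). The CN is deliberately never used, so a
    U-label there neither helps nor hurts; only SAN entries can match."""
    host = to_a_label(hostname)
    for san in cert.get("san", []):
        try:
            san_a = to_a_label(san)
        except UnicodeError:
            continue  # a malformed SAN entry never matches
        if _san_matches(san_a, host):
            return True
    return False


# Constructed sample: U-label in the CN (the debated practice), A-labels in the SAN.
SAMPLE_CERT = {
    "cn": "bücher.example",
    "san": ["xn--bcher-kva.example", "*.xn--bcher-kva.example"],
}

# Constructed sample: a certificate that only carries the U-label in the CN.
CN_ONLY_CERT = {"cn": "bücher.example", "san": []}
```

With these inputs the SAN-bearing certificate matches both "bücher.example" and "shop.bücher.example", while the CN-only certificate matches nothing.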


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy