On 10/01/2019 19:00, Jeremy Rowley wrote:
> A couple of thoughts:
> 1) CertCenter is not a CA or RA. They have a custom named ICA that is hosted
> and operated by DigiCert. All validation, issuance, and linting is performed
> by DigiCert prior to issuance.
> 2) Lots of cert customers have insecure websites. This indicates CAs should
> scan websites for vulnerabilities. If that's the case, there will be lots of
> revocations and that needs to be built into the Mozilla policy if required.
> 3) The only way we know that CertCenter is a reseller is by
> self-identification. They use the same issuance and validation system as all
> other customers. If they didn't self-identify as a reseller, they could do
> the same thing and look like an enterprise.
> 4) I think they took their website down once the vulnerability was reported.
> We've asked them to fix the site because it's high profile. However, if the
> customer was something like Mozilla or Google, would we demand revocation of
> their certificates? Granted, they wouldn't have the same vulnerabilities, but
> I'm having a hard time differentiating from the CA perspective.
> 5) Generating private keys for third parties is definitely NOT encouraged by
> DigiCert.
>
> Anyway, I'm not sure what to do here as it seems like the main difference
> between this and any other insecure website is how they self-identify.
>
There's also the CA-observable fact that they use their SubCA to issue for other organizations. This presumably involves different contract terms from an Enterprise SubCA only licensed for internal use in that Enterprise.

Admittedly, an Enterprise-licensed SubCA "owner" could cheat and issue DV certificates that carry the Enterprise name in the DN even though the domains are unrelated 3rd parties. That could be difficult to detect, but would presumably be a contract violation.

Another case that would be hard for a CA to distinguish would be a hosting provider SubCA controlled by someone like Amazon or Google, as those would actually generate the keys (for use on their own servers to serve customer domains). Here contract terms would be the only clear distinction, short of an audit of issued certificates versus who hosts the IP addresses using those certs.

Of course I don't know if Digicert makes those distinctions in their SubCA contract terms, or if you made those distinctions when CertCenter signed up.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
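The audit Jakob describes above (issued certificates versus who actually hosts the addresses behind them) can be sketched as a small check. The following is an added example written for this page, not code from either poster, DigiCert, or CertCenter. It assumes certificate summaries of the kind a CT-log consumer would extract (serial, subject O, SAN list), a constructed DNS fixture so it runs offline, and constructed netblocks (RFC 5737 / RFC 3849 documentation ranges) standing in for the address space the SubCA holder is contractually allowed to serve. A SAN is flagged when it does not resolve at all or when any of its addresses fall outside the allowed netblocks, which is the conservative reading of "hosted by someone else".

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed fixture: netblocks the SubCA holder is allowed to serve
# (documentation ranges, not any real organisation's address space).
ENTERPRISE_NETBLOCKS = ["203.0.113.0/24", "2001:db8:1::/48"]

# Constructed stand-in for DNS resolution so the audit runs offline.
DNS_FIXTURE: Dict[str, List[str]] = {
    "www.example-corp.test": ["203.0.113.10", "2001:db8:1::10"],
    "api.example-corp.test": ["203.0.113.20"],
    "shop.unrelated.test": ["198.51.100.7"],
    # Mixed hosting: one address inside the netblocks, one outside.
    "cdn.unrelated.test": ["192.0.2.44", "203.0.113.99"],
}

# Constructed leaf-certificate summaries, all carrying the enterprise name
# in the subject DN regardless of who the SAN domains belong to.
ISSUED_CERTS = [
    {"serial": "01", "subject_o": "Example Corp",
     "sans": ["www.example-corp.test"]},
    {"serial": "02", "subject_o": "Example Corp",
     "sans": ["shop.unrelated.test"]},
    {"serial": "03", "subject_o": "Example Corp",
     "sans": ["api.example-corp.test", "cdn.unrelated.test",
              "ghost.example-corp.test"]},
]


def parse_netblocks(cidrs: List[str]) -> List[ipaddress._BaseNetwork]:
    """Parse CIDR strings into network objects (IPv4 and IPv6 mixed)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def hosted_inside(addresses: List[str], networks) -> bool:
    """True only if every address for the name lies in an allowed netblock."""
    return all(
        any(ipaddress.ip_address(a) in net for net in networks)
        for a in addresses
    )


def audit_subca_issuance(certs, dns: Dict[str, List[str]],
                         cidrs: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map serial -> [(san, reason)] for names not hosted inside the
    holder's netblocks. Certificates with no findings are omitted."""
    networks = parse_netblocks(cidrs)
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for cert in certs:
        flagged: List[Tuple[str, str]] = []
        for san in cert["sans"]:
            addrs = dns.get(san)
            if not addrs:
                flagged.append((san, "unresolvable"))
            elif not hosted_inside(addrs, networks):
                flagged.append((san, "hosted outside enterprise netblocks"))
        if flagged:
            findings[cert["serial"]] = flagged
    return findings


if __name__ == "__main__":
    for serial, hits in audit_subca_issuance(
            ISSUED_CERTS, DNS_FIXTURE, ENTERPRISE_NETBLOCKS).items():
        for san, reason in hits:
            print(f"serial {serial}: {san}: {reason}")
```

In a real audit the DNS fixture would be replaced by live resolution (or passive DNS), and the netblocks by whatever the SubCA contract actually names; the decision logic stays the same.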

