On Fri, Nov 01, 2019 at 11:08:23AM +0100, Matthias van de Meent via 
dev-security-policy wrote:
> Hi,
> I recently noticed that a lot of leaf certificates [0] have
> organizationalUnitName specified without other organizational
> information such as organizationName. Many times this field is used
> for branding purposes, e.g. "issued through <someone's PKI manager>"
> or "SomeBrand SSL".
> BR v1.6.6 § has guidance on usage of the OU field: "The CA
> SHALL implement a process that prevents an OU attribute from including
> a name, DBA, tradename, trademark, address, location, or other text
> that refers to a specific natural person or Legal Entity unless the CA
> has verified this information in accordance with Section 3.2 and the
> Certificate also contains subject:organizationName, ,
> subject:givenName, subject:surname, subject:localityName, and
> subject:countryName attributes, also verified in accordance with
> Section"
> As the organizationName and other related attributes are not set in
> many of those certificates, even though e.g. "COMODO SSL Unified
> Communications" is a very strong reference to Sectigo's SSL branding &
> business, I believe the referenced certificate is not issued in line
> with the BR.
> Is the above interpretation of BR section correct?

That OU clearly doesn't have anything to do with the subject that
was validated, so I also consider that a misissue.
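As an added illustration (not code from the post, the list, or the BR), a minimal DER parser for a certificate subject Name plus a review filter that lists OU values appearing without the attributes the quoted BR text requires alongside them. The sample subject is constructed here to mirror the post (branded OU, CN, no organizationName); the OID table and string tags are the standard X.520/ASN.1 values.

```python
# Attribute-type OIDs (DER content octets) -> short names used below.
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
        b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
        b"\x55\x04\x04": "SN", b"\x55\x04\x2a": "GN"}
REQUIRED = {"O", "GN", "SN", "L", "C"}  # attributes the quoted BR text lists alongside OU

def tlv(buf, pos):
    """Decode one DER TLV starting at pos; return (tag, content, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_name(der_name):
    """Return a DER-encoded Name as (short name, value) pairs in encoded order."""
    tag, seq, _ = tlv(der_name, 0)
    assert tag == 0x30, "Name must be a SEQUENCE of RDNs"
    attrs, pos = [], 0
    while pos < len(seq):
        tag, rdn_content, pos = tlv(seq, pos)
        assert tag == 0x31, "each RDN must be a SET"
        inner = 0
        while inner < len(rdn_content):
            _, atv, inner = tlv(rdn_content, inner)   # AttributeTypeAndValue
            _, oid, vpos = tlv(atv, 0)                # AttributeType (OID)
            vtag, val, _ = tlv(atv, vpos)             # AttributeValue (string)
            assert vtag in (0x0c, 0x13, 0x16), "unsupported string type"
            attrs.append((OIDS.get(oid, oid.hex()), val.decode()))
    return attrs

def ou_for_review(attrs):
    """Return (OU values, missing identity attributes); no OU means nothing to review."""
    present = {name for name, _ in attrs}
    ous = [val for name, val in attrs if name == "OU"]
    missing = sorted(REQUIRED - present) if ous else []
    return ous, missing

def der(tag, content):
    """Short-form DER TLV (content under 128 bytes), enough to build the sample."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def rdn(oid, value):
    """One single-valued RDN: SET { SEQUENCE { OID, UTF8String } }."""
    return der(0x31, der(0x30, der(0x06, oid) + der(0x0c, value.encode())))

# Constructed sample subject modelled on the post: a branded OU plus a CN, no O.
SAMPLE_SUBJECT = der(0x30, rdn(b"\x55\x04\x0b", "COMODO SSL Unified Communications")
                     + rdn(b"\x55\x04\x03", "www.example.com"))
```

The filter only surfaces candidates; whether an OU value "refers to a specific natural person or Legal Entity" in the BR's sense still needs a human reviewer.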
