On Fri, Nov 1, 2019 at 5:14 AM Kurt Roeckx via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
>
> On Fri, Nov 01, 2019 at 11:08:23AM +0100, Matthias van de Meent via 
> dev-security-policy wrote:
> > Hi,
> >
> > I recently noticed that a lot of leaf certificates [0] have
> > organizationalUnitName specified without other organizational
> > information such as organizationName. Many times this field is used
> > for branding purposes, e.g. "issued through <someone's kpi manager>"
> > or "SomeBrand SSL".
> >
> > BR v1.6.6 § 7.1.4.2.2i has guidance on usage of the OU field: "The CA
> > SHALL implement a process that prevents an OU attribute from including
> > a name, DBA, tradename, trademark, address, location, or other text
> > that refers to a specific natural person or Legal Entity unless the CA
> > has verified this information in accordance with Section 3.2 and the
> > Certificate also contains subject:organizationName, ,
> > subject:givenName, subject:surname, subject:localityName, and
> > subject:countryName attributes, also verified in accordance with
> > Section 3.2.2.1."
> >
> > As the organizationName and other related attributes are not set in
> > many of those certificates, even though e.g. "COMODO SSL Unified
> > Communications" is a very strong reference to Sectigo's ssl branding &
> > business, I believe the referenced certificate is not issued in line
> > with the BR.
> >
> > Is the above interpretation of BR section 7.1.4.2.2i correct?
>
> That OU clearly doesn't have anything to do with the subject that
> was validated, so I also consider that a misissue.
>
>
> Kurt

A roughly-equivalent Censys.io query, excluding a couple other
unambiguous "domain validated" OU values: "not _exists_:
parsed.subject.organization and _exists_:
parsed.subject.organizational_unit and not
parsed.subject.organizational_unit: "Domain Control Validated" and not
parsed.subject.organizational_unit: "Domain Validated Only" and not
parsed.subject.organizational_unit: "Domain Validated" and
validation.nss.valid: true" returns 17k hits.

IMO the "Hosted by ____.Com" certs fail 7.1.4.2.2i - the URL of a web
host is definitely "text that refers to a specific ... Legal Entity".

> Certificate also contains subject:organizationName, , subject:givenName,
> subject:surname, subject:localityName, and subject:countryName
> attributes, also verified in accordance with Section 3.2.2.1.

I'm pretty sure this isn't what the BRs intended, but this appears to
forbid issuance with a meaningful subject:organizationalUnitName
unless all of the above attributes are populated. EVG §9.2.9 forbids
including those attributes in the first place. Am I reading this
wrong, or was this an oversight in the BRs?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to