On Fri, Nov 1, 2019 at 5:14 AM Kurt Roeckx via dev-security-policy <[email protected]> wrote: > > On Fri, Nov 01, 2019 at 11:08:23AM +0100, Matthias van de Meent via > dev-security-policy wrote: > > Hi, > > > > I recently noticed that a lot of leaf certificates [0] have > > organizationalUnitName specified without other organizational > > information such as organizationName. Many times this field is used > > for branding purposes, e.g. "issued through <someone's kpi manager>" > > or "SomeBrand SSL". > > > > BR v1.6.6 § 7.1.4.2.2i has guidance on usage of the OU field: "The CA > > SHALL implement a process that prevents an OU attribute from including > > a name, DBA, tradename, trademark, address, location, or other text > > that refers to a specific natural person or Legal Entity unless the CA > > has verified this information in accordance with Section 3.2 and the > > Certificate also contains subject:organizationName, , > > subject:givenName, subject:surname, subject:localityName, and > > subject:countryName attributes, also verified in accordance with > > Section 3.2.2.1." > > > > As the organizationName and other related attributes are not set in > > many of those certificates, even though e.g. "COMODO SSL Unified > > Communications" is a very strong reference to Sectigo's ssl branding & > > business, I believe the referenced certificate is not issued in line > > with the BR. > > > > Is the above interpretation of BR section 7.1.4.2.2i correct? > > That OU clearly doesn't have anything to do with the subject that > was validated, so I also consider that a misissue. > > > Kurt
A roughly-equivalent Censys.io query, excluding a couple other unambiguous "domain validated" OU values: "not _exists_: parsed.subject.organization and _exists_: parsed.subject.organizational_unit and not parsed.subject.organizational_unit: "Domain Control Validated" and not parsed.subject.organizational_unit: "Domain Validated Only" and not parsed.subject.organizational_unit: "Domain Validated" and validation.nss.valid: true" returns 17k hits. IMO the "Hosted by ____.Com" certs fail 7.1.4.2.2i - the URL of a web host is definitely "text that refers to a specific ... Legal Entity". > Certificate also contains subject:organizationName, , subject:givenName, > subject:surname, subject:localityName, and subject:countryName > attributes, also verified in accordance with Section 3.2.2.1. I'm pretty sure this isn't what the BRs intended, but this appears to forbid issuance with a meaningful subject:organizationalUnitName unless all of the above attributes are populated. EVG §9.2.9 forbids including those attributes in the first place. Am I reading this wrong, or was this an oversight in the BRs? _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
