On Sun, 26 Jan 2020 11:16:24 +0100 Hanno Böck via dev-security-policy <[email protected]> wrote:
> I guess this is the most relevant part here. No one has noticed.
>
> I see that a lot of people are having fun pointing out these issues
> again and again to show how sloppy CAs work. Which is fine I guess,
> but it leads to the question what the point of all this is.

Unlike minor typographical errors, which I don't think have a larger significance, this type of mistake might realistically have grave impact depending on how it happens, for which we will need Sectigo's honest response to the incident.

For example, suppose Sectigo has a bug in which under some circumstances Customer A is treated as though they were Customer B instead, and of course certificates like these are one possible result of the bug that we can see in the CT logs. But other symptoms of that same bug might include: Customer B has proved to Sectigo that they control example.com, so Customer B can order new certificates for example.com, but with the bug now Customer A can get such certificates too, which they are not entitled to.

> Maybe it's time to change the WebPKI rules to reflect that - either say
> "any information in a certificate that is not the CN/SAN is yolo and
> can be whatever and web clients should make sure they never display
> that information" or "any useless extra information should be
> skipped".

I definitely can't support the former. The purpose of X.509 certificates is to bind a public key to an identity. If we decide that something isn't part of the identity then it shouldn't be included.

I think the latter isn't a good idea, beyond the extent to which it's already present in the BRs, but I don't feel strongly about it.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

