[Smcwg-public] [External Sender] Re: Forbid issuance of certificates to ceased organizations

Wendy Brown - QT3LB-C wendy.brown at gsa.gov
Wed Jan 10 13:03:30 UTC 2024 

I am no lawyer and not speaking on behalf of any CA, so the following is
just my personal opinion, but I think the continued use of a corporate name
after acquisition by another company may possibly vary based on country.

I say that based solely on anecdotal information having worked for several
companies in the past that were acquired by other companies and yet
continued to use the former name for some time for DNS, emails and other
purposes in order to fulfill prior contractual obligations.
Another example might be a company that has an OID arc for protocol
extensions or certificate policies that may be asserted in certificates
that did not expire just because the company was acquired.  The new owner
retained the right to continue using those OiDs.

Thanks,

Wendy


Wendy Brown

Protiviti Government Services



On Wed, Jan 10, 2024 at 2:41 AM Adriano Santoni via Smcwg-public <
smcwg-public at cabforum.org> wrote:

> Thank you, Maria, for sharing your opinion.
>
> I'd love to hear from others as well....
>
> Adriano
>
>
> Il 09/01/2024 17:54, Maria Merkel ha scritto:
>
> NOTICE: Pay attention - external email - Sender is maria at maria.cc
>
> Hello Adriano,
>
> I'm not sure whether I have posting permissions for this list, but I will
> try anyway.
>
> I do believe this is a wider issue than just one for S/MIME. I had
> recently noticed that a CA had issued a TLS server certificate to a company
> that no longer exists (as the company had merged into a new company, and
> the legal entity in the certificate has been dissolved as a result). I had
> reported this to the CA, who have decided not to revoke the certificate
> (and have, in fact, issued at least one further certificate to the
> company), despite me having shared government-provided evidence of the
> company having been dissolved, because they were able to verify the name
> via a "reliable source" (presumably D&B or Google).
>
> I have looked into this further at the time and it seems like this is
> currently perfectly compliant with the BR, but surely adding a rule
> prohibiting CAs from including information they know to be incorrect, even
> if it is "verifiable", would make sense?
>
> Regarding companies in liquidation, I am not sure these should be
> prohibited from obtaining certificates. Companies in liquidation may
> continue to operate for a significant amount of time under management of
> their liquidator, and it doesn't seem unlikely that for some companies it
> may be required (or at least desired) to obtain certificates during that
> time.
>
> Maria Merkel
>
> On Tue, Jan 9, 2024 at 5:44 PM Adriano Santoni via Smcwg-public <
> smcwg-public at cabforum.org> wrote:
>
>> Hello all,
>> Authentication of organization identity involves the collection of some
>> attributes and their validation. To collect these attributes, a CA
>> typically queries a reliable third-party source, e.g. the business register
>> of the relevant country. Among the attributes that can be found in these
>> sources there is normally also the *operational status* of the company,
>> such as e.g. ACTIVE or CEASED.
>>
>> To me, it seems logical that a certificate should not be issued to a
>> ceased company, but this is not specified in the SMBR. I believe we should
>> specify it.
>>
>> In the current SMBR, the entity status is required to be ACTIVE only in
>> the particular case of inserting an LEI reference in the certificate (which
>> is not mandatory), but not in the more general case. Perhaps an oversight?
>>
>> A company that has gone out of business (e.g. in liquidation) may still
>> "exist" in a certain way for some time (you can still check any other data
>> regarding it, in the company registry), but it is still a defunct company
>> to which in my opinion, a certificate should not be issued. I can imagine
>> that someone will have a different opinion and say that there is no problem
>> in issuing a certificate to a company in liquidation. But then, I see no
>> reason why we require the entity status to be ACTIVE "If an LEI data
>> reference is used".
>>
>> I therefore propose to include a clarification in the SMBRs (possibly in
>> section 3.2.3.1) that the operational status of the company is one of the
>> attributes to be collected, and that it must be ACTIVE (or the equivalent
>> according to the terminology of the relevant country), regardless of
>> whether a LEI reference is used or not in the certificate.
>>
>> Adriano
>>
>> PS: In my opinion, this also affects the BRs and the CSBRs.
>>
>> _______________________________________________
>> Smcwg-public mailing list
>> Smcwg-public at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/smcwg-public
>>
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20240110/0af222d4/attachment.html>

More information about the Smcwg-public mailing list