[Smcwg-public] FW: [External Sender] Re: Forbid issuance of certificates to ceased organizations

Wed Jan 17 19:25:36 UTC 2024

Am forwarding the message from a list subscriber who is not a member of the WG, but whose comments are relevant to our discussions today.

Regards, Stephen

From: Maria Merkel <maria at maria.cc>
Sent: Wednesday, January 10, 2024 9:38 AM
To: Wendy Brown - QT3LB-C <wendy.brown at gsa.gov>
Cc: Adriano Santoni <adriano.santoni at staff.aruba.it>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] [External Sender] Re: Forbid issuance of certificates to ceased organizations

Of course I am not claiming to understand every jurisdiction in the world, but I believe that in most of them there are two things to differentiate here:

1. Mergers in the corporate law sense and acquisitions (even if both are commonly called mergers)
In case of an acquisition, both companies continue to exist. In case of a merger, the business of one company is transferred to a new company, and the old company is dissolved. Only the new company (the merger target) exists after the merger is complete.

From a CA (and general outside) perspective, nothing has changed with an acquisition. The same company still exists, it only has a new owner. With mergers it becomes a bit more complicated:

2. Legal names, registered business names and unregistered business names

Companies usually have a single legal name under which they are registered. This is the name usually included in a certificate. A legal name is tied to the specific company and, in virtually all jurisdictions, cannot be used once the company is dissolved, even if this is due to a merger (unless, of course, a new company is registered under that name or the merger target company changes its name to the legal name of the old company).

Additionally, many companies have one or more separate business names under which they are known to the public. Depending on the jurisdiction, those may or may not be registered with the government, or whether to register them may be at the company's discretion. The S/MIME BR allow registered business names to be included in a certificate, but not unregistered ones. A business name (regardless of whether it is registered or not) can and usually will be taken over in a merger, at least temporarily.

General Thoughts

While this knowledge may be useful to understand the backgrounds, I don't think this matters too much from a CA perspective, and too much of it is jurisdiction-specific for it to be feasible to make specific rules for each situation (nor may this be desirable due to the complexity).

I think the reasonable thing to do would be what @Adriano Santoni<mailto:adriano.santoni at staff.aruba.it> originally suggested, specifically requiring that a company is "active" per its home jurisdiction (which is usually reflected on that jusrisdiction's website, and datasets like LEI data). This would be valuable because there doesn't seem a practical situation in which a company that no longer exists could do anything (including using a certificate), so at best such an entry would always be misleading. There is value in a person relying on a certificate being able to identify the specific legal entity on behalf of whom a message was sent, as this will be relevant in case of legal disputes. There may also be additional legal considerations, such as not being able to hold a dissolved company accountable for breaches of subscriber agreements, but this is more of a consideration for each CA rather than something that would likely matter to the public at large.

It may be worth noting that not all jurisdictions make the status (like "active") of a company publicly available, especially not free of charge. Therefore perhaps including the legal name of a company whose status is unknown should also be allowed, as long as the CA does not have a reason to believe that the status is not "active".

Maria Merkel

On Wed, Jan 10, 2024 at 2:03 PM Wendy Brown - QT3LB-C <wendy.brown at gsa.gov<mailto:wendy.brown at gsa.gov>> wrote:

   I am no lawyer and not speaking on behalf of any CA, so the following is just my personal opinion, but I think the continued use of a corporate name after acquisition by another company may possibly vary based on country.

   I say that based solely on anecdotal information having worked for several companies in the past that were acquired by other companies and yet continued to use the former name for some time for DNS, emails and other purposes in order to fulfill prior contractual obligations.

   Another example might be a company that has an OID arc for protocol extensions or certificate policies that may be asserted in certificates that did not expire just because the company was acquired.  The new owner retained the right to continue using those OiDs.

   Thanks,

   Wendy

   Wendy Brown

   Protiviti Government Services

   On Wed, Jan 10, 2024 at 2:41 AM Adriano Santoni via Smcwg-public <smcwg-public at cabforum.org<mailto:smcwg-public at cabforum.org>> wrote:

      Thank you, Maria, for sharing your opinion.

      I'd love to hear from others as well....

      Adriano

      Il 09/01/2024 17:54, Maria Merkel ha scritto:

NOTICE: Pay attention - external email - Sender is maria at maria.cc<mailto:maria at maria.cc>

         Hello Adriano,

         I'm not sure whether I have posting permissions for this list, but I will try anyway.

         I do believe this is a wider issue than just one for S/MIME. I had recently noticed that a CA had issued a TLS server certificate to a company that no longer exists (as the company had merged into a new company, and the legal entity in the certificate has been dissolved as a result). I had reported this to the CA, who have decided not to revoke the certificate (and have, in fact, issued at least one further certificate to the company), despite me having shared government-provided evidence of the company having been dissolved, because they were able to verify the name via a "reliable source" (presumably D&B or Google).

         I have looked into this further at the time and it seems like this is currently perfectly compliant with the BR, but surely adding a rule prohibiting CAs from including information they know to be incorrect, even if it is "verifiable", would make sense?

         Regarding companies in liquidation, I am not sure these should be prohibited from obtaining certificates. Companies in liquidation may continue to operate for a significant amount of time under management of their liquidator, and it doesn't seem unlikely that for some companies it may be required (or at least desired) to obtain certificates during that time.

         Maria Merkel

         On Tue, Jan 9, 2024 at 5:44 PM Adriano Santoni via Smcwg-public <smcwg-public at cabforum.org<mailto:smcwg-public at cabforum.org>> wrote:

            Hello all,

            Authentication of organization identity involves the collection of some attributes and their validation. To collect these attributes, a CA typically queries a reliable third-party source, e.g. the business register of the relevant country. Among the attributes that can be found in these sources there is normally also the operational status of the company, such as e.g. ACTIVE or CEASED.

            To me, it seems logical that a certificate should not be issued to a ceased company, but this is not specified in the SMBR. I believe we should specify it.

            In the current SMBR, the entity status is required to be ACTIVE only in the particular case of inserting an LEI reference in the certificate (which is not mandatory), but not in the more general case. Perhaps an oversight?

            A company that has gone out of business (e.g. in liquidation) may still "exist" in a certain way for some time (you can still check any other data regarding it, in the company registry), but it is still a defunct company to which in my opinion, a certificate should not be issued. I can imagine that someone will have a different opinion and say that there is no problem in issuing a certificate to a company in liquidation. But then, I see no reason why we require the entity status to be ACTIVE "If an LEI data reference is used".

            I therefore propose to include a clarification in the SMBRs (possibly in section 3.2.3.1) that the operational status of the company is one of the attributes to be collected, and that it must be ACTIVE (or the equivalent according to the terminology of the relevant country), regardless of whether a LEI reference is used or not in the certificate.

            Adriano

            PS: In my opinion, this also affects the BRs and the CSBRs.

            _______________________________________________
            Smcwg-public mailing list
            Smcwg-public at cabforum.org<mailto:Smcwg-public at cabforum.org>
            https://lists.cabforum.org/mailman/listinfo/smcwg-public

      _______________________________________________
      Smcwg-public mailing list
      Smcwg-public at cabforum.org<mailto:Smcwg-public at cabforum.org>
      https://lists.cabforum.org/mailman/listinfo/smcwg-public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20240117/d5020bf5/attachment-0001.html>