[cabfpub] Misissuance of certificates

Ryan Sleevi sleevi at google.com
Wed Nov 11 04:27:47 UTC 2015


Reposting for Peter

On Tue, Nov 10, 2015 at 6:17 PM, Peter Bowen <pzbowen at gmail.com> wrote:

> On Mon, Nov 9, 2015 at 8:52 AM, Doug Beattie
> <doug.beattie at globalsign.com> wrote:
> > But, publicly trusted certificates are
> > also used within company firewalls on intranets.  In this case the
> > customer may have an expectation (right or wrong) that the certificate
> > and the FQDNs contained within it remain "private".  Exposing all FQDNs
> > within internal networks could represent a security concern as it could
> > give attackers information about the network they would otherwise not
> > have.  We've received this input when scanning internal networks for
> > SSL certificates: customers get twitchy about providing that info to
> > us, never mind making it public.
>
> I suspect customers are twitchy about providing this information to
> you because it shows they are violating their subscriber agreement and
> therefore you must revoke the certificate when they disclose such to
> you.
>
> This is clearly spelled out in the Baseline Requirements:
>
> Section 9.6.3 requires that all CA subscriber agreements require that
> the subscriber have "[a]n obligation and warranty to install the
> Certificate only on servers that are accessible at the
> subjectAltName(s) listed in the Certificate".  If the subscriber has
> installed it on a server that is internal, then it is clearly not
> accessible at the subjectAltName in the certificate.  Before someone
> suggests that the server being accessible internally at the SAN meets
> this requirement, it is important to realize that allowing this would
> effectively make this a pointless requirement.  I can set up private
> DNS server that allows me to make any name resolve to any address, so
> I could have a server accessible at www.globalsign.com internally that
> has nothing to do with GlobalSign.
>
> Given that the customer has violated their subscriber agreement,
> section 4.9.1.1 kicks in. "The CA SHALL revoke a Certificate within 24
> hours if one or more of the following occurs:" ... "The CA is made
> aware that a Subscriber has violated one or more of its material
> obligations under the Subscriber or Terms of Use Agreement".
>
> So by notifying you that they are using the certificate on an
> internally accessible web server, they are effectively asking you to
> revoke their certificate.  I can see how they would be twitchy about
> doing so.
>
> This also means that the discussion about private certificates is
> basically moot.  Given that customers can only use them on a public
> server, there should be little issue of a customer complaining about
> disclosure.  How many people request certificates they have no intent
> to use?
>
> Thanks,
> Peter
>
> (I give permission for anyone to repost this to public at cabforum.org)
>