[cabfpub] Misissuance of certificates

Sigbjørn Vik sigbjorn at opera.com
Fri Jan 22 10:56:12 UTC 2016

I wrote and called HMRC, and while I am still waiting for a formal
reply, here is my current understanding.

The identifiers they require users to insert into certificates are
sensitive, unchangeable, and not to be shared.
They have no requirements on which roots the certificates chain to, only
which CAs the certificates are issued from. In fact, I was told that
they have no verification process for the root at all!

So CAs may currently use any root to issue these certificates, including
publicly trusted ones. But there is no reason to use roots in scope of
the BR. HMRC nor the customer is going to use these certificates for
website authentication. (Even if they were, they would still have the
option of installing the CA root manually, as the certificates were
never meant for public website authentication.)

So these certificates do not have to be issued from roots covered by the
BRs. If CAs want to do so, and are certain they will not make any
mistakes, they may still do so, but probably shouldn't. These
certificates are not meant for public website authentication, and ought
not to be issued from roots meant for that purpose.

I hope this resolves any pending doubt about this particular case.

On 21-Jan-16 14:08, Dean Coclin wrote:
> Yes, I confirmed that they do.
> -----Original Message-----
> From: Gervase Markham [mailto:gerv at mozilla.org] 
> Sent: Thursday, January 21, 2016 4:36 AM
> To: Dean Coclin <Dean_Coclin at symantec.com>; Sigbjørn Vik <sigbjorn at opera.com>; public at cabforum.org
> Subject: Re: [cabfpub] Misissuance of certificates
> On 21/01/16 03:24, Dean Coclin wrote:
>> The issue was that some certs have information as part of the CN which 
>> probably shouldn't be public -- in the HMRC cases, it's a tax-related 
>> ID number specific to a given company, which probably ought to be 
>> private between that company and the tax offices. But they need certs 
>> including that number to exchange information with the tax offices. 
>> (Arguably that's a poorly designed system but that's something to take 
>> up with HMRC -- the UK tax office)
> And we are sure that, despite being a way of companies communicating with one specific entity, the system nevertheless uses certificates chaining to publicly trusted roots?
> Gerv

Sigbjørn Vik
Opera Software

More information about the Public mailing list