[cabfpub] Misissuance of certificates

Sigbjørn Vik sigbjorn at opera.com
Thu Jan 28 09:07:52 UTC 2016


Hi Dean,

The EV guidelines are clear that the EV name field "MUST contain the
Subject’s full legal organization name as listed in the official
records". Failure to do so means failure to vet the certificate
properly, and is a violation of the guidelines.

In some cases a typo might make a huge difference, in other cases not.
Compare e.g. the brands "First Price" and "First Prize"[1]. The
guidelines are there to ensure all violations are reported, then the
public can check if the typo is important.

How else would you ensure that all typos are checked for importance, and
where would you draw the line for being "important enough" to report
publicly? Both the CA and the subscriber might have self-interest in not
reporting.

If this additionally turns into some kind of Consumer Reports rating to
show which CAs handle data with the most care, I would consider that a
good thing. That would give CAs an incentive to vet properly, and would
make the most serious CAs become the most popular.

[1] https://en.wikipedia.org/wiki/First_Price vs http://www.firstprize.co.za
Or "First Prince", "First Prick", "First Rice", "Fist Price", etc.
Even spaces as in your example may make a difference; "Therapist" vs
"The Rapist".


On 28-Jan-16 04:35, Dean Coclin wrote:
> I think we still need to refine mis-issuance as defined below. It currently
> presents a very onerous obligation that seems unwarranted in some cases. Let
> me give an example:
> 
> Suppose my hypothetical business, "Dean's Wine Shop", submits a CSR with the
> name mistyped as "Dean's WineShop". The CA receives the CSR, doesn't catch
> the typo, and issues the certificate. Now I get it back, realize I made a
> typo and inform the CA. The CA fixes it and immediately reissues the
> certificate. Does this disclosure requirement suddenly kick in?  Did the CA
> "mis-issue" the certificate?  I fail to see how the public is helped by this
> information (unless we are turning this into some Consumer Reports rating to
> show how many times CAs make typos). 
> 
> Perhaps I'm missing something and I'm happy to be enlightened.
> 
> Thanks
> Dean
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Sigbjørn Vik
> Sent: Wednesday, January 27, 2016 7:51 PM
> To: public at cabforum.org
> Subject: Re: [cabfpub] Misissuance of certificates
> 
> Hi all,
> 
> I think the discussion on this topic has been great, and the proposed ballot
> has had several improvements as a result. I think it is time we put it to a
> ballot. The text is as below, I am looking for two endorsers.
> 
> 
> 2.2.1 Notification of incorrect issuance
> 
> In the event that a CA issues a certificate in violation of these
> requirements, the CA SHALL publicly disclose a report within one week of
> becoming aware of the violation. A link to the report SHALL simultaneously
> be sent to incidents at cabforum.org.
> 
> Effective 01-Jul-16, the CA SHALL in its Certificate Policy and/or
> Certification Practice Statement announce where such reports will be found.
> The location SHALL be as accessible as the CP/CPS.
> 
> The report SHALL publicize details about what the error was, what caused the
> error, time of issuance and discovery, and public certificates for all
> issuer certificates in the trust chain.
> 
> The report SHALL publicize the full public certificate, with the following
> exception: For certificates issued prior to 01-Mar-16 the report MAY
> truncate Subject Distinguished Name fields and subjectAltName extension
> values to the registerable domain name.
> 
> The report SHALL be made available to the CA's Qualified Auditor for the next
> Audit Report.
> 
> 
> --
> Sigbjørn Vik
> Opera Software
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> 


-- 
Sigbjørn Vik
Opera Software
