[Smcwg-public] [External Sender] Re: Forbid issuance of certificates to ceased organizations

Adriano Santoni adriano.santoni at staff.aruba.it
Wed Jan 10 07:41:28 UTC 2024


Thank you, Maria, for sharing your opinion.

I'd love to hear from others as well...

Adriano


On 09/01/2024 17:54, Maria Merkel wrote:
>
> Hello Adriano,
>
> I'm not sure whether I have posting permissions for this list, but I 
> will try anyway.
>
> I do believe this is a wider issue than just one for S/MIME. I had 
> recently noticed that a CA had issued a TLS server certificate to a 
> company that no longer exists (as the company had merged into a new 
> company, and the legal entity in the certificate has been dissolved as 
> a result). I had reported this to the CA, who have decided not to 
> revoke the certificate (and have, in fact, issued at least one 
> further certificate to the company), despite me having shared 
> government-provided evidence of the company having been dissolved, 
> because they were able to verify the name via a "reliable source" 
> (presumably D&B or Google).
>
> I looked into this further at the time and it seems like this is 
> currently perfectly compliant with the BR, but surely adding a rule 
> prohibiting CAs from including information they know to be incorrect, 
> even if it is "verifiable", would make sense?
>
> Regarding companies in liquidation, I am not sure these should be 
> prohibited from obtaining certificates. Companies in liquidation may 
> continue to operate for a significant amount of time under management 
> of their liquidator, and it doesn't seem unlikely that for some 
> companies it may be required (or at least desired) to obtain 
> certificates during that time.
>
> Maria Merkel
>
> On Tue, Jan 9, 2024 at 5:44 PM Adriano Santoni via Smcwg-public 
> <smcwg-public at cabforum.org> wrote:
>
>     Hello all,
>
>     Authentication of organization identity involves the collection of
>     some attributes and their validation. To collect these attributes,
>     a CA typically queries a reliable third-party source, e.g. the
>     business register of the relevant country. Among the attributes
>     that can be found in these sources there is normally also the
>     /operational status/ of the company, such as e.g. ACTIVE or CEASED.
>
>     To me, it seems logical that a certificate should not be issued to
>     a ceased company, but this is not specified in the SMBR. I believe
>     we should specify it.
>
>     In the current SMBR, the entity status is required to be ACTIVE
>     only in the particular case of inserting an LEI reference in the
>     certificate (which is not mandatory), but not in the more general
>     case. Perhaps an oversight?
>
>     A company that has gone out of business (e.g. in liquidation) may
>     still "exist" in a certain way for some time (you can still check
>     any other data regarding it, in the company registry), but it is
>     still a defunct company to which, in my opinion, a certificate
>     should not be issued. I can imagine that someone will have a
>     different opinion and say that there is no problem in issuing a
>     certificate to a company in liquidation. But then, I see no reason
>     why we require the entity status to be ACTIVE "If an LEI data
>     reference is used".
>
>     I therefore propose to include a clarification in the SMBRs
>     (possibly in section 3.2.3.1) that the operational status of the
>     company is one of the attributes to be collected, and that it must
>     be ACTIVE (or the equivalent according to the terminology of the
>     relevant country), regardless of whether an LEI reference is used
>     or not in the certificate.
>
>     Adriano
>
>     PS: In my opinion, this also affects the BRs and the CSBRs.
>
>
>     _______________________________________________
>     Smcwg-public mailing list
>     Smcwg-public at cabforum.org
>     https://lists.cabforum.org/mailman/listinfo/smcwg-public
>
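As an added worked illustration of the gate Adriano proposes (this is not code from the thread, from the SMBR, or from any CA), here is a small issuance check that collects the operational status from every source the CA consulted, normalises each register's own vocabulary onto the ACTIVE / in-liquidation / CEASED states the thread uses, and refuses issuance when the entity is ceased, when its status cannot be determined, or when an LEI reference is requested and the entity is not ACTIVE. It also handles Maria's case, where one source reports the entity dissolved while another still "verifies" the name. The status vocabularies, source names and registry records are constructed assumptions for the example, not data from any real register.

```python
"""Issuance gate on registry operational status (worked example, not CA code)."""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    ACTIVE = "active"
    LIQUIDATION = "in liquidation"
    CEASED = "ceased"
    UNKNOWN = "unknown"


# Assumed mapping from register-specific terms to the states discussed in the
# thread.  Constructed for this example; real registers each use their own
# terminology, which is why the proposal says "or the equivalent".
STATUS_TERMS = {
    "IT": {"ATTIVA": Status.ACTIVE, "IN LIQUIDAZIONE": Status.LIQUIDATION,
           "CESSATA": Status.CEASED},
    "GB": {"active": Status.ACTIVE, "liquidation": Status.LIQUIDATION,
           "dissolved": Status.CEASED},
}


@dataclass(frozen=True)
class RegistryRecord:
    source: str       # which register or data source the record came from
    country: str      # ISO 3166-1 alpha-2 code selecting the vocabulary
    name: str         # organisation name as reported by that source
    raw_status: str   # status string exactly as the source reports it


@dataclass(frozen=True)
class Decision:
    issue: bool
    reason: str


def normalise(rec: RegistryRecord) -> Status:
    """Map a source's own status term onto the three states the thread uses."""
    return STATUS_TERMS.get(rec.country, {}).get(rec.raw_status, Status.UNKNOWN)


def decide(records, lei_used=False, allow_liquidation=False) -> Decision:
    """Gate issuance on the operational status collected from all sources.

    records:           every record the CA collected for the applicant
    lei_used:          whether an LEI reference will be placed in the cert
    allow_liquidation: policy knob for Maria's point that entities in
                       liquidation may legitimately still need certificates
    """
    if not records:
        return Decision(False, "no registry record collected")
    statuses = {rec.source: normalise(rec) for rec in records}

    # A status the CA cannot interpret is not evidence of an active entity.
    unknown = [s for s, st in statuses.items() if st is Status.UNKNOWN]
    if unknown:
        return Decision(False, f"status not interpretable from {', '.join(unknown)}")

    # Maria's case: once any source reports the entity dissolved, the CA
    # knows that; another source merely "verifying" the name does not
    # override it.
    ceased = [s for s, st in statuses.items() if st is Status.CEASED]
    if ceased:
        return Decision(False, f"entity reported ceased by {', '.join(ceased)}")

    liquidating = [s for s, st in statuses.items() if st is Status.LIQUIDATION]
    if liquidating:
        # The thread notes the SMBR already requires ACTIVE when an LEI
        # reference is included, so the policy knob cannot relax that case.
        if lei_used:
            return Decision(False, "LEI reference requires ACTIVE status")
        if not allow_liquidation:
            return Decision(False, f"entity in liquidation per {', '.join(liquidating)}")
        return Decision(True, "in liquidation, permitted by policy")

    return Decision(True, "all sources report ACTIVE")


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: an official register says
    # dissolved while a secondary data source still returns the name.
    official = RegistryRecord("companies-house", "GB", "Example Ltd", "dissolved")
    aggregator = RegistryRecord("data-aggregator", "GB", "Example Ltd", "active")
    print(decide([aggregator, official]))
```

The check runs over all collected records rather than the first one that "verifies" the name, so a later, more authoritative source can only tighten the outcome, never loosen it; that is the behaviour Maria's report suggests the current BR text does not require.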