[Smcwg-public] [External Sender] Re: Forbid issuance of certificates to ceased organizations
Adriano Santoni
adriano.santoni at staff.aruba.it
Wed Jan 10 07:41:28 UTC 2024
Thank you, Maria, for sharing your opinion.
I'd love to hear from others as well...
Adriano
On 09/01/2024 17:54, Maria Merkel wrote:
>
> Hello Adriano,
>
> I'm not sure whether I have posting permissions for this list, but I
> will try anyway.
>
> I do believe this is a wider issue than just one for S/MIME. I had
> recently noticed that a CA had issued a TLS server certificate to a
> company that no longer exists (as the company had merged into a new
> company, and the legal entity in the certificate has been dissolved as
> a result). I had reported this to the CA, who have decided not to
> revoke the certificate (and have, in fact, issued at least one
> further certificate to the company), despite me having shared
> government-provided evidence of the company having been dissolved,
> because they were able to verify the name via a "reliable source"
> (presumably D&B or Google).
>
> I looked into this further at the time and it seems like this is
> currently perfectly compliant with the BR, but surely adding a rule
> prohibiting CAs from including information they know to be incorrect,
> even if it is "verifiable", would make sense?
>
> Regarding companies in liquidation, I am not sure these should be
> prohibited from obtaining certificates. Companies in liquidation may
> continue to operate for a significant amount of time under management
> of their liquidator, and it doesn't seem unlikely that for some
> companies it may be required (or at least desired) to obtain
> certificates during that time.
>
> Maria Merkel
>
> On Tue, Jan 9, 2024 at 5:44 PM Adriano Santoni via Smcwg-public
> <smcwg-public at cabforum.org> wrote:
>
> Hello all,
>
> Authentication of organization identity involves the collection of
> some attributes and their validation. To collect these attributes,
> a CA typically queries a reliable third-party source, e.g. the
> business register of the relevant country. Among the attributes
> that can be found in these sources there is normally also the
> /operational status/ of the company, such as e.g. ACTIVE or CEASED.
>
> To me, it seems logical that a certificate should not be issued to
> a ceased company, but this is not specified in the SMBR. I believe
> we should specify it.
>
> In the current SMBR, the entity status is required to be ACTIVE
> only in the particular case of inserting an LEI reference in the
> certificate (which is not mandatory), but not in the more general
> case. Perhaps an oversight?
>
> A company that has gone out of business (e.g. in liquidation) may
> still "exist" in a certain way for some time (you can still check
> any other data regarding it, in the company registry), but it is
> still a defunct company to which in my opinion, a certificate
> should not be issued. I can imagine that someone will have a
> different opinion and say that there is no problem in issuing a
> certificate to a company in liquidation. But then, I see no reason
> why we require the entity status to be ACTIVE "If an LEI data
> reference is used".
>
> I therefore propose to include a clarification in the SMBRs
> (possibly in section 3.2.3.1) that the operational status of the
> company is one of the attributes to be collected, and that it must
> be ACTIVE (or the equivalent according to the terminology of the
> relevant country), regardless of whether an LEI reference is used
> or not in the certificate.
>
> Adriano
>
> PS: In my opinion, this also affects the BRs and the CSBRs.