[cabfpub] Misissuance of certificates

Gervase Markham gerv at mozilla.org
Tue Nov 17 13:42:06 UTC 2015


On 12/11/15 22:45, Dean Coclin wrote:
> Here is the example mentioned on the call today which Gerv wanted to
> hear more about:
> 
> https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/368362/set-installation.pdf

There's something a bit odd going on here. Page 6 of that document says
that the following should be in the CSR:

Common name: <Organisation><SRN>LIVE<DDMMYY>

That doesn't look like a valid DNS name to me. If the CA concerned is
doing EV validation, how are they proving that the customer owns a
public DNS domain of the form:

FooCorp12345643543LIVE121115

? Is any CA on the list part of this program, and so can comment?

Is it also the case that they are using EV certificates for non-SSL
purposes?

Gerv


