[cabfpub] Misissuance of certificates

Dean Coclin Dean_Coclin at symantec.com
Tue Nov 17 15:15:14 UTC 2015


I think you're looking at the wrong part of the document. There are 2 sets of SSL certs involved in the process. One is issued by HMRC from their own private CA and does not need to conform to CABF BRs. (I believe this is the one you reference).

The others can be issued by a public CA and are of the form [taxID].{from,to}.domain.com

They don't have to be EV, but they can be issued as EV, in which case customers choose not to log to CT.

Dean

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Tuesday, November 17, 2015 8:42 AM
To: Dean Coclin; Sigbjørn Vik; public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates

On 12/11/15 22:45, Dean Coclin wrote:
> Here is the example mentioned on the call today which Gerv wanted to 
> hear more about:
> 
> https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/368362/set-installation.pdf

There's something a bit odd going on here. Page 6 of that document says that the following should be in the CSR:

Common name: <Organisation><SRN>LIVE<DDMMYY>

That doesn't look like a valid DNS name to me. If the CA concerned is doing EV validation, how are they proving that the customer owns a public DNS domain of the form:

FooCorp12345643543LIVE121115

? Is any CA on the list part of this program, and so can comment?

Is it also the case that they are using EV certificates for non-SSL purposes?

Gerv
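Added example, not code from either poster or from the HMRC document: a syntactic screen for CSR subject names that separates a public FQDN of the `[taxID].{from,to}.domain.com` shape described in Dean's reply from a non-DNS string like the one Gerv quotes. The base domain `example.com`, the sample names and the function names are assumptions for illustration; the check is purely syntactic (RFC 1035 label rules, at least two labels, not an IP literal) and says nothing about whether domain control was actually validated.

```python
import re
from ipaddress import ip_address
from typing import Dict, List

# LDH label: 1..63 chars of letters, digits and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_public_fqdn(name: str) -> bool:
    """Syntactic check only: does `name` look like a public DNS hostname?

    Rejects empty/overlong names, IP literals, single-label names (there is
    no public domain to validate) and labels that break LDH rules.
    """
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    try:
        ip_address(name)
        return False  # an IP address is not a DNS name
    except ValueError:
        pass
    labels = name.split(".")
    if len(labels) < 2:
        return False
    return all(LABEL_RE.match(label) for label in labels)


def matches_set_pattern(name: str, base_domain: str) -> bool:
    """Does `name` have the shape <taxID>.from.<base> or <taxID>.to.<base>
    under the assumed base domain?  (Pattern taken from the thread, base
    domain is an assumption.)"""
    if not is_public_fqdn(name):
        return False
    labels = name.rstrip(".").lower().split(".")
    base_labels = base_domain.lower().split(".")
    if len(labels) != len(base_labels) + 2:
        return False
    tax_id, direction, *rest = labels
    return rest == base_labels and direction in ("from", "to") and tax_id.isalnum()


def screen_names(names: List[str], base_domain: str) -> Dict[str, str]:
    """Classify each requested name so an issuance reviewer can see at a glance
    which entries are not even syntactically eligible for a public TLS cert."""
    verdicts: Dict[str, str] = {}
    for n in names:
        if matches_set_pattern(n, base_domain):
            verdicts[n] = "ok: matches expected pattern"
        elif is_public_fqdn(n):
            verdicts[n] = "fqdn: valid DNS name but outside expected pattern"
        else:
            verdicts[n] = "reject: not a public DNS name"
    return verdicts


if __name__ == "__main__":
    # Constructed sample CSR names; the first echoes the shape Gerv quotes.
    sample = [
        "FooCorp12345643543LIVE121115",
        "12345.from.example.com",
        "12345.to.example.com",
        "12345.sideways.example.com",
        "192.0.2.1",
        "-bad.example.com",
    ]
    for name, verdict in screen_names(sample, "example.com").items():
        print(f"{name:35} {verdict}")
```

The screen is meant to run before validation, not instead of it: a name that passes here still has to be proven under control of the applicant, and a name that fails here (a single label with no registrable domain) cannot be validated as a public domain at all, which is the concern Gerv raises.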