[cabfpub] Misissuance of certificates

Dean Coclin Dean_Coclin at symantec.com
Thu Jan 21 03:24:38 UTC 2016


I received some additional information below on this specific issue:

The issue was that some certs have information as part of the CN which probably shouldn't be public -- in the HMRC cases, it's a tax-related ID number specific to a given company, which probably ought to be private between that company and the tax offices. But they need certs including that number to exchange information with the tax offices. (Arguably that's a poorly designed system, but that's something to take up with HMRC -- the UK tax office.)

At one time, there was a suggestion that it would be okay to redact the CN back to the domain itself rather than publishing the full CN in cases of misissuance. That would certainly solve the problem in this case. If this was the resolution that you were thinking about, Gerv, and if it's still in play, then perhaps you are right and it is solved.

Dean

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Friday, January 15, 2016 10:10 AM
To: Dean Coclin <Dean_Coclin at symantec.com>; Sigbjørn Vik <sigbjorn at opera.com>; public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates

On 14/01/16 21:59, Dean Coclin wrote:
> On last week's call, I brought up this issue which Gerv thought was 
> solved. However, I couldn't find any resolution to it and am just 
> posting it here to jar people's memories. Is it still an issue?

I'm happy to admit I was wrong if I was wrong; however, I confess I don't really understand what the issue actually is, so people who do will need to work on it and tell us all the conclusion :-)

Gerv

