[cabfpub] Misissuance of certificates

Ryan Sleevi sleevi at google.com
Thu Jan 28 04:55:24 UTC 2016


On Jan 27, 2016 7:36 PM, "Dean Coclin" <Dean_Coclin at symantec.com> wrote:
>
> I think we still need to refine mis-issuance as defined below. It
currently
> presents a very onerous obligation that seems unwarranted in some cases.
Let
> me give an example:
>
> Suppose my hypothetical business, "Dean's Wine Shop", submits a CSR with
the
> name mistyped as "Dean's WineShop". The CA receives the CSR, doesn't catch
> the typo, and issues the certificate. Now I get it back, realize I made a
> typo and inform the CA. The CA fixes it and immediately reissues the
> certificate. Does this disclosure requirement suddenly kick in?  Did the
CA
> "mis-issue" the certificate?  I fail to see how the public is helped by
this
> information (unless we are turning this into some Consumer Reports rating
to
> show how many times CAs make typos).

Doesn't the CA have an obligation to verify that the information as it
appears within the subject has been validated? Wouldn't this have failed in
the case of such a typo?

The BRs spend a significant amount of time detailing the needs for names to
be meaningful and validated, and it would be of interest to the general
public and to root stores to know if there are patterns emerging - both
within a single CA, but also within the industry at large - that suggest
the current controls in the BRs are inadequate - or too onerous.

>
> Perhaps I'm missing something and I'm happy to be enlightened.
>
> Thanks
> Dean
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160127/ceec6045/attachment-0003.html>


More information about the Public mailing list