(Resend, after error "The message could not be delivered to the following recipient:")
Here's a nice example of Mozilla not fully understanding Organization
information in certificates: "www.facebook.com".

Firefox says, for "https://www.facebook.com",

"This web site does not supply ownership information".

But, in fact, not only does it supply ownership information
(the Subject contains O, L, ST, and C), DigiCert, which generated
the certificate, promises in their CPS that the info is valid.
DigiCert attached Policy OID 2.16.840.1.114412.1.1, promising
valid organization data.

Remember, there are three levels of certs now: DV, OV, and EV.
The CA/Browser Forum has established (finally) standard policy
OIDs for them, but these are still optional. They are

OID 2.23.140.1.2.1 - DV (domain validated only)
OID 2.23.140.1.2.2 - OV (organization validated)
OID 2.23.140.1.1   - EV (extended validation)

These standard Policy OIDs are relatively new, though, and not
widely used yet.

Originally, each CA had its very own EV Policy OID.
(There's a list in Wikipedia, painfully put together.)

Without much notice, the same thing was done for
OV certs. DigiCert's Certification Practice Statement
(https://www.digicert.com/docs/cps/DigiCert_CP_v406-May-14-2014.pdf)
lists the values DigiCert uses.

OID 2.16.840.1.114412.1.2  - DV (Domain‐Validated SSL)
OID 2.16.840.1.114412.1.1 -  OV (Organizationally‐Validated SSL)
OID 2.16.840.1.11441 -       EV (Extended Validation SSL Certificates)

These are in wide use; I'm finding lots of them in the certificate
dumps. (Does anyone have the full list? Is there any reason not
to make it public? The info is in the Certification Practice
Statements of each CA.)

Firefox understands the EV values for each CA, but not, apparently,
the OV values. That, I think, is a bug, one which affects
high-profile sites.

                        John Nagle
                        SiteTruth
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
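The lookup a browser has to perform to tell an OV cert from a DV one, as an added example that is not part of the original post nor Mozilla's code: a dependency-free walk of a DER-encoded certificatePolicies extension value, mapping the policy OIDs it finds against the CA/Browser Forum values and the DigiCert CPS values quoted in the post. The sample extension bytes and the CPS URL in them are constructed here; the `der`, `tlvs`, `oid_str`, `policy_oids` and `validation_level` names are this example's own.

```python
def der(tag, body):                          # short-form DER TLV (body < 128 bytes)
    return bytes([tag, len(body)]) + body

def tlvs(buf):
    """Yield (tag, body) for each DER TLV in buf; handles short and long-form lengths."""
    i = 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                        # long form: low 7 bits = count of length bytes
            n = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + ln]
        i += ln

def oid_str(body):
    """Decode OID content octets (base-128 arcs; first two arcs packed into one) to dotted form."""
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    lead = 2 if arcs[0] >= 80 else arcs[0] // 40
    return ".".join(map(str, [lead, arcs[0] - 40 * lead] + arcs[1:]))

def policy_oids(ext_value):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation {policyIdentifier OID, qualifiers OPTIONAL}."""
    _, seq = next(tlvs(ext_value))
    return [oid_str(next(tlvs(info))[1]) for _, info in tlvs(seq)]  # first element is the OID

# CA/Browser Forum OIDs, plus DigiCert's own values from the CPS quoted in the post.
CABF = {"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV", "2.23.140.1.1": "EV"}
DIGICERT = {"2.16.840.1.114412.1.2": "DV", "2.16.840.1.114412.1.1": "OV"}
RANK = ["DV", "OV", "EV"]

def validation_level(ext_value, ca_table=DIGICERT):
    """Highest level asserted by a recognised policy OID, or 'unknown' when none is recognised."""
    known = {CABF.get(o, ca_table.get(o)) for o in policy_oids(ext_value)} - {None}
    return max(known, key=RANK.index) if known else "unknown"

# Constructed sample extension values (not captured from a real certificate).
CPS_QUALIFIER = der(0x30, der(0x06, bytes.fromhex("2B06010505070201"))       # id-qt-cps 1.3.6.1.5.5.7.2.1
                          + der(0x16, b"https://example.com/cps"))           # IA5String, placeholder URL
DIGICERT_OV = der(0x30, der(0x30, der(0x06, bytes.fromhex("6086480186FD6C0101"))  # 2.16.840.1.114412.1.1
                              + der(0x30, CPS_QUALIFIER)))
CABF_OV = der(0x30, der(0x30, der(0x06, bytes.fromhex("67810C010202"))))         # 2.23.140.1.2.2

if __name__ == "__main__":
    print(policy_oids(DIGICERT_OV), validation_level(DIGICERT_OV, ca_table={}), validation_level(DIGICERT_OV))
    print(validation_level(CABF_OV, ca_table={}))
```

Without the per-CA table the DigiCert-only certificate comes back "unknown", which is the situation the post describes; the CA/B Forum OID is recognised with no table at all.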
