I agree with the OV, EV, and IV. Admittedly, DV certs, which constitute almost all the certs, are relatively new to DigiCert, so that's partly where the question arises. We identified it as the key holder or the domain holder. Hence, we'd revoke with confirmation of a domain validation. The reseller could be the subscriber, but I'm not sure how we tell with DV certs. This is especially true with legacy Symantec customers, where we are still trying to establish the personal relationship and understand their use cases, communication expectations, etc.
-----Original Message-----
From: Peter Bowen <pzbo...@gmail.com>
Sent: Wednesday, February 28, 2018 12:14 PM
To: Jeremy Rowley <jeremy.row...@digicert.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: How do you handle mass revocation requests?

On Wed, Feb 28, 2018 at 9:37 AM, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Once we were alerted, the team kicked off a debate that I wanted to bring to the CAB Forum. Basically, our position is that resellers do not constitute subscribers under the Baseline Requirements' definitions (Section 1.6.1). As such, we needed to confirm that either the key was compromised or that the revocation was authorized by the domain holder (the subscriber) prior to revoking the certificate. The certificates were not alleged as compromised at that time.
>
> This raises a question about the MDSP policy and CAB Forum requirements. Who is the subscriber in the reseller relation? We believe this to be the key holder. However, the language is unclear. I think we followed the letter and spirit of the BRs here, but I'd like feedback, perhaps leading to a ballot that clarifies the subscriber in a reseller relationship.

For certs with subject identity information (commonly called IV, OV, and EV certs), there is no question about the subscriber. The Subscriber is the entity identified in the subject: "The Subject is either the Subscriber or a device under the control and operation of the Subscriber."

For certificates without subject identity information (DV certificates), the certificate does not list the subscriber. However, the CA clearly knows the subscriber, as the subscriber is the "natural person or Legal Entity to whom a Certificate is issued and who is legally bound by a Subscriber Agreement or Terms of Use". In some cases the "reseller" might be the subscriber, if the reseller is a hosting company and is the one that accepts the subscriber agreement, but in the traditional reseller model their customer is the subscriber, as the reseller's customer is the one accepting the subscriber agreement.

Given that DigiCert appears to have contact information for the Trustico customers, that suggests that the Trustico customer is likely the subscriber, but looking at IV/OV/EV certificates (if any) should tell for sure.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy