On Fri, Jun 14, 2019 at 4:12 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> In such a case, there are two obvious solutions:
>
> A. Trademark owner (prompted by applicant) provides CA with an official
> permission letter stating that Applicant is explicitly licensed to
> mark the EV certificate for a specific list of SANs and Subject
> DNs with their specific trademark (This requires the CA to do some
> validation of that letter, similar to what is done for domain
> letters).

This process has been forbidden since August 2018, as it is fundamentally insecure, especially as practiced by a number of CAs. The Legal Opinion Letter (LOL) has also been discussed at length with respect to a number of problematic validations that have occurred, due to CAs failing to exercise due diligence or their obligations under the NetSec requirements to adequately secure and authenticate the parties involved in validating such letters.

> Letter needs to be reissued for end-of-period cert
> renewals, but not for unchanged early reissue where the cause is not
> applicant loss of rights to items. For example, if the Heartbleed
> incident had occurred mid-validity, the web server security teams
> could get reissued certificates with uncompromised private keys
> without repeating this time consuming validation step.

EV certificates require explicit authorization by an authorized representative for each and every certificate issued. A key rotation event is one to be especially defensive about, as an attacker may be attempting to bypass the validation procedures to rotate to an attacker-supplied key. This was an intentional design by CAs, in an attempt to provide some value over DV and OV certificates by the presumed difficulty in substituting them.