On Fri, Nov 01, 2019 at 11:08:23AM +0100, Matthias van de Meent via dev-security-policy wrote:
> Hi,
>
> I recently noticed that a lot of leaf certificates [0] have
> organizationalUnitName specified without other organizational
> information such as organizationName. Many times this field is used
> for branding purposes, e.g. "issued through <someone's kpi manager>"
> or "SomeBrand SSL".
>
> BR v1.6.6 § 7.1.4.2.2i has guidance on usage of the OU field: "The CA
> SHALL implement a process that prevents an OU attribute from including
> a name, DBA, tradename, trademark, address, location, or other text
> that refers to a specific natural person or Legal Entity unless the CA
> has verified this information in accordance with Section 3.2 and the
> Certificate also contains subject:organizationName, ,
> subject:givenName, subject:surname, subject:localityName, and
> subject:countryName attributes, also verified in accordance with
> Section 3.2.2.1."
>
> As the organizationName and other related attributes are not set in
> many of those certificates, even though e.g. "COMODO SSL Unified
> Communications" is a very strong reference to Sectigo's ssl branding &
> business, I believe the referenced certificate is not issued in line
> with the BR.
>
> Is the above interpretation of BR section 7.1.4.2.2i correct?
That OU clearly doesn't have anything to do with the subject that was validated, so I also consider that a misissue.

Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
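A mechanical check for the condition Matthias describes, written as an added example for this thread and not code from either poster or from any CA's issuance pipeline: it flags a subject that carries an organizationalUnitName without the organizationName, localityName and countryName attributes BR 7.1.4.2.2(i) requires alongside it. The sample subjects are constructed, `subject_from_pem` and the OID-to-name mapping are this example's own helpers, and the check leaves the judgement of whether the OU text "refers to a specific natural person or Legal Entity" to a human reviewer; it only surfaces the certificates worth looking at.

```python
"""Flag subjects whose OU is not accompanied by the attributes that
BR v1.6.6 section 7.1.4.2.2(i) requires next to it.

Added example for the dev-security-policy thread; not code from the
thread or from any CA."""
from typing import Dict, Iterable, List, Tuple

# Attributes the BR text lists as required alongside an OU that refers to
# a person or legal entity. The BR also lists givenName and surname; this
# example's simplification (an assumption, not BR text) is to treat those
# as relevant only to natural-person subjects and not to require them here.
REQUIRED_WITH_OU = ("organizationName", "localityName", "countryName")

# A subject is a sequence of (attribute type, value) pairs in RDN order.
Subject = Iterable[Tuple[str, str]]


def check_ou_against_br(subject: Subject) -> List[str]:
    """Return findings for one subject; an empty list means nothing to flag.

    Deliberately mechanical: any OU without the accompanying verified
    attributes is reported for review, because deciding whether the OU
    text refers to a specific person or legal entity needs a human.
    """
    attrs: Dict[str, List[str]] = {}
    for typ, value in subject:
        attrs.setdefault(typ, []).append(value)

    ous = attrs.get("organizationalUnitName", [])
    if not ous:
        return []  # no OU, so 7.1.4.2.2(i) has nothing to say

    missing = [a for a in REQUIRED_WITH_OU if a not in attrs]
    if not missing:
        return []  # O, L and C present: OU text may name the verified entity

    return [
        "OU %r present but subject lacks %s; under BR 7.1.4.2.2(i) the OU "
        "must not refer to a natural person or legal entity, so review it"
        % (ous, ", ".join(missing))
    ]


def subject_from_pem(pem: bytes) -> List[Tuple[str, str]]:
    """This example's own helper: read a PEM certificate's subject into the
    (type, value) form check_ou_against_br expects, via pyca/cryptography.
    Imported lazily so the rest of the file runs without the library."""
    from cryptography import x509
    from cryptography.x509.oid import NameOID

    names = {
        NameOID.COUNTRY_NAME: "countryName",
        NameOID.STATE_OR_PROVINCE_NAME: "stateOrProvinceName",
        NameOID.LOCALITY_NAME: "localityName",
        NameOID.ORGANIZATION_NAME: "organizationName",
        NameOID.ORGANIZATIONAL_UNIT_NAME: "organizationalUnitName",
        NameOID.COMMON_NAME: "commonName",
        NameOID.GIVEN_NAME: "givenName",
        NameOID.SURNAME: "surname",
    }
    cert = x509.load_pem_x509_certificate(pem)
    return [(names.get(a.oid, a.oid.dotted_string), str(a.value))
            for a in cert.subject]


# Constructed sample subjects, modelled on the shapes the thread describes
# (a DV certificate with a branding OU, a plain DV, and an OV with an OU).
SAMPLES: Dict[str, List[Tuple[str, str]]] = {
    "dv-with-branding-ou": [
        ("organizationalUnitName", "SomeBrand SSL"),
        ("commonName", "www.example.com"),
    ],
    "dv-plain": [("commonName", "www.example.com")],
    "ov-with-ou": [
        ("countryName", "GB"),
        ("localityName", "Salford"),
        ("organizationName", "Example Ltd"),
        ("organizationalUnitName", "Example Ltd Web Team"),
        ("commonName", "www.example.com"),
    ],
}

if __name__ == "__main__":
    for label, subject in SAMPLES.items():
        findings = check_ou_against_br(subject)
        print(label, "->", findings or "ok")
```

Point `subject_from_pem` at a real certificate (for example one pulled from a CT log) and feed the result to `check_ou_against_br` to get the same finding for the "COMODO SSL Unified Communications" shape Matthias mentions; the design choice is to report every OU-without-O subject rather than to guess from the OU text, since the BR condition is about what the text refers to, not what it looks like.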