Dear Rufus,

I have several reasons why I think "white label" CAs (as seen in [0]) don't
fit the BR:

1.) Misleading

I think that "white label" CAs are at the very least misleading if the
"white labeled CA"'s certificate contains no clear indication that this CA
is not operated by the subject of the certificate.
The certificate chain would imply (without _clear_ indication of the
contrary) that the root CA found "WL company" to be trustworthy enough to
operate an intermediate CA, and that this "WL company" then issued the leaf
certificate. Because this implication is not true, the use of a "white
label" CA certificate is misleading, and such a CA would need to be revoked
according to BR s4.9.1.2 (6).

2.) Incorrect subject information due to incorrect determination of
Applicant.

In BR section 1.6.1 for the definition of Applicant: "[...] For
Certificates issued to devices, the Applicant is the entity that controls
or operates the device named in the Certificate, even if the device is
sending the actual certificate request". Although CA keys being signed is
not an obvious fit for this description, I think this is similar enough to
apply to CA certificates as well: CA keys are supposed to be inside
(secured) devices after all.

In the case of white-label CA certificates the Applicant is thus the CA
providing the white-label services. Subject validation should therefore
result in subject information of the operator, not the contracting party in
need of white-label CA services. Any other information would be incorrect
validation of subject information; thus requiring revocation as per BR
s4.9.1.2 (5).

3.) Invalid values in certificate fields due to WhiteLabeled Corp not being
a CA.

BR section 7.1.4.3 is clear about what information may be put in the
subject:organizationName and subject:countryName fields of CA certificates.

In an example, "WhiteLabeled Corp" consumes white-label CA services from
RootCA (where all but the name on the certificate is managed by and
operated by RootCA). WhiteLabeled Corp is not a CA for the BR in this case:
it does not provide any of the required services (CP/CPS, OCSP, CRL, etc.)
nor is it bound by the required contracts (subscriber / relying party
agreement). WhiteLabeled Corp thus cannot be considered the CA for
validation of s7.1.4.3 field forms, and its details thus cannot appear in
the subject:organizationName and subject:countryName fields of the
white-label CA certificates.

Kind regards,

Matthias

[0] https://crt.sh/?id=2392142934

On Thu, Mar 24, 2022 at 4:05 PM Buschart, Rufus <[email protected]>
wrote:

> Dear Matthias!
>
> I believe it’s industry best practice for CA operators to operate ‘white
> labeled’ CAs on behalf of their customers. The operator of the CA is being
> identified in the Certificate Policy field and the owner of the CA is
> stated in the Subject field. Where do you see a problem with this?
>
> With best regards,
> Rufus Buschart
>
> IT IPS SIP ET
> Freyeslebenstr. 1
> 91058 Erlangen, Germany
> Mobile: +49 (1522) 2894134
> mailto:[email protected] <[email protected]>
>
> *From:* [email protected] <[email protected]> *On
> Behalf Of *Matthias van de Meent
>
> Additionally, while not important for this inclusion request, it would be
> appreciated if DigiCert could provide their insights on the questions I
> raised in [0] on the subject of their practices; specifically the second
> question (reworded for brevity): Should a CA certificate be allowed to
> contain the subject of another company's name while this subordinate CA is
> (and will be) under full control of the CA, considering that leaf
> certificates signed with such CA will provide the (false) notion that the
> other company signed those leaf certificates?
>
> Kind regards,
>
> Matthias van de Meent
>
> [0]
> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/JLxGhM1pJ9w/m/21jQN3tSAwAJ
>
