I found out that the OV or EV validation of CAs is often lacking, and concerning the baseline requirements, data submitted for a TLS certificate should be valid and thus validated. So when a country is Amsterdam, that should fail, or when a city Utrecht is placed in the province Zuid-Holland, that should fail too. And in my belief these checks are not difficult: just implement the Google Maps API and you would probably fix 60% of the bad certificate data. But the thing I do not understand is when validating a company, which will use the certificate for whatever website, that requests a TLS certificate. Mostly the company registration office (for example KVK in the Netherlands) will supply the CA with correct data. If the data submitted by the certificate requester is incorrect, the certificate should never be issued. Period.
Here is a public link to a screenshot of the data found in the certificate: https://dl.dropboxusercontent.com/u/2676712/digicert.png

Lately I have discovered those issues with several DigiCert certificates, but they are not the only CA making those mistakes. And to be honest, those mistakes really downgrade the OV and/or EV value of the certificates to nothing more than a domain-validated, encryption-only TLS connection, as a result of this bad validation and, in my opinion, failure to comply with the baseline requirements. This could encourage phishing and distrust in TLS in general.

Kind regards,
Mike

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
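The kind of consistency check the message asks for (a country value that is not a country, a city placed in the wrong province) can be expressed as a plain hierarchy check over the subject's C, ST and L attributes. The block below is an added example, not code from the post or from any CA's validation system: it parses an RFC 4514-style subject DN string and checks the three geographic fields against a gazetteer. The gazetteer is a constructed, deliberately tiny table standing in for the real data source a CA would use (a national registry or a geocoding API such as the one the message suggests), and the DN strings are constructed test inputs. Note that a conforming X.509 encoder would already reject a country name longer than two characters, since RFC 5280 defines X520countryName as a PrintableString of size 2; the check here still reports it, because the same logic is useful on the raw CSR data before encoding.

```python
"""Geographic consistency check for OV/EV subject fields (C, ST, L).

Added example, not code from the mailing-list post or from any CA.
GAZETTEER is a constructed, deliberately tiny lookup table standing in for
a real source (national registry or geocoding service); a production check
would query such a source instead.
"""
import re

# Constructed gazetteer: ISO 3166-1 alpha-2 country -> province -> localities.
GAZETTEER = {
    "NL": {
        "Noord-Holland": {"Amsterdam", "Haarlem"},
        "Zuid-Holland": {"Rotterdam", "Den Haag", "Leiden"},
        "Utrecht": {"Utrecht", "Amersfoort"},
    },
    "US": {
        "California": {"San Francisco", "Los Angeles"},
        "Utah": {"Lehi", "Salt Lake City"},
    },
}


def parse_dn(dn):
    """Parse "C=NL, ST=Utrecht, L=Utrecht, O=Example BV" into a dict.

    Splits on commas that are not backslash-escaped (RFC 4514 escaping of a
    comma inside a value such as "O=Example\\, Inc."). Multi-valued RDNs are
    not handled; a later duplicate attribute overwrites an earlier one.
    """
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, _, value = part.partition("=")
        attrs[key.strip().upper()] = value.replace("\\,", ",").strip()
    return attrs


def check_subject(dn):
    """Return a list of findings; an empty list means C/ST/L are consistent."""
    attrs = parse_dn(dn)
    findings = []
    country, state, locality = attrs.get("C"), attrs.get("ST"), attrs.get("L")

    # The country anchors everything else, so stop early if it is unusable.
    if country is None:
        return ["C: missing"]
    if not re.fullmatch(r"[A-Z]{2}", country):
        return [f"C={country!r}: not an ISO 3166-1 alpha-2 code"]
    provinces = GAZETTEER.get(country)
    if provinces is None:
        return [f"C={country!r}: unknown country code (not in gazetteer)"]

    state_known = state is not None and state in provinces
    if state is not None and not state_known:
        findings.append(f"ST={state!r}: not a province of {country}")

    if locality is not None:
        if state_known:
            if locality not in provinces[state]:
                # Distinguish "wrong province" from "no such place at all".
                elsewhere = [p for p, cities in provinces.items() if locality in cities]
                if elsewhere:
                    findings.append(
                        f"L={locality!r}: lies in {elsewhere[0]}, not in ST={state!r}"
                    )
                else:
                    findings.append(f"L={locality!r}: not a known locality in ST={state!r}")
        elif not any(locality in cities for cities in provinces.values()):
            findings.append(f"L={locality!r}: not a known locality in {country}")
    return findings


# Constructed sample subjects: one consistent, three with the errors described.
SAMPLES = [
    "C=NL, ST=Utrecht, L=Utrecht, O=Example BV",
    "C=NL, ST=Zuid-Holland, L=Utrecht, O=Example BV",
    "C=NL, ST=Amsterdam, L=Amsterdam, O=Example BV",
    "C=Amsterdam, ST=Noord-Holland, L=Amsterdam, O=Example BV",
]


def run_samples():
    """Map each constructed subject to its findings."""
    return {dn: check_subject(dn) for dn in SAMPLES}


if __name__ == "__main__":
    for dn, findings in run_samples().items():
        print(dn, "->", findings or "OK")
```

Only the first sample comes back clean; the other three each yield a finding that would block issuance under the rule the message proposes. Swapping the constructed `GAZETTEER` for a real geographic source is the only change needed to make the check meaningful on live CSR data.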