Thank you, Maria, for sharing your opinion.

I'd love to hear from others as well...

Adriano


On 09/01/2024 17:54, Maria Merkel wrote:

Hello Adriano,

I'm not sure whether I have posting permissions for this list, but I will try anyway.

I do believe this is a wider issue than just one for S/MIME. I had recently noticed that a CA had issued a TLS server certificate to a company that no longer exists (as the company had merged into a new company, and the legal entity in the certificate has been dissolved as a result). I had reported this to the CA, who have decided not to revoke the certificate (and have, in fact, issued at least one further certificate to the company), despite me having shared government-provided evidence of the company having been dissolved, because they were able to verify the name via a "reliable source" (presumably D&B or Google).

I looked into this further at the time and it seems like this is currently perfectly compliant with the BR, but surely adding a rule prohibiting CAs from including information they know to be incorrect, even if it is "verifiable", would make sense?

Regarding companies in liquidation, I am not sure these should be prohibited from obtaining certificates. Companies in liquidation may continue to operate for a significant amount of time under management of their liquidator, and it doesn't seem unlikely that for some companies it may be required (or at least desired) to obtain certificates during that time.

Maria Merkel

On Tue, Jan 9, 2024 at 5:44 PM Adriano Santoni via Smcwg-public <smcwg-public@cabforum.org> wrote:

    Hello all,

    Authentication of organization identity involves the collection of
    some attributes and their validation. To collect these attributes,
    a CA typically queries a reliable third-party source, e.g. the
    business register of the relevant country. Among the attributes
    that can be found in these sources there is normally also the
    /operational status/ of the company, such as e.g. ACTIVE or CEASED.

    To me, it seems logical that a certificate should not be issued to
    a ceased company, but this is not specified in the SMBR. I believe
    we should specify it.

    In the current SMBR, the entity status is required to be ACTIVE
    only in the particular case of inserting an LEI reference in the
    certificate (which is not mandatory), but not in the more general
    case. Perhaps an oversight?

    A company that has gone out of business (e.g. in liquidation) may
    still "exist" in a certain way for some time (you can still check
    any other data regarding it, in the company registry), but it is
    still a defunct company to which in my opinion, a certificate
    should not be issued. I can imagine that someone will have a
    different opinion and say that there is no problem in issuing a
    certificate to a company in liquidation. But then, I see no reason
    why we require the entity status to be ACTIVE "If an LEI data
    reference is used".

    I therefore propose to include a clarification in the SMBRs
    (possibly in section 3.2.3.1) that the operational status of the
    company is one of the attributes to be collected, and that it must
    be ACTIVE (or the equivalent according to the terminology of the
    relevant country), regardless of whether an LEI reference is used
    or not in the certificate.

    Adriano

    PS: In my opinion, this also affects the BRs and the CSBRs.


    _______________________________________________
    Smcwg-public mailing list
    Smcwg-public@cabforum.org
    https://lists.cabforum.org/mailman/listinfo/smcwg-public
