On Mon, Apr 23, 2018 at 1:11 PM, Henri Sivonen via dev-security-policy <
[email protected]> wrote:

> First, it seems to me that the Baseline Requirements allow
> transformations of the organization's name only if the CA documents
> such transformations. I am unable to find such documentation in
> DigiCert's CP and CPS documents. Am I missing something?
>

At present, these are not required to be in the public documentation.
Merely, the requirement is that the CA "documents" - i.e. it is presently
acceptable to only include this documentation in information provided to
the auditors.


> Second, while verifying that the applicant indeed represents a
> specific real organization is a difficult problem, in the case where
> the country that the certificate designates operates an
> online-queryable database of registered businesses, associations,
> etc., it should be entirely feasible to eliminate the failure mode
> where the certificate's organization field is (absent documented
> transformations permitted under the Baseline Requirements) not
> canonically equivalent (in the Unicode sense) to the name of any
> organization registered in the country that the certificate
> designates. That (inferring from the certificate for
> www.alandsbanken.fi) there isn't a technical process that would by
> necessity remove diacritical marks from the organization field and
> that the certificate for www.saastopankki.fi has them removed is
> strongly suggestive that DigiCert's process for validating
> Finland-based organizations does not include as a mandatory part either
> the retrieval of the organization's name via an online API to the
> business registry or a human CA representative copying and pasting the
> organization's name from a browser view to the business registry.
>

The Baseline Requirements do not dictate the datasource used in various
jurisdictions. Thus even when there is a canonical source through
legislation, the BRs do not require its use.


> I wonder: When a given country
> has an online-queryable business registry, why isn't it either
> recommended or required to import names digitally from the business
> registry into certificates? Such practice would eliminate the failure
> mode of the certificate designating a name that doesn't match any
> entry in the business registry for such country. (Obviously, if it was
> _required_, the BRs would need to include a list of countries whose
> business registry is considered online-queryable in the sense that the
> requirement would apply, but unwillingness to maintain such a list
> does not explain why it isn't even recommended.)
>

"Recommended" is pointless. Required is the only thing that makes sense,
and the complexities and overhead involved precisely explain why it isn't
required.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy