Changes


CA/Certinomis Issues

1,404 bytes added, 22:55, 7 May 2019
Issue G: Use of BR Domain Validation Method 3.2.2.4.5 After Deadline: Updated with Certinomis response
On 31-January, 2019, it was [https://bugzilla.mozilla.org/show_bug.cgi?id=1524451 reported that Certinomis issued two certificates in July of 2018 containing invalid CRL references in the CDP extension]. One is https:// and the other is not a URI. One of these certificates was revoked on 22-February, 2019, and the other has not been revoked as of 9-April.
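As an added example (not part of the wiki page or of any Mozilla or Certinomis tooling), a Go check that flags the two CDP defects described above, an https:// value and a value that is not a URI, against the BR requirement of an HTTP URL; the certificate it lints is a constructed self-signed test certificate, and the CRL hostnames are placeholders:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// LintCDP returns one finding per CRL Distribution Point that is not a well-formed http:// URL.
func LintCDP(cert *x509.Certificate) []string {
	var findings []string
	for _, cdp := range cert.CRLDistributionPoints {
		u, err := url.Parse(cdp) // net/url lowercases the scheme on parse
		switch {
		case err != nil || u.Scheme == "" || u.Host == "":
			findings = append(findings, fmt.Sprintf("%q: not a valid URI", cdp))
		case u.Scheme != "http":
			findings = append(findings, fmt.Sprintf("%q: scheme %q is not http", cdp, u.Scheme))
		}
	}
	return findings
}
// BuildTestCert makes a constructed self-signed test certificate (not a real Certinomis certificate) carrying the given CDP values.
func BuildTestCert(cdps []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter:     time.Now().Add(time.Hour), CRLDistributionPoints: cdps,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
func main() {
	cert, err := BuildTestCert([]string{"http://crl.example/ca.crl", "https://crl.example/ca.crl", "crl.example/ca.crl"})
	if err != nil {
		panic(err)
	}
	fmt.Println(LintCDP(cert)) // the https:// entry and the non-URI entry are reported
}
```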
=== <s>Issue G: Use of BR Domain Validation Method 3.2.2.4.5 After Deadline </s> ===
The BRs set a deadline of 1-August, 2018 for CAs to stop using this method due to serious [https://cabforum.org/pipermail/public/2017-December/012630.html vulnerabilities that were identified]. This concern was communicated in Mozilla's [[CA/Communications#January_2018_CA_Communication|January 2018 and September 2018 CA Communications]]. In a [https://bugzilla.mozilla.org/show_bug.cgi?id=1544933 bug that was recently filed describing the issuance of a certificate containing an unregistered domain name], Certinomis implied that BR method 3.2.2.4.5 was used to validate that certificate. Upon further questioning, [https://bugzilla.mozilla.org/show_bug.cgi?id=1544933#c9 Certinomis stated that BR method 3.2.2.4.5 was still in use].
 
 
[CERTINOMIS RESPONSE] [https://bugzilla.mozilla.org/show_bug.cgi?id=1544933#c12 Certinomis confirmed] that the following [https://bugzilla.mozilla.org/show_bug.cgi?id=1544933#c11 comment from a former employee] is correct:
 
''I think there is a misunderstanding; the validation process described by François is only applicable to French RGS server certificates with "clientAuth" key usage (so not under BR rules).''
 
''For PTC (i.e. with "serverAuth" key usage) on 1st August 2018 the only validation methods that shall be applied by RA operators are the well-known phone call process and the email validation to the addresses defined in the BR (webmaster@ admin@...).''
 
''These two validation methods were manual ones, so subject to human errors.''
''Before I left there was some development to allow the applicant to validate the domains before filling in any application forms.''

''This new automated validation feature was to be available by the end of 2018.''

''I understand that this new feature has been developed and not yet used in production, and that a human validation error has been made by an RA operator confused by the fact that the organisation was "COMMUNE LE CANNET" and by the fact that the applicant also made an error in the CSR containing a '-' instead of a '.' to separate the domain name in the FQDN (mediatheque-lecannet.fr instead of mediatheque.lecannet.fr).''