Closed Bug 1163279 Opened 10 years ago Closed 10 years ago

EV Guidelines and CPS violation of WoSign

Categories

(NSS :: CA Certificates Code, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: i, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36

Steps to reproduce:

1. Open https://www.wosign.com/; you can see "诚信网站:WoSign 沃通电子认证服务有限公司" shown in the address bar.
2. Open https://www.evssl.cn/; you can see "可信网站:WoSign 沃通电子认证服务有限公司" shown in the address bar.

Actual results:

They add the prefix "诚信网站:" or "可信网站:" to the subject:organizationName field of certificates they sign. "诚信网站" means that this website is honest and has good integrity. "可信网站" means that this website can be trusted. This will mislead users and may violate the EV Guidelines:

"""
9.2.1 Subject Organization Name Field

Certificate field: subject:organizationName (OID 2.5.4.10)
Required/Optional: Required
Contents: This field MUST contain the Subject’s full legal organization name as listed in the official records of the Incorporating or Registration Agency in the Subject’s Jurisdiction of Incorporation or Registration or as otherwise verified by the CA as provided herein. A CA MAY abbreviate the organization prefixes or suffixes in the organization name, e.g., if the official record shows “Company Name Incorporated” the CA MAY include “Company Name, Inc.” When abbreviating a Subject’s full legal name as allowed by this subsection, the CA MUST use abbreviations that are not misleading in the Jurisdiction of Incorporation or Registration.

[EV Guidelines, v. 1.4.6, page 10]

In addition, an assumed name or DBA name used by the Subject MAY be included at the beginning of this field, provided that it is followed by the full legal organization name in parenthesis.

If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with section 11.11.1 and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the EV Certificate.
"""

And this also violates their own CPS:

"""
3.1.1.3. Class 3

For Class 3 Certificate, the subject:organizationName field may include information in this field that differs slightly from the verified name, the subscriber must provide some additional proof documents for this.
"""

I didn't see any additional proof documents required for these two prefixes.

Expected results:

The prefixes "可信网站:" and "诚信网站:" should be removed from the subject:organizationName field.
Summary: WoSIgn → EV Guildlines and CPS violation of WoSign
I have already disabled WoSign's CA certificate on my Mac
Assignee: nobody → nobody
Component: Security: PSM → CA Certificates
Product: Core → NSS
Version: unspecified → trunk
Richard, please look into this issue and respond in this bug.
Many thanks for your comments. I think this is compliant with the BR and EV Guide, which say "The CA may include information in this field that differs slightly from the verified name", and "provided that the CA documents the difference". We request that the subscriber provide additional proof documents, which is enough to add the prefix "诚信网站". We know someone may question this solution; this is why we added this sentence to our CPS: "For Class 3 Certificate, the subject:organizationName field may include information in this field that differs slightly from the verified name, the subscriber must provide some additional proof documents for this." But we really didn't add the detailed proof document information to the CPS; I think we should add it ASAP. Please let me know if anyone still has any questions, thanks.
(In reply to Richard Wang from comment #3)
> Very thanks for your comments.
> I think this is compliant with BR and EV Guide that it say "The CA may
> include information in this field that differs slightly from the verified
> name", and "provided that the CA documents the difference". We request
> subscriber provide additional proof documents that is enough for add the
> Prefix "诚信网站".

Richard,

Such language does NOT occur in the EV Guidelines, at least from what you've quoted. Please review the EV Guidelines 1.5.4 - https://cabforum.org/wp-content/uploads/EV-V1_5_4.pdf - section 9.2.1

This language is stronger than that of the Baseline Requirements, but their intent is the same. That is, "Inc" is a valid abbreviation for "Incorporated" (if and only if that abbreviation is well known and understood in the subject's jurisdiction of incorporation).

Further, your quote from the Baseline Requirements takes it out of context. I've reproduced in full the BR 1.3.0 Section 7.1.4.2.2, subsection b:

If present, the subject:organizationName field MUST contain either the Subject’s name or DBA as verified under Section 3.2.2.2. The CA may include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g., if the official record shows “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”. Because Subject name attributes for individuals (e.g. givenName (2.5.4.42) and surname (2.5.4.4)) are not broadly supported by application software, the CA MAY use the subject:organizationName field to convey a natural person Subject’s name or DBA.

I don't think you can argue that "可信网站" or "诚信网站" differ slightly, that they aren't ambiguous, and that they are not misleading.
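The organizationName rules quoted in this thread (EV Guidelines 9.2.1 and BR 7.1.4.2.2 subsection b), written out as a check that a CA's issuance pipeline or a relying party's certificate linter could run over a subject:organizationName value against the name verified in the incorporation records. This is an added example, not code from the bug, from WoSign or from Mozilla; the abbreviation table is an assumption for illustration, and the 64-character limit is the one from the quoted 9.2.1 text.

```python
import re

# Assumption: a small table of locally accepted abbreviations, following the
# BR example "Company Name Incorporated" -> "Company Name Inc." / "Company Name".
ABBREVIATIONS = {
    "Incorporated": ("Inc.", "Inc"),
    "Limited": ("Ltd.", "Ltd"),
    "Corporation": ("Corp.", "Corp"),
}
MAX_ORG_LEN = 64  # EV Guidelines 9.2.1: the field must not exceed 64 characters


def accepted_forms(legal_name):
    """The verified legal name plus its accepted abbreviated or shortened forms."""
    forms = {legal_name}
    for long_word, short_words in ABBREVIATIONS.items():
        pattern = r"\b%s\b" % re.escape(long_word)
        if not re.search(pattern, legal_name):
            continue
        for short in short_words:  # "... Incorporated" -> "... Inc."
            forms.add(re.sub(pattern, short, legal_name))
        # BR also allows dropping the suffix: "... Incorporated" -> "..."
        forms.add(re.sub(r",?\s*" + pattern, "", legal_name).strip())
    return forms


def check_org_name(org_field, legal_name):
    """Return (ok, reason) for a subject:organizationName value, given the
    full legal name the CA verified in the official registration records."""
    if len(org_field) > MAX_ORG_LEN:
        return False, "exceeds the 64-character limit"
    if org_field in accepted_forms(legal_name):
        return True, "verified legal name or accepted abbreviation"
    # An assumed/DBA name MAY lead the field, but only if the full legal
    # name follows it in parentheses.
    m = re.fullmatch(r"(?P<dba>.+?)\s*\((?P<legal>.+)\)", org_field)
    if m:
        if m.group("legal") == legal_name:
            return True, "assumed/DBA name followed by full legal name in parentheses"
        return False, "parenthesised name %r is not the verified legal name" % m.group("legal")
    # Any other decoration around the legal name is unverified text that can
    # mislead a relying party, e.g. the "诚信网站:" prefix discussed in this bug.
    if legal_name in org_field:
        extra = org_field.replace(legal_name, "", 1).strip(" :：,-")
        return False, "unverified text %r added to the legal name" % extra
    return False, "does not match the verified legal name"
```

The WoSign value from the bug report fails the check with the prefix identified as unverified text, while the BR's own "Company Name Inc." and "Company Name" examples and a "DBA (Full Legal Name)" form pass.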
Thanks for your comments, Ryan. If you think this is NOT OK, then we can stop adding these two words "可信网站" or "诚信网站", and we will update our website and related systems ASAP.
And we have another situation where we add "党政机关" (means Government Entity) to the government EV SSL for ".gov.cn", like this website: https://mail.miit.gov.cn/ (O = 党政机关:工业和信息化部). I think this just adds the "2.5.4.15 = Government Entity" to the O field so that end users can easily identify the Government Entity, since so many Chinese government websites are spoofed. And "事业单位" (means Non-Commercial Entity) and "学校" (means School), since so many of those websites are spoofed in China. @ Ryan Sleevi, I think these 3 prefixes are a different situation; please advise if this is compliant or not, thanks.
UPDATE: we replaced the two sites' certificates with standard EV SSL (https://www.wosign.com, https://www.evssl.cn/), and we updated the related product introduction pages. Thanks for your help.
Looks like WoSign has addressed the concerns. Shall we close this bug as resolved?
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME