Closed Bug 1586604 Opened 2 years ago Closed 2 years ago

DigiCert: TERENA: No localityName in EV precert

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: michel, Assigned: jeremy.rowley)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0

Steps to reproduce:

I found two unrevoked EV precertificates issued by TERENA that don't have a localityName in subject:
https://crt.sh/?id=1939176197&opt=cablint,ocsp
https://crt.sh/?id=1939178334&opt=cablint,ocsp

I couldn't find corresponding leaf certificates.

Assignee: wthayer → jeremy.rowley
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Summary: TERENA: No localityName in EV precert → DigiCert: TERENA: No localityName in EV precert
Whiteboard: [ca-compliance]

Locality is not a required field. Per Section 9.2.6 of the EV Guidelines, a state or locality is required, but not both. This is a false positive.

(Note that the EV Guidelines actually reference the BRs in the section.)

Certificate Field: subject:localityName (OID: 2.5.4.7)
Required if the subject:organizationName field, subject:givenName field, or subject:surname field are present and the subject:stateOrProvinceName field is absent.
Optional if the subject:stateOrProvinceName field and the subject:organizationName field, subject:givenName field, or subject:surname field are present.
Prohibited if the subject:organizationName field, subject:givenName, and subject:surname field are absent.
Contents: If present, the subject:localityName field MUST contain the Subject’s locality information as verified under Section 3.2.2.1. If the subject:countryName field specifies the ISO 3166-1 user-assigned code of XX in accordance with Section 7.1.4.2.2(g), the localityName field MAY contain the Subject’s locality and/or state or province information as verified under Section 3.2.2.1.

The certificate includes the state, but not the locality, which is appropriate for this organization.
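The presence rule quoted above, written out as a small lint check; this is an added example, not code from the bug, the BRs, or any of the linters discussed, and the subject values in it are constructed. It places the BR-faithful check beside an over-strict "locality always required" check of the kind that produces the false positive described here.

```python
# Evaluates the BR subject:localityName presence rule (required / optional /
# prohibited) against a certificate subject given as a dict of attribute
# names to values. Example code only; not taken from any real linter.

# Attributes whose presence makes the subject an organizational one.
ORG_LIKE = ("organizationName", "givenName", "surname")

def locality_requirement(subject: dict) -> str:
    """Classify localityName as 'required', 'optional' or 'prohibited'
    following the BR wording quoted in the bug."""
    has_org_like = any(subject.get(attr) for attr in ORG_LIKE)
    has_state = bool(subject.get("stateOrProvinceName"))
    if not has_org_like:
        return "prohibited"      # no O / givenName / surname at all
    if not has_state:
        return "required"        # O present, state absent -> L needed
    return "optional"            # O and state present -> L may be omitted

def check_locality(subject: dict) -> list:
    """BR-faithful check: returns a list of findings (empty means clean)."""
    requirement = locality_requirement(subject)
    present = bool(subject.get("localityName"))
    if requirement == "required" and not present:
        return ["localityName required: organization present, "
                "stateOrProvinceName absent"]
    if requirement == "prohibited" and present:
        return ["localityName prohibited: no organizationName, givenName "
                "or surname in subject"]
    return []

def naive_ev_check(subject: dict) -> list:
    """Over-strict check that treats localityName as mandatory whenever an
    organizationName is present; this is the false-positive behaviour."""
    if subject.get("organizationName") and not subject.get("localityName"):
        return ["localityName missing"]
    return []

# Constructed subject shaped like the case in this bug: O and ST set, no L.
ORG_WITH_STATE_ONLY = {
    "countryName": "NL",                         # constructed value
    "stateOrProvinceName": "Example Province",   # constructed value
    "organizationName": "Example Organisation",  # constructed value
}
```

Running the two checks over `ORG_WITH_STATE_ONLY` shows the BR-faithful check reporting nothing while the naive check flags the missing locality, which is exactly the disagreement between the linters and the Guidelines noted in this bug.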

I agree with Jeremy that crt.sh's opt=cablint feature is showing a false positive here. A Pull Request was opened well over a year ago to fix this upstream (https://github.com/awslabs/certlint/issues/65), but unfortunately it's still waiting.

opt=x509lint also reports a false positive at the moment. As it happens, I opened https://github.com/kroeckx/x509lint/pull/32 a few days ago to fix this upstream. (BTW, on this PR I noted how unfortunate/misleading it is that EVG 9.2.6 still has a "(where applicable)" next to "State or province", even though "City or town" is now equally optional).

opt=zlint doesn't report a false positive. ZLint seems to be much more actively maintained than certlint/cablint or x509lint these days.

I'm sorry for this misreport. I saw that both tools reported an error, so I assumed that there is an issue and I didn't read the Guidelines again. I will try to be more careful in the future.

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID

No problem Michel! Thanks a ton for the input and flagging it.
