GoDaddy: DV certificates with organizationalUnit field in subject
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: ryan.sleevi; Assigned: jfox
Details: Whiteboard: [ca-compliance] [dv-misissuance]
GoDaddy has issued a number of certificates asserting the DV policy OID (2.23.140.1.2.1), but which contain an organizationalUnit within the Subject field.
The Baseline Requirements 7.1.4.2.2(i) places restrictions on when the organizationalUnit field can appear within a certificate.
For example, https://crt.sh/?q=aed2d43c2a0d8e1291ef2124062970c408cfe47e14ac62ac868d1197856682d6 and https://crt.sh/?q=28295c7ee49eae3bd51b3e6e51cb24178493190740d1356c663d743078f34357 contain an OU "Domain Control Validated".
Previously, this had been discussed in Bug 1593776 and within the CA/Browser Forum.
Please provide an Incident Response for this issue.
Section 7.1.4.2.2 provides:
The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 3.2 and the Certificate also contains subject:organizationName, subject:givenName, subject:surname, subject:localityName, and subject:countryName attributes, also verified in accordance with Section 3.2.2.1.
GoDaddy does not list any name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity in the OU field for any of its DV certificates. This is clear in the examples to which you linked in Bug 1662810. In each case, GoDaddy lists "Domain Control Validated" in the OU field. "Domain Control Validated" does not refer to a specific natural person or Legal Entity. As this phrase is contained in all GoDaddy issued DV certificates, GoDaddy remains compliant with the Baseline Requirements.
Nevertheless, we remain cognizant of the debate in the SSL community related to this section and will continue to align with any amendments to the Baseline Requirements.
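As an added illustration (not code from the bug, from GoDaddy or from Mozilla), here is a small Go linter for the condition the bug describes: a certificate that asserts the DV policy OID 2.23.140.1.2.1 while carrying an organizationalUnit in its subject. It follows the reporter's reading of the 7.1.4.2.2 text quoted above, so each finding also lists which of the companion attributes named there (organizationName, localityName, countryName) are absent; givenName and surname are not exposed on pkix.Name and are left out of the check. The certificate it examines is a self-signed test certificate it builds itself; the name www.example.test and the OU text are constructed inputs, and the policy OIDs are read from the raw certificatePolicies extension rather than from the convenience fields on x509.Certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// The CA/B Forum DV policy OID named in the bug report, and the
// id-ce-certificatePolicies extension OID from RFC 5280.
var (
	oidCABFDomainValidated    = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidExtCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
)

// policyInformation mirrors RFC 5280 PolicyInformation; the qualifiers are
// kept as a raw value because the lint only needs the policy OID.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// PolicyOIDs reads the policy OIDs straight from the raw certificatePolicies
// extension, so the check does not depend on how a given Go release fills the
// PolicyIdentifiers/Policies fields of x509.Certificate.
func PolicyOIDs(cert *x509.Certificate) ([]asn1.ObjectIdentifier, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidExtCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		rest, err := asn1.Unmarshal(ext.Value, &infos)
		if err != nil {
			return nil, fmt.Errorf("certificatePolicies: %w", err)
		}
		if len(rest) != 0 {
			return nil, fmt.Errorf("certificatePolicies: %d trailing bytes", len(rest))
		}
		oids := make([]asn1.ObjectIdentifier, 0, len(infos))
		for _, pi := range infos {
			oids = append(oids, pi.Policy)
		}
		return oids, nil
	}
	return nil, nil // no certificatePolicies extension at all
}

// AssertsDV reports whether the certificate carries the DV policy OID.
func AssertsDV(cert *x509.Certificate) (bool, error) {
	oids, err := PolicyOIDs(cert)
	if err != nil {
		return false, err
	}
	for _, oid := range oids {
		if oid.Equal(oidCABFDomainValidated) {
			return true, nil
		}
	}
	return false, nil
}

// LintDVSubjectOU returns one finding per organizationalUnit value in the
// subject of a certificate that asserts the DV policy OID. Each finding lists
// which of organizationName, localityName and countryName are absent from the
// subject. An empty result means there is nothing to report.
func LintDVSubjectOU(cert *x509.Certificate) ([]string, error) {
	dv, err := AssertsDV(cert)
	if err != nil || !dv {
		return nil, err
	}
	var missing []string
	if len(cert.Subject.Organization) == 0 {
		missing = append(missing, "organizationName")
	}
	if len(cert.Subject.Locality) == 0 {
		missing = append(missing, "localityName")
	}
	if len(cert.Subject.Country) == 0 {
		missing = append(missing, "countryName")
	}
	var findings []string
	for _, ou := range cert.Subject.OrganizationalUnit {
		findings = append(findings, fmt.Sprintf(
			"serial %s: DV policy %s asserted but subject carries OU=%q; subject lacks %v",
			cert.SerialNumber, oidCABFDomainValidated, ou, missing))
	}
	return findings, nil
}

// SelfSignedDVCert builds a constructed, self-signed test certificate that
// asserts the DV policy OID and carries the given OU values. The policies
// extension is hand-encoded through ExtraExtensions for the same reason
// PolicyOIDs parses it by hand.
func SelfSignedDVCert(ou []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	polValue, err := asn1.Marshal([]policyInformation{{Policy: oidCABFDomainValidated}})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:         "www.example.test", // constructed test name
			OrganizationalUnit: ou,
		},
		DNSNames:        []string{"www.example.test"},
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidExtCertificatePolicies, Value: polValue}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := SelfSignedDVCert([]string{"Domain Control Validated"})
	if err != nil {
		panic(err)
	}
	findings, err := LintDVSubjectOU(cert)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Running it prints a single finding for the constructed certificate, naming the OU value and the three absent subject attributes; pointing SelfSignedDVCert at an empty OU list produces no finding. To run the lint over real certificates, replace the constructed certificate with the output of x509.ParseCertificate on DER obtained from a CT log or a crt.sh download; only the two lint functions are needed for that.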
Comment 2 • 5 years ago (Reporter)
As you know, the discussion specifically is that “the CA SHALL (implement a process ...) and (the Certificate also contains ...)”. Your interpretation places the conjunction in the wrong place.
However, in the course of trying to understand your validation processes for OU (e.g. how you ensure that string is not misleading), I had trouble finding it in your CP/CPS, as required by the BRs in 9.6.1 and stated in GoDaddy/Starfield's own (recently updated) CP/CPS: https://certs.godaddy.com/repository/certificate_practices/en/StarfieldCertificatePolicyandCertificationPracticeStatement.pdf
Could you provide a link and reference to where you fulfill these requirements, as part of including an OU?
Section 3.2 of our CP/CPS, on page 9, states what we verify for each certificate type.
"For Basic and Medium Assurance Domain Validated SSL Server Certificate Subscribers, Starfield verifies the following:
• the individual requesting the certificate has access to the domain name(s) that are specified in the certificate application using the methods described in 3.2.2.4."
Section 10.4 of our CP/CPS, on page 64, shows the output of the OU field, OU = “Domain Control Verified”:
"Subject (Medium Assurance Certificates CN = domain name of Subscriber’s web site OU = “Domain Control Verified” or similar text indicating the assurance level of the certificate."
Comment 4 • 5 years ago
If there are no other questions or comments, I'll schedule this bug to be closed on 12-October-2020.