DigiCert: TERENA: Insufficient validation of organizationalUnitName
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: michel, Assigned: jeremy.rowley)
Details
(Whiteboard: [ca-compliance])
Hello,
I discovered 2 certificates: https://crt.sh/?id=312556089 and https://crt.sh/?id=378080691, both expired and the first one revoked a day after issuance, that have "Informatyzacja Uczelni,CN=portal-zsi.pwr.edu.pl" and "Informatyzacja Uczelni,CN=test-qss.pwr.edu.pl" in organizationalUnitName respectively. I'm not sure if it's a case of misissuance, but I thought that it's better to report it just in case it is.
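A lint-style check for the pattern reported above, added here as an example and not taken from the bug or from DigiCert's validation system: it parses an RFC 4514 subject string and flags organizationalUnitName values that embed another attribute assignment such as ",CN=". The function names, the attribute list and the sample subjects (placeholder C, O and CN around the OU value quoted in the report) are assumptions.

```python
import re

# An attribute type followed by "=" right after a separator inside a value:
# the shape left behind when a DN fragment ends up in a single field.
EMBEDDED_RDN = re.compile(
    r"[,/+;]\s*(CN|OU|O|L|ST|C|DC|emailAddress|serialNumber)\s*=", re.IGNORECASE)

def split_unescaped(text, sep):
    """Split on sep, skipping any sep that is backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape intact for unescape()
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts

def unescape(value):
    """Undo RFC 4514 escapes (hex pairs and backslash-escaped specials)."""
    # Hex pairs above 0x7F are not reassembled into UTF-8; the separators
    # this check looks for are all ASCII, so that does not affect the result.
    def repl(m):
        return chr(int(m.group(1), 16)) if m.group(1) else m.group(2)
    return re.sub(r"\\(?:([0-9A-Fa-f]{2})|(.))", repl, value)

def ou_findings(dn):
    """Return OU values in an RFC 4514 DN string that embed another attribute."""
    findings = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):      # multi-valued RDNs
            atype, _, raw = ava.partition("=")
            if atype.strip().upper() in ("OU", "2.5.4.11"):
                value = unescape(raw)
                if EMBEDDED_RDN.search(value):
                    findings.append(value)
    return findings

# Constructed subjects: only the OU value in SUSPECT comes from the report;
# C, O and CN are placeholders.
SUSPECT = r"C=PL,O=Example University,OU=Informatyzacja Uczelni\,CN\=portal-zsi.pwr.edu.pl,CN=host.example"
CLEAN = r"C=PL,O=Example University,OU=Research\, Development,CN=www.example.edu"
```

An escaped comma inside a value is legitimate on its own, which is why the clean sample passes; the finding is raised only when an attribute assignment follows the separator.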
Comment 1•5 years ago
As you note, both of these expired in early 2019. Much has happened since then. How do we know that they weren't already reported previously? I'm not sure that there is anything actionable about them at this point.
Comment 2•5 years ago
Even if this is a violation (I'm not sure it is), DigiCert has implemented constraints for this field in bug 1639032.
Comment 3•5 years ago (Assignee)
I don't have anything to add to this bug that hasn't already been mentioned in other bugs or the comments above. They've been expired for almost two years, we've turned off OU in general with a couple of exception accounts, and we've implemented a lot of checking and redid the entire validation system in the bug George mentioned and https://bugzilla.mozilla.org/show_bug.cgi?id=1639032.