Closed Bug 1676003 Opened 5 years ago Closed 5 years ago

DigiCert: Entity not verified in organizationalUnitName

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: fozzie, Assigned: jeremy.rowley)

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

Two certificates have been issued with "OpenSSL" in the organizationalUnitName field:

This seems to violate BR 7.1.4.2.2 i):

The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 3.2 and the Certificate also contains subject:organizationName, subject:givenName, subject:surname, subject:localityName, and subject:countryName attributes, also verified in accordance with Section 3.2.2.1.

Hey Ben - I think this is a false positive. The information was verified in accordance with Section 3.2 as was permission for Verizon to use the term OpenSSL in this context. I know George's point is that the information in the OU must be owned by the entity named in the certificate, but I don't see that as a requirement in 3.2 - just that you verify the "Applicant’s right to use" the information (3.2.2.1, paragraph 1), which was done in this case.

My understanding of 7.1.4.2.2 i) is that the trademark is owned (or belongs to) the entity listed in the subject which is verified under 3.2.2.1. However, I will cc Ryan in here because he probably knows more about this than I do. It also mentions "a specific natural person or Legal Entity", which the OpenSSL Software Foundation is.

If you could provide the evidence you used to verify Verizon's permission to use the OpenSSL trademark that'd be great as well though.

Assignee: bwilson → jeremy.rowley
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]

> My understanding of 7.1.4.2.2 i) is that the trademark is owned (or belongs to) the entity listed in the subject which is verified under 3.2.2.1. However, I will cc Ryan in here because he probably knows more about this than I do. It also mentions "a specific natural person or Legal Entity", which the OpenSSL Software Foundation is.

That's not what the language says:
"The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 3.2 and the Certificate also contains subject:organizationName, subject:givenName, subject:surname, subject:localityName, and subject:countryName attributes, also verified in accordance with Section 3.2.2.1"

The language says:

  1. The CA has a process to prevent OUs if:
    a. The OU is a name, trademark, address, location, or text
    b. That OU refers to a specific natural person or legal entity
  2. The CA may still include a trademark if:
    a. the information is verified in accordance with 3.2
    b. the certificate is an IV, OV, or EV cert

Relevant portion of trademark license:
"1. You can use OpenSSL trademarks to make true factual statements about OpenSSL or communicate compatibility with your product truthfully.
2. Your intended use qualifies as nominative fair use of the OpenSSL trademarks, i.e., merely identifying that you are talking about OpenSSL in a text, without suggesting sponsorship or endorsement.
3. You can use OpenSSL trademarks to describe or advertise your services or products relating to OpenSSL in a way that is not misleading."
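
The reading of 7.1.4.2.2 i) laid out above separates what the certificate itself can show (which subject attributes sit alongside an OU) from what only the CA's verification record can show (that the OU text was verified under Section 3.2). The Go program below, added here as an example and not code from DigiCert, Mozilla or anyone in this thread, encodes that split as a pre-issuance lint: it rejects a subject that carries an OU without the identity, locality and country attributes the rule names, and queues every OU value for a right-to-use verification check instead of approving it. The subject values other than the OU "OpenSSL" (Example Corp, Anytown, US) are constructed for the example, and treating givenName plus surname as the IV counterpart of organizationName follows the "IV, OV, or EV" interpretation given above rather than a literal BR quotation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs for the two naming attributes pkix.Name has no dedicated field for.
var (
	oidGivenName = asn1.ObjectIdentifier{2, 5, 4, 42}
	oidSurname   = asn1.ObjectIdentifier{2, 5, 4, 4}
)

// OULint is the outcome of checking one subject against BR 7.1.4.2.2 i).
type OULint struct {
	// Violations are defects visible in the certificate itself.
	Violations []string
	// ReviewRequired lists OU values that may only be issued with a Section 3.2
	// verification record on file; the lint cannot see that record, so it hands
	// these to a human gate rather than deciding.
	ReviewRequired []string
}

// hasAttr reports whether the subject carries an attribute with the given OID,
// looking in both the parsed (Names) and the to-be-encoded (ExtraNames) lists.
func hasAttr(subj pkix.Name, oid asn1.ObjectIdentifier) bool {
	for _, set := range [][]pkix.AttributeTypeAndValue{subj.Names, subj.ExtraNames} {
		for _, atv := range set {
			if atv.Type.Equal(oid) {
				return true
			}
		}
	}
	return false
}

// LintOU implements the mechanically checkable part of 7.1.4.2.2 i) under the
// reading given in the thread (assumption): an OU is only permissible in a
// certificate that also carries verified identity attributes (organizationName
// for OV/EV, or givenName and surname for IV) together with localityName and
// countryName. It never approves an OU by itself; it rejects the structurally
// impossible cases and queues the rest for the verification check.
func LintOU(subj pkix.Name) OULint {
	var res OULint
	if len(subj.OrganizationalUnit) == 0 {
		return res // the rule constrains OU only; nothing to do
	}
	hasOrg := len(subj.Organization) > 0
	hasPerson := hasAttr(subj, oidGivenName) && hasAttr(subj, oidSurname)
	if !hasOrg && !hasPerson {
		res.Violations = append(res.Violations, "OU present without organizationName or givenName+surname")
	}
	if len(subj.Locality) == 0 {
		res.Violations = append(res.Violations, "OU present without localityName")
	}
	if len(subj.Country) == 0 {
		res.Violations = append(res.Violations, "OU present without countryName")
	}
	res.ReviewRequired = append(res.ReviewRequired, subj.OrganizationalUnit...)
	return res
}

// SampleCert builds a throwaway self-signed certificate whose subject mirrors
// the shape at issue in this bug: an OU of "OpenSSL" next to an organization
// that is not OpenSSL. The O, L and C values are constructed for the example.
func SampleCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Country:            []string{"US"},
			Locality:           []string{"Anytown"},
			Organization:       []string{"Example Corp"},
			OrganizationalUnit: []string{"OpenSSL"},
		},
		NotBefore: time.Now(),
		NotAfter:  time.Now().Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := SampleCert()
	if err != nil {
		panic(err)
	}
	res := LintOU(cert.Subject)
	for _, v := range res.Violations {
		fmt.Println("VIOLATION:", v)
	}
	for _, ou := range res.ReviewRequired {
		fmt.Printf("REVIEW: OU %q needs a Section 3.2 right-to-use record before issuance\n", ou)
	}
}
```

Run with `go run`, the sample subject produces no violations and one REVIEW line for the OU "OpenSSL": the certificate is an OV shape, so the only open question is exactly the one argued in this bug, whether the right-to-use verification was done. A CA wiring this into issuance would block on the REVIEW queue until that record exists, rather than letting the linter decide a question it cannot see.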

You're right that it says it must be verified under 3.2, although there is no specific mention of trademarks in there. Also I would say this meets the "legal entity" criteria as in relation to the OpenSSL Software Foundation. Let's stick with the trademark for now, though: when the certificate was issued, did DigiCert review the trademark licensing terms on the website or did DigiCert email OpenSSL? If the former, I am not a lawyer but I don't see how including "OpenSSL" in an OU meets any of those criteria. Perhaps to remove ambiguity DigiCert should contact the trademark owner directly for these cases?

We are actively getting rid of OU from certificates in anticipation of the upcoming CAB Forum change that will prohibit them going forward, but for now I think we should stick with the actual requirement. We did note that verification of trademark is not defined, and I think this is one reason the section needs to be removed or clarified. I don't think it's relevant about whether we reviewed the terms or sent an email since neither is required under the actual language of 3.2 - what is expected is that verification happens with a reliable data source (assuming you count this as a tradename) or a government site. Verification of right to use is through "a reliable data source", which is vague enough either the website permission or an email would be sufficient.

Since the verification was done in accordance with section 3.2, I think this is a false positive and the bug should be closed as invalid.

Flags: needinfo?(bwilson)

Are there any objections to closing this bug based on the arguments made by DigiCert?

I'll close this on or about 27-November-2020.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]