Closed Bug 1710206 Opened 7 months ago Closed 7 months ago

Asseco DS / Certum: Incorrect localityName

Categories

(NSS :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: michel, Assigned: aleksandra.kurosz)

References

()

Details

(Whiteboard: [ca-compliance])

Hello,
I noticed that the certificate https://crt.sh/?id=1638144545 has the localityName: Biała and stateOrProvinceName: mazowieckie. It seems wrong because there is no such locality in this voivodeship. There is a locality with a similar name: Stara Biała (TERC 1419132) and two localities with the same name, but in different voivodeships: Biała (TERC 1017012) in Łódzkie and Biała (TERC 1610013) in Opolskie. That can be checked on https://eteryt.stat.gov.pl/

Michel: We're still waiting for an incident report from Asseco DS / Certum on Bug 1709392. However, for now I've held off duplicating, because what you've highlighted is an EV certificate, while Bug 1709392 relates to an OV certificate.

Aleksandra: Please file a separate incident report for this issue, so that we can independently determine whether to duplicate. As part of this incident report, please identify the data source(s) you used to validate this EV certificate, which you're required to track and disclose, per Ballot SC30.

Assignee: bwilson → aleksandra.kurosz
Status: NEW → ASSIGNED
Flags: needinfo?(aleksandra.kurosz)
Summary: Certum: Incorrect localityName → Asseco DS / Certum: Incorrect localityName
Whiteboard: [ca-compliance]

Hmm. There is Biała (SIMC 0576036), so that looks OK.

Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → INVALID

Can localityName be just a city/town/village or should it be the smallest unit of administrative subdivision? Units of administrative division are in TERC and cities/towns/villages are in SIMC.

Flags: needinfo?(ryan.sleevi)

Yes, locality can contain cities/towns/villages. The X.500 model was a bit fluid here, because it imagined a centralized global naming source with delegation (e.g. leaving it up to countries / states or provinces to manage naming - see early RFCs like RFC 1255), and that of course (thankfully) never came to pass.

With respect to the BRs, locality is left to the CA to demonstrate the relevant data source and verification and their determination. However, the notion of localityName being a subdivision like a city, county, or geographic region is within reason, see e.g. RFC 2256. The complexity here, as it always is with regional information, is geopolitical. While country and stateOrProvince have been seen as (explicitly) ISO 3166-1 and (implicitly) ISO 3166-2, respectively, localityName is a bit more fluid.

Note that, in general, the recommended way to report concerns is directly to the CA, since they MUST provide a preliminary incident report within 24 hours, which is not necessarily triggered by filing a Bugzilla bug. Of course, if you're not satisfied with the answer, or still have concerns, opening a Bug or posting on m.d.s.p. is totally appropriate.

Flags: needinfo?(ryan.sleevi)
Flags: needinfo?(aleksandra.kurosz)
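The check the reporter and the CA are disagreeing about above (does the subject's localityName exist inside the named stateOrProvinceName, and if not, what same-name or near-name localities explain the confusion) is mechanical once the subject DN is parsed. The following is an added example, not code from the bug thread, from Mozilla or from Certum. It parses a subject string in the RFC 4514 form crt.sh displays, then looks the L/ST pair up in a register. The register is constructed from only the four entries quoted in this thread (the SIMC entry from the CA's reply and the three TERC entries from the report); it is an illustration, not a copy of TERYT, and the subject string below is invented.

```python
"""Cross-check a certificate subject's localityName against stateOrProvinceName.

Added example; not part of the bug thread. The REGISTER below is constructed
from the entries quoted in the thread and is NOT an authoritative TERYT dump.
"""
import unicodedata

# Constructed register: (locality, voivodeship, register, code).
# A real check would load the TERC (administrative units) and SIMC
# (cities/towns/villages) tables from https://eteryt.stat.gov.pl/ instead.
REGISTER = [
    ("Biała", "mazowieckie", "SIMC", "0576036"),
    ("Stara Biała", "mazowieckie", "TERC", "1419132"),
    ("Biała", "łódzkie", "TERC", "1017012"),
    ("Biała", "opolskie", "TERC", "1610013"),
]

# Reporter-side view: TERC only, which is what produced the original report.
TERC_ONLY = [r for r in REGISTER if r[2] == "TERC"]

SHORT_NAMES = {"C": "countryName", "ST": "stateOrProvinceName",
               "L": "localityName", "O": "organizationName",
               "OU": "organizationalUnitName", "CN": "commonName"}


def parse_rfc4514(dn: str) -> dict:
    """Parse 'C=PL, ST=..., L=...' into {longAttributeName: value}.

    RDNs are comma separated; a backslash escapes the next character, so
    'O=Foo\\, Bar' yields organizationName 'Foo, Bar'. Multi-valued RDNs
    ('+') are not handled; subject DNs in TLS certificates rarely use them.
    """
    attrs, buf, parts, i = {}, [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    for part in parts:
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        key = key.strip().upper()
        attrs[SHORT_NAMES.get(key, key)] = value.strip()
    return attrs


def norm(s: str) -> str:
    """Case-fold and drop combining marks so 'Łódzkie' and 'łódzkie' compare equal."""
    s = unicodedata.normalize("NFKD", s.casefold())
    return "".join(c for c in s if not unicodedata.combining(c))


def check_locality(subject: dict, register=REGISTER) -> dict:
    """Return 'ok' when L is a registered locality inside ST.

    On a mismatch, return the evidence a reporter or validator would want:
    same-name localities in other provinces and near matches inside ST.
    """
    loc = subject.get("localityName", "")
    prov = subject.get("stateOrProvinceName", "")
    exact = [r for r in register
             if norm(r[0]) == norm(loc) and norm(r[1]) == norm(prov)]
    if exact:
        return {"verdict": "ok", "matches": exact}
    elsewhere = [r for r in register if norm(r[0]) == norm(loc)]
    near = [r for r in register
            if norm(r[1]) == norm(prov) and norm(loc) in norm(r[0])]
    return {"verdict": "mismatch",
            "same_name_elsewhere": elsewhere,
            "near_in_province": near}


if __name__ == "__main__":
    # Constructed subject; only the L/ST/C values mirror the thread.
    subj = parse_rfc4514("C=PL, ST=mazowieckie, L=Biała, O=Example\\, Sp. z o.o., CN=example.invalid")
    print(check_locality(subj))            # ok: Biała is in SIMC for mazowieckie
    print(check_locality(subj, TERC_ONLY))  # mismatch: the reporter's view
```

Running it with the full register reproduces the CA's answer (Biała, SIMC 0576036, is in mazowieckie); running it against the TERC-only subset reproduces the report, with Stara Biała as the near match and the two other Biała entries as the same-name localities elsewhere. The point for a validator is that the data source matters as much as the lookup, which is exactly what the request to disclose the data source under Ballot SC30 is about.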