Sectigo: potentially invalid organizational validation certificates
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: nickcao, Assigned: bwilson)
Details
(Whiteboard: [ca-compliance])
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.106 Safari/537.36
Steps to reproduce:
https://web.archive.org/web/20210617151825/https://crt.sh/?id=4655880761
https://web.archive.org/web/20210617151903/https://crt.sh/?id=4658946268
https://web.archive.org/web/20210617151856/https://crt.sh/?id=4658950264
These CT logs indicate that Sectigo has issued multiple organizational validation certificates towards Alipay US Inc. However, there are no other OV certificates issued towards the organization according to:
https://web.archive.org/web/20210617152424/https://crt.sh/?q=Alipay+US+Inc.
Other than for the domains in the aforementioned certificates: baleines.live, ygmg.vip and zao.lu. And I believe that these domains are not in the control of Alipay US Inc., indicating Sectigo's failure in validating the identity of the subject.
Comment 1•5 years ago
Before assigning this to the CA, can you provide more details about why you believe?
Have you contacted the CA's problem reporting mechanism and received a response that you believe is unsatisfactory? If so, can you share that? If not, could you please do that first, since it's unclear that there's a CA incident here based on the information provided.
Sectigo SSL Abuse and Malware Team responded with:
All of the certificates mentioned were validated and issued in accordance with the baseline requirements and our policies.
I'll then contact Alipay US Inc. to further investigate the current situation.
Comment 3•5 years ago
Sounds good.
Judging by https://web.sos.ky.gov/ftsearch/ , Alipay US, Inc is a legitimate company in Frankfort, KY:
Organization Number: 0919351
Name: ALIPAY US, INC.
Profit or Non-Profit: P - Profit
Company Type: FCO - Foreign Corporation
Status: A - Active
Standing: G - Good
State: DE
File Date: 4/13/2015
Authority Date: 4/13/2015
Last Annual Report: 6/10/2021
Principal Office: 525 ALMANOR AVENUE, SUNNYVALE, CA 94085
Registered Agent: C T CORPORATION SYSTEM, 306 W. MAIN STREET, SUITE 512, FRANKFORT, KY 40601
I believe this would be WontFix/Invalid for now, and if you get further details, we could always revisit reopening.