Closed Bug 1717046 Opened 5 years ago Closed 5 years ago

Sectigo: potentially invalid organizational validation certificates

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: nickcao, Assigned: bwilson)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.106 Safari/537.36

Steps to reproduce:

https://web.archive.org/web/20210617151825/https://crt.sh/?id=4655880761
https://web.archive.org/web/20210617151903/https://crt.sh/?id=4658946268
https://web.archive.org/web/20210617151856/https://crt.sh/?id=4658950264
These CT logs indicate that Sectigo has issued multiple organizational validation certificates torwards Alipay US Inc.. However there's no other OV certificates issued towards the organization according to:
https://web.archive.org/web/20210617152424/https://crt.sh/?q=Alipay+US+Inc.
Other than for the domains in the aforementioned certificates: baleines.live, ygmg.vip and zao.lu. And I believe that these domains are not in the control of Alipay US Inc., indicating Sectigo's failure in validating the identity of the subject.

Before assigning this to the CA, can you provide more details about why you believe?

Have you contacted the CA's problem reporting mechanism and received a response that you believe is unsatisfactory? If so, can you share that? If not, could you please do that first, since it's unclear that there's a CA incident here based on the information provided.

Flags: needinfo?(nickcao)

Sectigo SSL Abuse and Malware Team responded with:

All of the certificates mentioned were validated and issued in accordance with the baseline requirements and our policies.

I'll then contact Alipay US Inc. to further investigate the current situation.

Sounds good.

Judging by https://web.sos.ky.gov/ftsearch/ , Alipay US, Inc is a legitimate company in Frankfort, KY:

	Organization Number	0919351
 	Name	ALIPAY US, INC.
 	Profit or Non-Profit	P - Profit
 	Company Type	FCO - Foreign Corporation
 	Status	A - Active
 	Standing	G - Good
 	State	DE
 	File Date	4/13/2015
 	Authority Date	4/13/2015
 	Last Annual Report	6/10/2021
 	Principal Office	525 ALMANOR AVENUE
                                SUNNYVALE, CA 94085
 	Registered Agent	C T CORPORATION SYSTEM
                                306 W. MAIN STREET
                                SUITE 512
                                FRANKFORT, KY 40601

I believe this would be WontFix/Invalid for now, and if you get further details, we could always revisit reopening.

Flags: needinfo?(nickcao) → needinfo?(bwilson)
Status: UNCONFIRMED → RESOLVED
Type: defect → task
Closed: 5 years ago
Flags: needinfo?(bwilson)
Resolution: --- → INVALID
Whiteboard: [ca-compliance]
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.