In this case, each of those domains has a unique IP address, so
the IPv4 address space shortage is not the issue. There was no
technical reason to issue such a certificate.
Issuing a cert which names an organization other than the one
which owns the web site seems incorrect. The whole point
of having OV and EV certs is to identify the party you're dealing
with, not some hosting service in the middle.
The CA/Browser Forum proposed standard says, at 11.2.1 Identity,
"If the Subject Identity Information is to include the name or address
of an organization, the CA SHALL verify the identity and address of the
organization and that the address is the Applicant’s address of
existence or operation." While a CA may try to interpret that as
allowing the issuance of certs in the name of a proxy CDN service,
I would suggest that Mozilla's auditors not accept that interpretation.
We don't want to allow the creation of a "proxy cert" industry,
similar to the mess associated with "private domain registration".
A cert like this allows a form of MITM attack. Any site with
that cert can impersonate any other site with that cert. That's
not good, especially when the organizations are totally unrelated
and spread across three continents.
I'm trying to find out how widespread a problem this is.
The Certificate Observatory database, which is publicly available
on Amazon's Elastic Cloud, has the necessary information. More
on this later.
John Nagle
SiteTruth