WebPKI, Certificate 'Resellers' versus Enterprise RA versus RA/Delegated Third Party

Skip to first unread message

James R Moir

Jul 13, 2022, 4:04:54 PMJul 13
to dev-secur...@mozilla.org
I am researching WebPKI, looking at the practical offers of Certificate Authorities and parties who offer certificates.

I wish to ask some queries about Baseline Requirement definitions and how that work with entities selling certificates today.

A 'Certificate Reseller' is not defined in Baseline Requirements that I see, but many CA offer certificates via these entities and even multiple levels of them.
I have discovered reselling certificate from some CA is different to other CAs.

This is in comparison to 'full' Registration Authority (RA) and 'Enterprise RA'.

If I am a Enterprise RA, I can issue certificates for my organization and domain names I authenticate.
Once I complete vetting of a domain and an organization, I can issue certificate for those immediately with no check or delay (save for CAA).
The CA can know and identify me as Enterprise RA issuing certificate for my organization. I only issue for my organization.

If I am a Delegated Third Party, I can also issue certificate from the CA, but they do not have to be for my own organization or domain.
I must be audited.

How do reseller of certificates fit in?

For some CAs I can become a reseller. I have no audit or specialty in certificates. Simply sign up, perhaps make some monetary deposit.
I can make a certificate request for Company A and domaina.com. They are vetted by the CA.
I can make a certificate request for Company B and domainb.com. They are vetted by the CA.
Now I can make any request for Company A or Company B and domaina.com or domainb.com - no more checks are done by the CA (within reuse times - usually 1 year).
I am effectively a 'super administrator' Enterprise RA over multiple Enterprise RAs.

If I order from a reseller, how does the CA know I made the request? After initial vetting, reseller is effectively RA or Delegated Third Party as no checks are made with me that a request from a reseller was made by me.

Real-world type example:
I am Certificate Reseller. No audit, I sell consulting and non-certificate services.
I have connections and have Coca-Cola order an organization-validated (OV) from my webshop for coke.com.
My CA fully and correctly vets the details and domain authorization is completed for coke.com.

I am lucky to do the same for PepsiCo and they order an OV for pepsi.com. Again, the CA verifies everything correctly.

Now - I have the ability to order new certificates for those organization and domain. The CA does no more checks.
I can take a CSR from PepsiCo employee and issue a cert for coke.com to them, and vice-versa.

(No domain has been delegated to my control, vetting of domain for example was done once by email)

The CA does not check details again, or notify or ask for approval from either organization. These organizations only know from checking Certificate Transparency after issue.
I am not Enterprise RA (I am not Coca-Cola or PepsiCo), or RA or Delegated Party (no audit). Maybe there are some agreement like 'click-thru'.

Is there a part of the Baseline Requirement this is covered, or is it an unconsidered scenario? Does legal agreement cover?
Should reseller allowed to issue without additional check?

Gratefully accept any inputs or thoughts.

Reply all
Reply to author
0 new messages