On Wed, Aug 9, 2017 at 4:28 PM, Lee <ler...@gmail.com> wrote:
> On 8/9/17, Eric Mill via dev-security-policy <dev-secur...@lists.mozilla.org> wrote:
> > On Tue, Aug 8, 2017 at 5:53 PM, identrust--- via dev-security-policy <dev-secur...@lists.mozilla.org> wrote:
> >
> >> On Tuesday, August 8, 2017 at 12:06:47 PM UTC-4, Jonathan Rudenberg
You're not doing anything wrong; that hostname is just not using that
certificate at this time, at least not to public users. But issuance is
what matters here.
Given the capitalization of the common name, and the
organizationalUnitName, the certificate was clearly issued to the same
company.
> > And one of them is for what appears to be a state government revenue
> > service's VPN: vpn.revenue.louisiana.gov
>
> I see that one - go to https://vpn.revenue.louisiana.gov/
> check the cert and it says
> Issued To
> Common Name (CN) Vpn.revenue.louisiana.gov
> Organization (O) U.S. Government
>
> > (So it's clear, "U.S. Government" only refers to the federal government,
> > not state/local/tribal governments.)
> >
> > I personally (and to be clear, this is in my individual capacity and I am
> > not representing my employer) think these are invalid organizationNames,
> > constitute misissuance, and that Identrust should be using the "U.S.
> > Government" only for hostnames providing services operated exclusively on
> > behalf of the federal government.
>
> playing devil's advocate: how do you know that
> https://vpn.revenue.louisiana.gov/ wasn't set up in collaboration with
> the IRS or some other branch of the U.S. Government?
>
That wouldn't meet the definition that Identrust said in their email above,
which is that certificates are "issued to either U.S. Government agencies
and/or their sub-contractors in support of government programs\projects".
Maybe there's some very novel arrangement I'm not familiar with where the
State of Louisiana can act as a subcontractor to the federal government,
but in both of these cases, the burden is on Identrust to identify how it
could have been appropriate to put "U.S. Government" as the
organizationName for these certificates.
For the other 3 in the batch, there are more plausible reasons why the
hostname might exclusively be for U.S. Government purposes -
* networx-billing-pricer.nhc.noblis.org - In support of the Noblis Networx contract
* sslacesvalid.identrust.com - In support of the overall ACES CA
* smbf1.smbisao.com - Related to a Small and Medium Business (SMB)-oriented Information Sharing and Analysis Organization Initiative (iSAO), related to a DHS initiative: https://www.icf.com/-/media/files/icf/white-papers/2015/response_to_dhs_public_comment_information_sharing.ashx
Although it is also quite plausible that those certificates are used
for non-USG-affiliated purposes.
Only Identrust can explain it for certain, but for at least the two I
called out, I think it is reasonable to presume their organizationName is
inaccurate until shown otherwise.
-- Eric
>
> Lee
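An added example, not part of the thread and not IdenTrust's or Mozilla's code, of doing both checks the thread describes in a script: pulling the certificate a host actually serves, as Lee did in a browser, and separately asking a Certificate Transparency aggregator (crt.sh) what was issued for the name, which is the distinction Eric draws when he says issuance is what matters. The sample `getpeercert()` dict is constructed from the CN and O values Lee quoted; its country and SAN entries are assumptions. The `name_matches` helper also shows why the "Vpn." capitalization in the CN is irrelevant to whether the certificate covers the host: RFC 6125 name matching is case-insensitive.

```python
import json
import socket
import ssl
import urllib.parse
import urllib.request
from typing import Dict, List

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, built
# from the CN and O values Lee quoted from the browser. The country and SAN
# entries are assumptions for illustration, not a captured certificate.
SAMPLE_PEERCERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "U.S. Government"),),
        (("commonName", "Vpn.revenue.louisiana.gov"),),
    ),
    "subjectAltName": (("DNS", "vpn.revenue.louisiana.gov"),),
}


def subject_fields(peercert: dict) -> Dict[str, str]:
    """Flatten getpeercert()['subject'], a tuple of RDNs each holding
    (attribute, value) pairs, into a plain dict keyed by attribute name."""
    fields: Dict[str, str] = {}
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            fields.setdefault(attr, value)  # keep the first value if repeated
    return fields


def san_dns_names(peercert: dict) -> List[str]:
    """DNS names from subjectAltName; these, not the CN, are what browsers match."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, a wildcard covers one label."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def served_cert_summary(peercert: dict, hostname: str) -> Dict[str, object]:
    """What Lee did by hand: who the served certificate claims to be, and
    whether it actually covers the hostname it was fetched from."""
    s = subject_fields(peercert)
    names = san_dns_names(peercert) or [s.get("commonName", "")]
    return {
        "commonName": s.get("commonName"),
        "organizationName": s.get("organizationName"),
        "organizationalUnitName": s.get("organizationalUnitName"),
        "covers_host": any(name_matches(n, hostname) for n in names),
    }


def fetch_peercert(hostname: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Fetch the certificate the host serves right now (needs network access).
    With a validating default context, getpeercert() returns the parsed dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def crtsh_issued_certs(hostname: str, timeout: float = 30.0) -> List[dict]:
    """Eric's point: a host may never serve the certificate in question, so
    look at issuance instead. Ask crt.sh for every logged certificate naming
    the host; each JSON entry carries issuer_name, common_name and not_before."""
    url = "https://crt.sh/?q=" + urllib.parse.quote(hostname) + "&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    host = "vpn.revenue.louisiana.gov"
    print("constructed sample:", served_cert_summary(SAMPLE_PEERCERT, host))
    try:
        print("served now:", served_cert_summary(fetch_peercert(host), host))
        for entry in crtsh_issued_certs(host):
            print("logged:", entry["not_before"], entry["issuer_name"], entry["common_name"])
    except OSError as exc:  # DNS, TLS and HTTP failures all derive from OSError
        print("network step skipped:", exc)
```

The offline part (the constructed sample) exercises the parsing and matching; the two network functions are the live checks and are only useful with connectivity. Note that `fetch_peercert` shows only what the server presents during the handshake, so a certificate that was issued but never deployed, which is the case the thread is about, will show up only in the crt.sh results.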