Fraudulent certificates in the wild — again
Posted Jan 20, 2013 21:59 UTC (Sun) by giraffedata
In reply to: Fraudulent certificates in the wild — again
Parent article: Fraudulent certificates in the wild — again
Actually, you are allowed to get free and/or individual validation (at $60) certificates from startssl.com for use by an organization, but if you don't pay the extra $60 for organizational validation the certificate will only list the individual admin's name (who they considered their customer), not the organization's name, in the certificate metadata. That metadata is not particular important, however. For example, the lwn.net certificate belongs to "GeoTrust Inc." (the issuing vendor) according to its metadata...
I don't know what you're calling metadata, but what tells to whom a certificate belongs is its "subject" attribute. The subject attribute has various components, the two most important being "common name" ("CN") and "organization" ("O"). The lwn.net certificate belongs to common name "lwn.net" and unspecified organization. In contrast, the certificate offered by www.bankofamerica.com belongs to common name "www.bankofamerica.com" and organization "Bank of America Corporation."
In the lwn.net certificate, GeoTrust is the "issuer" attribute.
I couldn't tell from the startssl.com certificate just what its $60 product is, but as the description includes the phrase "organization validation," I presume that product has both the CN and O field filled in,
whereas the free product has only CN (like lwn.net). I know it can't be that the $60 product's Issuer attribute indicates the Startssl customer. The Issuer attribute has to identify Startssl.
You seem to say that the free certificate includes the individual admin's name. I can't see how that can be, since Startssl has no credible way to know the admin's name. Email address, maybe.
to post comments)