View Issue Details

ID: 0000947
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2011-07-14 19:54
Reporter: Ted
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: Test CAcert Website
OS: N/A
OS Version: Test
Summary: 0000947: Renewing certificates is possible even if the name in the account has changed
Description: It looks like the old request is reused without checking if it is still matching the account's name.
This may only happen in Arbitration cases when the name is changed but not every certificate is revoked. IMHO the system should nevertheless offer only those certificates for renewing which do still match.
Steps To Reproduce:
- Create new Account
- Assure to 50 Assurance Points
- Create a Client certificate
- Login as Support Engineer
- Modify Name of new account in Support Console
(maybe wait a day so modification of expiry date is more obvious)
- Login to new account
- Renew the certificate created above
==> New certificate with old name in Browser
Tags: No tags attached.
Reviewed by
Test Instructions

Activities

Uli60

2011-07-14 15:39

updater   ~0002136

Last edited: 2011-07-14 16:16

Name change requests have to go through arbitration if the user account has at least one assurance done.

Arbitrators have to take care about CPS (!)
to order user/support to revoke certs that have the name before change in them
and the name no longer is applicable to the name after change
e.g. name part removal as it was not verified => cert has to be revoked if removed name part is part of the cert

In the test environment the "Arbitrator" instance is not available, so therefore name changes are not under "Arbitrators" authority, so therefore name change is possible in the simulation

potential name variations that could exist in certs name field (if not "WoT user"): see /pages/account/3.php l. 65 ff.
$fname $lname
$fname $mname $lname
$fname $lname $suffix
$fname $mname $lname $suffix

Ted

2011-07-14 19:54

administrator   ~0002137

Never mind Arbitration, the software itself also has to honour the CPS.

From CPS chapters 4.7 and 4.3.1 it may be concluded that certificate details are checked during the renewal process.
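
One way the renewal list could apply the check discussed in the notes above, as an added example that is not CAcert's code: a certificate is offered for renewal only if its name still equals one of the four name patterns built from the account's current data. The function names, array keys and sample data are hypothetical, and treating a "WoT user" certificate as always renewable is an assumption.

```php
<?php
// Added example, not CAcert code. Helper names and array keys are hypothetical;
// only the four name patterns and the "WoT user" case come from the note above.

/** Collapse whitespace so an empty middle name or suffix leaves no double spaces. */
function normalize_name(string $name): string
{
    return trim(preg_replace('/\s+/', ' ', $name));
}

/** Build the names a certificate may carry for the account data as it is now. */
function allowed_cert_names(array $account): array
{
    $f = $account['fname'];
    $m = $account['mname'];
    $l = $account['lname'];
    $s = $account['suffix'];
    $variants = ["$f $l", "$f $m $l", "$f $l $s", "$f $m $l $s"];
    return array_values(array_unique(array_map('normalize_name', $variants)));
}

/** Renewable only if the certificate name still matches the current account name. */
function is_renewable(array $cert, array $account, string $placeholder = 'WoT user'): bool
{
    $cn = normalize_name($cert['cn']);
    if ($cn === $placeholder) {
        return true; // assumption: no personal name, so a name change cannot invalidate it
    }
    return in_array($cn, allowed_cert_names($account), true);
}

// Constructed sample: the unverified middle name "Q" was removed from the account.
$account = ['fname' => 'Jane', 'mname' => '', 'lname' => 'Doe', 'suffix' => ''];
$certs = [
    ['serial' => 'A1', 'cn' => 'Jane Q Doe'], // issued before the change
    ['serial' => 'A2', 'cn' => 'Jane Doe'],   // matches the current name
    ['serial' => 'A3', 'cn' => 'WoT user'],   // placeholder name
];

foreach ($certs as $cert) {
    $state = is_renewable($cert, $account) ? 'offer renewal' : 'hide: name no longer matches';
    printf("%s  %-12s %s\n", $cert['serial'], $cert['cn'], $state);
}
```

With this sample, A1 is hidden while A2 and A3 are offered. The same predicate would also have to run when the renewal request is submitted, since filtering only the displayed list does not stop a request for a certificate that was never listed.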

Issue History

Date Modified Username Field Change
2011-05-31 21:19 Ted New Issue
2011-07-14 15:39 Uli60 Note Added: 0002136
2011-07-14 16:16 Uli60 Note Edited: 0002136
2011-07-14 19:54 Ted Note Added: 0002137