View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000947||Main CAcert Website||certificate issuing||public||2011-05-31 21:19||2011-07-14 19:54|
|Platform||Test CAcert Website||OS||N/A||OS Version||Test|
|Summary||0000947: Renewing certificates is possible even if the name in the account has changed|
|Description||It looks like the old request is reused without checking if it is still matching the account's name. |
This may only happen in Arbitration cases when the name is changed but not every certificate is revoked. IMHO the system should nevertheless offer only those certificates for renewing which do still match.
|Steps To Reproduce||- Create new Account|
- Assure to 50 Assurance Points
- Create a Client certificate
- Login as Suport Engineer
- Modify Name of new account in Support Console
(maybe wait a day so modification of expiry date is more obvious)
- Login to new account
- Renew the certificate created above
==> New certificate with old name in Browser
|Tags||No tags attached.|
Name change requests have to go thru arbitration if user account has at least one assurance done.
Arbitrators have to take care about CPS (!)
to order user/support to revoke certs that has the name before change in it
and the name no longer is applicable to the name after change
eg name part removal as it was not verified => cert has to be revoked if removed name part is part of the cert
in test environment the "Arbitrator" instance is not available, so therefor name changes are not under "Arbitrators" authority, so therefor name change is possible in the simulation
potential name variations that could exist in certs name field (if not "WoT user"): see /pages/account/3.php l. 65 ff.
$fname $mname $lname
$fname $lname $suffix
$fname $mname $lname $suffix
Never mind Arbitration, the software itself also has to honour the CPS.
From CPS chapters 4.7 and 4.3.1 it may be concluded that certificate details are checked during the renewal process.