Sectigo recently announced that we will change our issuance practices to remove “static” brand and hosting information from the Organizational Unit (OU) fields of our Domain Validation (DV) certificates. These descriptors include the brand name of the certificate (e.g., “PositiveSSL”) and the name of the hosting provider (e.g., “Hosted by NAME”).
It has been the company’s practice to include information of this sort in OU fields going as far back as 2002, and other public CAs have included similar information in their certificates over the years. The public CA community has recently come to the consensus that this practice should not be permitted under the CA/Browser Forum Baseline Requirements (BRs).
The BRs are ambiguously written on this matter. Nonetheless, Sectigo will change its certificate issuance practices to align with this clarified interpretation. Our code update is scheduled to go into effect on December 15, 2019. Sectigo will not force the replacement of existing DV certificates containing this brand information. Sectigo believes the BRs should be updated so that their language accurately reflects this new consensus interpretation, and we plan to lead an effort to do so.
We are content to change our policy to promote alignment on certificate practices moving forward. There is no need, however, to replace existing certificates containing this brand information. Doing so would cause great hardship to certificate subscribers and relying parties alike, while offering no benefit whatsoever to security or online identity.