Bug 1231138 (Closed): Add mis-issued Let's Encrypt certs to OneCRL
Opened 9 years ago, closed 9 years ago

Product/Component: Core :: Security: PSM
Type: defect
Priority: Not set
Severity: major
Status: RESOLVED WONTFIX
Reporter: kathleen.a.wilson
Assignee: Unassigned

Let's Encrypt has provided an incident report stating that six certificates were improperly issued to domains restricted by CAA: https://groups.google.com/d/msg/mozilla.dev.security.policy/_HqrifRcSYs/73U_5FNUAQAJ

The certs are:
https://crt.sh/?id=11015552
https://crt.sh/?id=11129526
https://crt.sh/?id=11129525
https://crt.sh/?id=11145944
https://crt.sh/?id=11146361
https://crt.sh/?id=11147768

They are revoked. Validity Not After = Mar 3, 2016. We need to decide if they should be added to OneCRL.
None of these certificates are EV certificates. Let's Encrypt only issues DV certificates. I'm not very familiar with the history of decision-making for OneCRL inclusion, so I cannot provide much guidance on whether or not these certs should be included.
Three of the six certificates are offered for asulfrian.userpage.fu-berlin.de. It is not necessary to include these certificates in OneCRL as they are offered to a fully trusted person just testing proper CAA handling. The certificate owner was also the reporter to Let's Encrypt and filed the issue: https://github.com/letsencrypt/boulder/issues/1231 Heiko (Zone-C / hostmaster (at) fu-berlin.de)
Also, presumably LE checked the CAA records for the other 3 certs when they discovered the bug, but they don't know what the historic value of the CAA record was at the time of issuance. Therefore, one cannot say with 100% certainty that the other three were issued in violation of CAA. (Although it was only 9 days ago, so it was likely.) Also, it's not necessarily true that these certificates were issued to someone who did not have control of the necessary domain (i.e. were misissued). It would have been wise to check with the domain owners before revoking the certs, but never mind. It would still be wise to check with them before considering adding the certs to OneCRL. In terms of OneCRL criteria, I'm not sure that we would normally add even mis-issued DV certs for low-profile sites to OneCRL. Gerv
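The comments above turn on whether issuance was "consistent with the applicable CAA RRset" in the sense of RFC 6844 (the CAA specification in force at the time; RFC 8659 replaced it in 2019). The following is an added example, not code from this bug, from Let's Encrypt, or from Boulder: a self-contained CAA authorization check over a constructed, in-memory zone (no live DNS), showing the parts a CA's check has to get right: the climb from the FQDN toward the root, the "issue" vs "issuewild" selection for wildcard names, the empty-issuer record that forbids everyone, issuer parameters after ";", and refusal on an unknown critical property. All names ending in ".example" and the CA identifiers are hypothetical; CNAME following is not modelled. Note the caveat Gerv raises: a check like this only answers what the records say now, so it cannot by itself establish what a record said at issuance time.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

CRITICAL = 0x80  # RFC 6844 issuer-critical flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed CAA zone data for this example (hypothetical names, not real DNS answers).
# Keys are owner names; values are the CAA RRset published at that name.
CONSTRUCTED_ZONE: Dict[str, List[CAARecord]] = {
    "fu-berlin.example": [CAARecord(0, "issue", "trusted-ca.example")],
    "locked.example":    [CAARecord(0, "issue", ";")],   # empty issuer: nobody may issue
    "wild.example":      [CAARecord(0, "issue", "letsencrypt.org"),
                          CAARecord(0, "issuewild", "other-ca.example")],
    "strict.example":    [CAARecord(CRITICAL, "future-tag", "x"),
                          CAARecord(0, "issue", "letsencrypt.org")],
    "report.example":    [CAARecord(0, "iodef", "mailto:hostmaster@report.example")],
    "params.example":    [CAARecord(0, "issue", "letsencrypt.org; validationmethods=dns-01")],
}


def lookup_caa(name: str, zone: Dict[str, List[CAARecord]] = CONSTRUCTED_ZONE) -> List[CAARecord]:
    """Stand-in for a DNS CAA query against the constructed zone."""
    return zone.get(name.lower().rstrip("."), [])


def ancestors(fqdn: str) -> Iterator[str]:
    """'a.b.c' -> 'a.b.c', 'b.c', 'c' (the root itself is not queried)."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def relevant_rrset(fqdn: str, zone=CONSTRUCTED_ZONE) -> Optional[List[CAARecord]]:
    """RFC 6844 section 4 tree climb: the first name, starting at the FQDN and
    walking toward the root, that has a CAA RRset is the relevant one."""
    for name in ancestors(fqdn):
        rrs = lookup_caa(name, zone)
        if rrs:
            return rrs
    return None


def issuer_domain(value: str) -> str:
    """'<issuer-domain>; key=val; ...' -> '<issuer-domain>'; empty means 'no CA'."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn: str, ca_id: str, zone=CONSTRUCTED_ZONE) -> bool:
    """True if a CA identified by ca_id may issue for fqdn under the zone's CAA records."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn   # for '*.X' the relevant set is looked up from X
    rrset = relevant_rrset(base, zone)
    if rrset is None:
        return True  # no CAA RRset anywhere up the tree: issuance is not restricted
    for r in rrset:
        if r.flags & CRITICAL and r.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False  # unknown property marked critical: the CA MUST NOT issue
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # issuewild records govern wildcard names when present; otherwise issue records apply.
    # Non-wildcard names ignore issuewild entirely.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # RRset has only iodef (or no issue records): not restricted
    return any(issuer_domain(r.value) == ca_id.lower() for r in relevant)


if __name__ == "__main__":
    for name, ca in [("asulfrian.userpage.fu-berlin.example", "letsencrypt.org"),
                     ("asulfrian.userpage.fu-berlin.example", "trusted-ca.example"),
                     ("www.locked.example", "letsencrypt.org"),
                     ("*.wild.example", "letsencrypt.org"),
                     ("strict.example", "letsencrypt.org"),
                     ("nocaa.example", "letsencrypt.org")]:
        print(f"{name:40s} {ca:20s} permitted={caa_permits(name, ca)}")
```

The climb matters for the case discussed here: a CAA record on fu-berlin.example restricts every deeper name with no CAA RRset of its own, so a third-level name like asulfrian.userpage.fu-berlin.example inherits it. A real implementation additionally has to follow CNAME/DNAME chains at each step, treat lookup failures as a reason to refuse rather than permit, and log the records it saw at validation time, which is exactly the evidence that is missing in the discussion above.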
We aren't going to bother doing this. Gerv
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX