Closed Bug 1304089 Opened 9 years ago Closed 9 years ago

Bug in GlobalSign Certificate Centre not populating EKUs in 68 SSL certificates

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: steve.roylance, Assigned: kathleen.a.wilson)

Details

(Whiteboard: BR Compliance)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160623154057

Steps to reproduce:

Dear Kathleen and Mozilla Community.
cc CABFORUM Public list via Doug

Following a recent code update to our GlobalSign Certificate Centre (GCC) platform, we have discovered a bug which manifests itself when orders are re-issued with modified domains within the Subject Alternative Name field of the certificate. The date of the original application also impacted the bug and therefore the bug does not affect all re-issues made. The bug fails to populate the Extended Key Usage correctly leaving these key usages out of the certificate (i.e. an empty EKU) which is against BR practice and why we are now revoking the affected certificates.

We have verified that in total, 68 certificates were affected. 4 of these are EV with the remainder being Organizationally vetted (OV). The risk to the community and to our other customers is therefore low as we have exiting relationships with all customers and have vetted them to a higher level of confidence to issue the original certificate in the first place, although obviously the inconvenience on both sides is not welcome.

Our development team has installed an emergency fix and the support teams continue to contact customers to perform revocations.

As our OV certificates are not yet included in the CT logs I've pasted a list of the affected serial numbers, SKIs and fingerprints below.

The 4 EV certificates have already been revoked and appear on the EV CRL http://crl.globalsign.com/gsextendvalsha2g2.crl, however, as GlobalSign issues CRLs for the OV product every 24 hours not all certificates were added prior to the automated publication time of 12:00GMT today (20th September). 47 of the 64 OV certificates do appear on the revocation list (http://crl.globalsign.com/gsorganizationvalsha2g2.crl). These are the certificates from our APAC customers and some of our EU customers.
Following the sun, the remaining certificates from EMEA and from our US customers will therefore appear in the next CRL published tomorrow at 12:00 GMT.

Actual results: Type Serial Number fingerprint (SHA1 Hash) SKI (SHA1 basis)

Expected results: EKUs should have been added
This is just a comment to say all remaining certificates except 5866b4cf0214dc2249c38e61 were recorded in the CRL issued today at 12:00 GMT. This error was corrected and 5866b4cf0214dc2249c38e61 has also now been revoked. Please note that as I was listing serial numbers in excel therefore as some of the serials were prefixed with a 0 they were incorrectly removed so the actual list (now 100 % revoked) was:- Number Type Serial Number fingerprint (SHA1 Hash) SKI (SHA1 basis)
Hi Steve,

Thank you for reporting this issue to us.

(In reply to Steve Roylance from comment #0)
> cc CABFORUM Public list via Doug

Note that I've not seen this go across the CABF public list yet.

> and therefore the bug does not affect all re-issues made. The bug fails
> to populate the Extended Key Usage correctly leaving these key usages out of
> the certificate (i.e. an empty EKU)

To confirm: is this an EKU extension without any EKUs, or is this a missing EKU? It seems like the former but I want to be sure.

> other customers is therefore low as we have exiting relationships with all

Hopefully "existing" rather than "exiting" ;-)

Out of curiosity, what has been the reported experience with these certificates? Do they work for SSL nowhere, in some clients or in all clients?

Gerv
Hi Gerv,

Here's the mail Doug sent, but I too did not see in my mail, only in a forward from him.

From: Doug Beattie
Sent: Tuesday, September 20, 2016 4:48 PM
To: CABFPub
Subject: Public disclosure of 68 GlobalSign SSL certificates issued without EKU or KU

The EKU was missing so actually the latter. i.e. No EKU at all rather than EKU set to AnyEKU

Maybe I meant "exciting" ;-)

I'll see if I can arrange for the support team to comment to this post if there's a particular application that failed and therefore alerted us.
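The cases distinguished in the exchange above (no EKU extension at all, an EKU extension with an empty list, anyExtendedKeyUsage, and the expected serverAuth), as an added example that is not part of the original thread or GlobalSign's code: a small DER walker that classifies a certificate's Extensions list. The names `eku_state` and `SAMPLES`, the host `www.example.test` and all sample extension lists are constructed for illustration.

```python
# Added example (not from the bug thread): classify the EKU state of a DER
# Extensions list. All sample data below is constructed for illustration.
OID_EKU = bytes.fromhex("551d25")                    # 2.5.29.37 extKeyUsage
OID_SAN = bytes.fromhex("551d11")                    # 2.5.29.17 subjectAltName
OID_SERVER_AUTH = bytes.fromhex("2b06010505070301")  # 1.3.6.1.5.5.7.3.1
OID_ANY_EKU = bytes.fromhex("551d2500")              # 2.5.29.37.0


def tlv(tag, content):
    """Encode one DER element with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def read_tlvs(buf):
    """Yield (tag, content) for each single-byte-tag DER element in buf."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, first = buf[i], buf[i + 1]
        i += 2
        if first & 0x80:                      # long form: next k bytes hold the length
            k = first & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        else:
            n = first
        if i + n > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + n]
        i += n


def eku_state(extensions_der):
    """Return 'missing', 'empty', 'any', 'server-auth' or 'other'."""
    (tag, exts), = read_tlvs(extensions_der)  # outer SEQUENCE OF Extension
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    for _, ext in read_tlvs(exts):
        fields = list(read_tlvs(ext))         # extnID, [critical], extnValue
        if fields[0] != (0x06, OID_EKU):
            continue
        (_, purposes), = read_tlvs(fields[-1][1])   # SEQUENCE OF KeyPurposeId
        oids = [c for t, c in read_tlvs(purposes) if t == 0x06]
        if not oids:
            return "empty"                    # extension present, no purposes
        if OID_SERVER_AUTH in oids:
            return "server-auth"
        return "any" if OID_ANY_EKU in oids else "other"
    return "missing"                          # no EKU extension at all


def extension(oid, value):
    """Build a non-critical Extension: SEQUENCE { OID, OCTET STRING }."""
    return tlv(0x30, tlv(0x06, oid) + tlv(0x04, value))


def eku_ext(*purposes):
    return extension(OID_EKU, tlv(0x30, b"".join(tlv(0x06, p) for p in purposes)))


# Constructed SAN with one dNSName ([2] IMPLICIT IA5String, tag 0x82).
SAN = extension(OID_SAN, tlv(0x30, tlv(0x82, b"www.example.test")))
SAMPLES = {
    "no EKU extension": tlv(0x30, SAN),
    "empty EKU list": tlv(0x30, SAN + eku_ext()),
    "anyExtendedKeyUsage": tlv(0x30, SAN + eku_ext(OID_ANY_EKU)),
    "serverAuth": tlv(0x30, SAN + eku_ext(OID_SERVER_AUTH)),
}

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        print(f"{name:22s} -> {eku_state(der)}")
```

A check of this kind run on the to-be-signed certificate before issuance would flag the "missing" case described in this bug.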
I don't have that message from Doug. Perhaps you should check with some other subscribers and if the failure seems global, resend. Gerv
The email is here, I'm not sure why so many people did not receive it: https://cabforum.org/pipermail/public/2016-September/008436.html
Doug: It looks like some issue with either the CA/B Forum Mailman config or the domain policies for globalsign.com, as it's failing the DMARC config. Many mail clients would move such messages to spam (because they are sent by cabforum.org but claim to be sent by you). Wayne was supposed to have tweaked the mailman config for this (cf. https://wiki.list.org/DEV/DMARC ) to the "Munge From" option. My mail from Jan 28, 2016 suggests he was going to look into this.

That's at least why it's flagged as "Spam" in GMail, and unless you have explicit rules set up as I do (e.g. to assign a label or mark important), GMail-based clients will move it to spam. So, it's not your fault, but it may be worth following up with Wayne to make sure everything is configured well.
This comment is to provide an update of this bug. Last weekend we conducted one more thorough investigation of this bug, and discovered that there were 11 more OV certificates without KU and EKU due to the same code bug and issued during the same period as the 68 reported previously. These 11 were stored in a different table because of different customer order type. We confirmed the same bug caused these 11 had been solved by the same emergency fix. We had since contacted all the 11 impacted customers, and all these 11 certificates had been revoked via CRL and OCSP as end of Tuesday, 11th Oct. The serial numbers / Fingerprints / SKIs of the 11 are, Number Type Serial Number Fingerprint (SHA1 Hash) SKI (SHA1 Basis)
Whiteboard: BR Compliance
As I understand it, the problem that allowed these certificates to be issued has been fixed, and all of the impacted certs have been identified and revoked. I don't think we need to add these certs to OneCRL. Does anyone disagree? I don't think there are any more action items for GlobalSign in this bug, so I think this bug may be closed as fixed.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
I agree that this bug can be closed, and that there is no need to add these certs to OneCRL. They were BR-non-compliant, but not issued to the wrong people. Gerv
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program