DigiCert: TI Trust Technologies Global CA issued certificate with no subject alternative name extension

Status: NEW
Product: NSS
Component: CA Certificate Mis-Issuance
Opened a year ago, updated a month ago

(Reporter: keeler, Assigned: Ben Wilson, NeedInfo)
(Blocks: 1 bug)
(Whiteboard: [ca-compliance])

In July TI Trust Technologies Global CA issued a certificate with no subject alternative name extension: https://crt.sh/?id=26361345&opt=cablint

It doesn't look like an ongoing problem, but we should reach out and make sure they have a process in place for preventing this and similar problems in the future.

Comment 1

a year ago
Ben and Jeremy, looks like TI Trust Technologies Global CA is one of DigiCert's CA Hierarchies. Would you please check with them to make sure they are no longer issuing SSL certs without SAN?
(Assignee)

Comment 2

a year ago
We checked with Telecom Italia Trust Technologies regarding this no-SAN certificate and regarding earlier issued SHA1 certificates. They responded that these were logged and remediated as bugs in their systems, and should not re-occur. ("Regarding the “no-SAN” certificate issued in July, this happened because of a bug (already fixed) in the check on the presence of the attribute SAN in the csr of our provisioning system.")
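
A guard for the failure described in Comment 2, as an added example (not code from this bug, DigiCert or TI Trust Technologies): instead of relying on a check of the CSR, it lints the DER certificate itself for a subjectAltName extension using Go's `crypto/x509`. `LintSAN`, `BuildSample` and the name `www.example.test` are hypothetical, and the sample certificates are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LintSAN (hypothetical) rejects a certificate with no SAN (OID 2.5.29.17) or no dNSName/iPAddress in it.
func LintSAN(der []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal([]int{2, 5, 29, 17}) {
			if len(cert.DNSNames)+len(cert.IPAddresses) == 0 {
				return fmt.Errorf("subjectAltName has no dNSName or iPAddress")
			}
			return nil
		}
	}
	return fmt.Errorf("no subjectAltName extension (CN=%q)", cert.Subject.CommonName)
}

// BuildSample (hypothetical) makes a throwaway self-signed certificate as
// constructed test data. A nil dnsNames yields a certificate with no SAN.
func BuildSample(cn string, dnsNames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames: dnsNames,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, _ := BuildSample("www.example.test", nil)
	fmt.Println(LintSAN(der))
}
```

Checking the certificate bytes rather than the request means a regression in CSR handling still fails closed at this step.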

Updated

a year ago
Whiteboard: BR Compliance

Updated

8 months ago
Summary: TI Trust Technologies Global CA issued certificate with no subject alternative name extension → DigiCert: TI Trust Technologies Global CA issued certificate with no subject alternative name extension

Updated

8 months ago
Component: CA Certificates → CA Certificate Mis-Issuance
Whiteboard: BR Compliance → [ca-compliance]

Updated

7 months ago
Product: mozilla.org → NSS

Comment 3

2 months ago
Ben: Can you provide an update on this bug on the status of TI Trust Technologies? My understanding is that they have been migrated to a managed infrastructure, but I think an update here would be good before we close this bug out.
Flags: needinfo?(ben.wilson)
QA Contact: gerv

Comment 4

2 months ago
Hey Ryan - they are in the process of migration. We're still working with them to figure out what date we can add their old CA to OneCRL and when we can revoke it. We didn't want to close this one until we got them to commit to a set date.

Comment 5

2 months ago
Thanks. Without wanting to spread the discussion out around several bugs, can you provide an update about the timelines here towards making a decision?

In wanting to apply a consistent standard, and a consistent expectation of communication, I think it's reasonable to have an expectation of a concrete date to be set soon.

Comment 6

2 months ago
Yes. We currently proposed Oct 31, 2017 as the OneCRL date and Dec 29, 2017 as the revocation date. TI Trust Systems is looking at the impact of those dates and should reply to us shortly. They just barely started migrating to the DigiCert-hosted issuing CA. I'll update the bug when they respond.
Flags: needinfo?(jeremy.rowley)

Comment 7

2 months ago
Update: We're currently performing the domain validation on all domains used by TI Trust Systems. Once this is complete, they will begin migration to a hosted solution.

Comment 8

a month ago
Can you confirm the migration is still scheduled in ~2 weeks (Oct 31)? It didn't look like there was an update to Comment #6.

Comment 9

a month ago
They are currently migrating.  They have migrated 800+ certs so far. I doubt we'll finish the migration by Oct 31.  We ran into some language complications while trying to complete the domain validation process. I suspect they will finish closer to the end of Nov. The last few always take the longest to transfer over.
Flags: needinfo?(jeremy.rowley)

Updated

a month ago
Assignee: kwilson → ben.wilson