Closed Bug 1304895 Opened 8 years ago Closed 6 years ago

DigiCert: TI Trust Technologies Global CA issued certificate with no subject alternative name extension

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: keeler, Assigned: wthayer)

References

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

In July TI Trust Technologies Global CA issued a certificate with no subject alternative name extension: https://crt.sh/?id=26361345&opt=cablint

It doesn't look like an ongoing problem, but we should reach out and make sure they have a process in place for preventing this and similar problems in the future.
Ben and Jeremy, looks like TI Trust Technologies Global CA is one of DigiCert's CA Hierarchies. Would you please check with them to make sure they are no longer issuing SSL certs without SAN?
We checked with Telecom Italia Trust Technologies regarding this no-SAN certificate and regarding earlier issued SHA1 certificates. They responded that these were logged and remediated as bugs in their systems, and should not re-occur. ("Regarding the “no-SAN” certificate issued in July, this happened because of a bug (already fixed) in the check on the presence of the attribute SAN in the csr of our provisioning system.")
Whiteboard: BR Compliance
Summary: TI Trust Technologies Global CA issued certificate with no subject alternative name extension → DigiCert: TI Trust Technologies Global CA issued certificate with no subject alternative name extension
Component: CA Certificates → CA Certificate Mis-Issuance
Whiteboard: BR Compliance → [ca-compliance]
Product: mozilla.org → NSS
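The root cause reported above is a provisioning-system check that failed to notice a missing subjectAltName. The lint that crt.sh ran on the certificate (cablint) catches this after issuance; the following is an added, stand-alone example (not code from this bug, from DigiCert, or from TI Trust Technologies) of the same post-issuance check written against the DER structure with the Python standard library only. It walks a DER Certificate to its `[3] EXPLICIT Extensions` field and reports whether OID 2.5.29.17 is present. The certificates it checks are constructed skeletons whose non-extension fields are empty placeholders; the `der`/`encode_oid` helpers exist only to build that sample input.

```python
"""Detect a certificate issued without a subjectAltName extension.
Minimal DER walker (stdlib only); sample certificates are constructed below."""

SAN_OID = "2.5.29.17"        # id-ce-subjectAltName (RFC 5280 4.2.1.6)
KEY_USAGE_OID = "2.5.29.15"  # id-ce-keyUsage, a second extension for the samples


def der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F                       # long form: n length octets follow
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def der_tlvs(buf):
    """Yield (tag, value) for each consecutive TLV in buf (single-byte tags)."""
    i = 0
    while i < len(buf):
        length, j = der_len(buf, i + 1)
        yield buf[i], buf[j:j + length]
        i = j + length


def decode_oid(value):
    """OID content octets -> dotted string, e.g. 55 1D 11 -> '2.5.29.17'."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def extension_oids(extensions_der):
    """OIDs in a DER 'Extensions ::= SEQUENCE OF Extension' block, in order."""
    tag, seq = next(der_tlvs(extensions_der))
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    oids = []
    for tag, ext in der_tlvs(seq):
        oid_tag, oid_val = next(der_tlvs(ext))   # extnID is the first field
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed Extension")
        oids.append(decode_oid(oid_val))
    return oids


def certificate_extensions(cert_der):
    """Extensions SEQUENCE from a DER Certificate, or None (e.g. a v1 cert)."""
    _, cert = next(der_tlvs(cert_der))     # Certificate ::= SEQUENCE {tbs, alg, sig}
    _, tbs = next(der_tlvs(cert))          # tbsCertificate is the first element
    for tag, value in der_tlvs(tbs):
        if tag == 0xA3:                    # extensions [3] EXPLICIT
            return value
    return None


def has_san(cert_der):
    """True only when the certificate carries a subjectAltName extension."""
    exts = certificate_extensions(cert_der)
    return exts is not None and SAN_OID in extension_oids(exts)


# --- constructed sample input (placeholder fields, not real certificates) ---

def der(tag, content):
    """Encode one TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                         # base-128, high bit set on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


KEY_USAGE_EXT = der(0x30, encode_oid(KEY_USAGE_OID) + der(0x01, b"\xff")
                    + der(0x04, der(0x03, b"\x05\xa0")))      # critical; digSig|keyEnc
SAN_EXT = der(0x30, encode_oid(SAN_OID)
              + der(0x04, der(0x30, der(0x82, b"example.com"))))  # dNSName


def skeleton_cert(extensions):
    """Structurally valid Certificate whose only meaningful field is extensions."""
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")     # version, serial
           + der(0x30, b"") * 5)          # alg, issuer, validity, subject, spki stubs
    if extensions:
        tbs += der(0xA3, der(0x30, b"".join(extensions)))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))


CERT_WITH_SAN = skeleton_cert([KEY_USAGE_EXT, SAN_EXT])
CERT_NO_SAN = skeleton_cert([KEY_USAGE_EXT])     # the pattern reported in this bug
CERT_NO_EXTENSIONS = skeleton_cert([])            # no extensions field at all
```

Run `has_san()` over the DER of any certificate and gate issuance (or alert post-issuance) when it returns False; the same extension walk applies to the `extensionRequest` attribute of a CSR once that attribute has been located, which is where the reported provisioning bug sat.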
Ben: Can you provide an update on this bug on the status of TI Trust Technologies? My understanding is that they have been migrated to a managed infrastructure, but I think an update here would be good before we close this bug out.
Flags: needinfo?(ben.wilson)
QA Contact: gerv
Hey Ryan - they are in process of migration.  We're still working with them to figure out what date we can add their old CA to OneCRL and when we can revoke it. We didn't want to close this one until we got them to commit to a set date.
Thanks. Without wanting to spread the discussion out around several bugs, can you provide an update about the timelines here towards making a decision?

In wanting to apply a consistent standard, and a consistent expectation of communication, I think it's reasonable to have an expectation of a concrete date to be set soon.
Yes. We currently proposed Oct 31, 2017 as the OneCRL date and Dec 29, 2017 as the revocation date. TI Trust Systems is looking at the impact of those dates and should reply to us shortly. They just barely started migrating to the DigiCert-hosted issuing CA. I'll update the bug when they respond.
Flags: needinfo?(jeremy.rowley)
Update: We're currently performing the domain validation on all domains used by TI Trust Systems. Once this is complete, they will begin migration to a hosted solution.
Can you confirm the migration is still scheduled in ~2 weeks (Oct 31)? It didn't look like there was an update to Comment #6
They are currently migrating.  They have migrated 800+ certs so far. I doubt we'll finish the migration by Oct 31.  We ran into some language complications while trying to complete the domain validation process. I suspect they will finish closer to the end of Nov. The last few always take the longest to transfer over.
Flags: needinfo?(jeremy.rowley)
Assignee: kwilson → ben.wilson
Jeremy: time for another update here? (Sidenote: it would help to find you in autocomplete if you added your surname to the Name field in your Bugzilla profile...)

Gerv
Flags: needinfo?(jeremy.rowley)
TI Trust has finished migrating all of their TLS certificates to a hosted solution. They have not finished migrating all of their email certs. We're working out a date when the issuing CA will be posted to OneCRL. I've proposed by year's end but I haven't heard back. They are hoping to have all email certs migrated by around the end of March, at which point we can revoke it.
Flags: needinfo?(jeremy.rowley)
Flags: needinfo?(ben.wilson)
Changing QA contact per https://bugzilla.mozilla.org/show_bug.cgi?id=1438254
QA Contact: gerv → wthayer
These CAs have been revoked and added to OneCRL - https://bugzilla.mozilla.org/show_bug.cgi?id=1437038. I think this can be closed.
Assignee: ben.wilson → wthayer
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]