Closed Bug 1315019 Opened 9 years ago Closed 9 years ago

SHA-1 issuance by TeliaSonera root

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: gerv, Assigned: kathleen.a.wilson)

References

Details

https://crt.sh/?id=15647440&opt=cablint is a certificate for the domain name "fieldwork.services.logica.com", which uses the SHA-1 hash algorithm and was issued in 2016. This cert was issued by the intermediate "TeliaSonera Server CA v1": https://crt.sh/?caid=752&opt=cablint which chains up to "TeliaSonera Root CA v1", a root certificate trusted by Mozilla to issue server certificates. This issuance is in violation of the Baseline Requirements, which Mozilla policies require adherence to. Please can you explain what has happened, with particular reference to the following questions:

A) Does the CP/CPS of the relevant issuing CA forbid the use of SHA-1? If not, why not?

B) What is the audit status of the relevant issuing CAs?

C) What technical controls are in place within your CA to prevent SHA-1 issuance and how were they bypassed?

Gerv
Pekka, Please look into this and update this bug with the information listed above as soon as possible.
This is the same discovery we already replied to in May here: https://groups.google.com/forum/#!searchin/mozilla.dev.security.policy/teliasonera%7Csort:relevance/mozilla.dev.security.policy/xKibg5sf5Oc/Q7f-bWxAAAAJ

In short, it was a human mistake by one of our admins. It can't and won't happen again. This single certificate will be revoked soon together with our other (issued early 2014) still valid SHA-1 certificates.

a) Only SHA-2 has been allowed by our CPS.

b) Audit status is good and audit results are publicly available here: https://repository.trust.teliasonera.com/index.html

c) The particular SHA-1 certificate bypassed the technical controls because it was enrolled by using the CA admin console. Controls in our normal systems include authorization and configuration details so that SHA-1 certificates can't be issued.
OK, thank you. Gerv
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
Product: mozilla.org → NSS
Product: NSS → CA Program