SHA-1 issuance by Symantec root

RESOLVED WONTFIX

Status

NSS
CA Certificate Root Program
2 years ago
a year ago

People

(Reporter: gerv, Assigned: Kathleen Wilson)

Details

https://crt.sh/?id=13407116&opt=cablint is an EV CT pre-certificate for the domain name "www.usaa.com" and 13 other SANs, which uses the SHA-1 hash algorithm and was issued in 2016. This cert was issued by the intermediate "Symantec Class 3 EV SSL CA - G2":
https://crt.sh/?caid=1534&opt=cablint
which chains up to "VeriSign Class 3 Public Primary Certification Authority - G5", a root certificate trusted by Mozilla to issue server certificates.

We recognise this certificate is a pre-cert and not a full cert. However, RFC6962 says:

"The signature on the TBSCertificate indicates the certificate authority's intent to issue a certificate. This intent is considered binding (i.e., misissuance of the Precertificate is considered equal to misissuance of the final certificate)."

Therefore, this issuance is in violation of the Baseline Requirements, which Mozilla policies require adherence to. Please can you explain what has happened, with particular reference to the following questions:

A) Does the CP/CPS of the relevant issuing CA forbid the use of SHA-1? If not, why not?

B) What is the audit status of the relevant issuing CAs?

C) What technical controls are in place within your CA to prevent SHA-1 issuance and how were they bypassed?

D) Was the full certificate in fact created? Was it transmitted to USAA?

Gerv

Comment 1

2 years ago
Gerv, this was disclosed back in March and discussed on dev.security.policy at https://groups.google.com/forum/#!searchin/mozilla.dev.security.policy/64$3Aa9$3A32$3A73$3Aa4$3A19$3Ad1$3A64/mozilla.dev.security.policy/siHOXppxE9k/0PLPVcktBAAJ.

-Rick

So it was. Thank you for that reminder; I had forgotten.

Reviewing that discussion, Sanjay Modi wrote:
 
"Following discussions with the customer who initiated this order, we have identified a technical deficiency in our system that allowed for hash algorithm modifications by a subset of customers to existing enrollments in limited circumstances, and only when pending administrator review prior to issuance.  We released a patch today to add this case to our system-wide SHA1 blocking mechanisms. In addition, as an added precaution, we are evaluating an update to actively change any SHA1 orders encountered in our system to SHA256."

I think if Mozilla wanted to take additional action regarding this cert, we should have taken it back then.

Gerv
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX
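
The condition reported in this bug, a SHA-1 signature algorithm on a certificate or pre-certificate dated on or after the Baseline Requirements cutoff of 1 January 2016, can be checked from two fields of the DER-encoded TBSCertificate. The following is an added example, not code from the bug thread, Symantec or crt.sh; the function names, the three-entry OID list (sha1WithRSAEncryption, ecdsa-with-SHA1, dsa-with-sha1) and the `sample_cert` test skeleton are assumptions of the example.

```python
from datetime import datetime, timezone

SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1", "1.2.840.10040.4.3"}
CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)  # BR: no new SHA-1 certs from here

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for b in body:  # base-128, high bit set on all but the last byte of an arc
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def is_post_cutoff_sha1(der):
    """True if the (pre-)certificate is SHA-1 signed with notBefore >= CUTOFF."""
    _, cert, _ = read_tlv(der, 0)           # Certificate
    _, tbs, _ = read_tlv(cert, 0)           # tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)          # [0] version, or serialNumber in v1
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)      # serialNumber
    _, alg, pos = read_tlv(tbs, pos)        # signature AlgorithmIdentifier
    _, oid, _ = read_tlv(alg, 0)
    _, _, pos = read_tlv(tbs, pos)          # issuer
    _, validity, _ = read_tlv(tbs, pos)
    tag, nb, _ = read_tlv(validity, 0)      # notBefore
    s = nb.decode("ascii")
    if tag == 0x17:                         # UTCTime: RFC 5280 two-digit-year pivot
        s = ("19" if s[:2] >= "50" else "20") + s
    not_before = datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return decode_oid(oid) in SHA1_SIG_OIDS and not_before >= CUTOFF

def sample_cert(oid_der, not_before):  # constructed, unsigned skeleton (test data)
    t = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
    alg = t(0x30, t(0x06, oid_der) + t(0x05, b""))
    tbs = t(0x30, t(0xA0, t(0x02, b"\x02")) + t(0x02, b"\x01") + alg + t(0x30, b"")
              + t(0x30, t(0x17, not_before) + t(0x17, b"170301000000Z")))
    return t(0x30, tbs + alg + t(0x03, b"\x00"))
```

`is_post_cutoff_sha1` takes the raw DER bytes of a certificate or pre-certificate; notBefore is the CA's own assertion, so it is only a proxy for the actual issuance date.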

Updated

a year ago
Product: mozilla.org → NSS