Closed
Bug 1339339
Opened 5 years ago
Closed 5 years ago
DigiCert: Non-BR Compliant Certificates - missing CP/CPS OID
Categories
(NSS :: CA Certificate Compliance, task)
NSS
CA Certificate Compliance
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jeremy.rowley, Assigned: jeremy.rowley)
References
Details
(Whiteboard: [ca-compliance] )
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 Steps to reproduce: For the purposes of SSL issuance, Microsoft operates a PKI that chains to a DigiCert Root (Baltimore CyberTrust Root), and since 2014, we (Microsoft) have been running a Webtrust-audited SSL hierarchy, which later obtained a Baseline Requirements seal as well. Recently, we introduced a new environment for this service, and during preproduction testing, we found that the certificates issued by the new CAs were missing the CP/CPS OID. While only a handful of impacted certificates were public-facing, and a missing CP/CPS OID doesn’t represent a security issue, we recognize this is not aligned with the standards outlined in Baseline Requirements. Therefore, we quickly located the error causing the mislabeling and corrected it. Other than this, the certificates were issued in accordance with Baseline Requirements, and Microsoft has taken action to prevent this from reoccurring.
|
Assignee | |
Updated•5 years ago
|
Blocks: BR-Compliance
Whiteboard: BR Compliance
|
||
Comment 1•5 years ago
|
||
Thanks, Jeremy, for creating this bug. Please keep us updated (by adding comments to this bug) about remaining action items, and when this concern has been completely resolved.
Assignee: kwilson → jeremy.rowley
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
|
|
||
Updated•5 years ago
|
Summary: Non-BR Compliant Certificates → Non-BR Compliant Certificates - missing CP/CPS OID
|
|
Assignee | |
Comment 2•5 years ago
|
||
80% of the certificates have been revoked. By the next update, 100% of the certs will be revoked.
|
|
Assignee | |
Comment 3•5 years ago
|
||
Update - all of these certs are revoked.
|
||
Updated•5 years ago
|
Summary: Non-BR Compliant Certificates - missing CP/CPS OID → DigiCert: Non-BR Compliant Certificates - missing CP/CPS OID
|
|
||
Updated•5 years ago
|
Component: CA Certificates → CA Certificate Mis-Issuance
Whiteboard: BR Compliance → [ca-compliance]
|
|
Assignee | |
Comment 4•5 years ago
|
||
I think this is closed, right? All certs were revoked and the system was patched to ensure a CP OID is included each time.
|
|
||
Updated•5 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
|
||
Updated•5 years ago
|
Product: mozilla.org → NSS
You need to log in
before you can comment on or make changes to this bug.
Description
•