DigiCert: Non-BR Compliant Certificates - missing CP/CPS OID

RESOLVED FIXED

Status

Product: NSS
Component: CA Certificate Mis-Issuance
Opened: 8 months ago
Last updated: 6 months ago

People

(Reporter: Jeremy, Assigned: Jeremy)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ca-compliance])

Description

8 months ago
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

For the purposes of SSL issuance, Microsoft operates a PKI that chains to a DigiCert Root (Baltimore CyberTrust Root), and since 2014, we (Microsoft) have been running a WebTrust-audited SSL hierarchy, which later obtained a Baseline Requirements seal as well. Recently, we introduced a new environment for this service, and during preproduction testing, we found that the certificates issued by the new CAs were missing the CP/CPS OID. While only a handful of impacted certificates were public-facing, and a missing CP/CPS OID doesn’t represent a security issue, we recognize this is not aligned with the standards outlined in Baseline Requirements. Therefore, we quickly located the error causing the mislabeling and corrected it. Other than this, the certificates were issued in accordance with Baseline Requirements, and Microsoft has taken action to prevent this from reoccurring.

Updated

8 months ago
Blocks: 1029147
Whiteboard: BR Compliance

Comment 1

8 months ago
Thanks, Jeremy, for creating this bug. Please keep us updated (by adding comments to this bug) about remaining action items, and when this concern has been completely resolved.
Assignee: kwilson → jeremy.rowley
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Updated

8 months ago
Summary: Non-BR Compliant Certificates → Non-BR Compliant Certificates - missing CP/CPS OID

Comment 2

8 months ago
80% of the certificates have been revoked. By the next update, 100% of the certs will be revoked.

Comment 3

8 months ago
Update - all of these certs are revoked.

Updated

7 months ago
Summary: Non-BR Compliant Certificates - missing CP/CPS OID → DigiCert: Non-BR Compliant Certificates - missing CP/CPS OID

Updated

7 months ago
Component: CA Certificates → CA Certificate Mis-Issuance
Whiteboard: BR Compliance → [ca-compliance]

Comment 4

7 months ago
I think this is closed, right? All certs were revoked and the system was patched to ensure a CP OID is included each time.

Updated

7 months ago
Status: ASSIGNED → RESOLVED
Last Resolved: 7 months ago
Resolution: --- → FIXED

Updated

6 months ago
Product: mozilla.org → NSS
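
Added example (not part of the bug thread and not DigiCert's or Microsoft's code): a Go check for the defect discussed in this bug, a certificate issued without a policy OID in its certificatePolicies extension. The names `PolicyOIDs` and `SampleCert` are hypothetical, and the certificates are constructed in-process as test input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidCertPolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // id-ce-certificatePolicies
type policyInfo struct { // PolicyInformation, RFC 5280 section 4.2.1.4
	ID         asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"` // CPS URI etc., not inspected here
}

// PolicyOIDs lists the policy OIDs in a DER certificate; none means the CP OID is missing.
func PolicyOIDs(der []byte) (oids []string, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	var infos []policyInfo
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidCertPolicies) {
			_, err = asn1.Unmarshal(ext.Value, &infos)
		}
	}
	for _, p := range infos {
		oids = append(oids, p.ID.String())
	}
	return oids, err
}

// SampleCert builds a constructed, self-signed test certificate (hypothetical helper).
func SampleCert(policy []int) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if policy != nil {
		val, _ := asn1.Marshal([]policyInfo{{ID: policy}})
		tpl.ExtraExtensions = []pkix.Extension{{Id: oidCertPolicies, Value: val}}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	return der
}

func main() { fmt.Println(PolicyOIDs(SampleCert(nil))) }
```

Run against each certificate from a new issuing environment before it goes public-facing, an empty result flags the condition reported here.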