Closed Bug 1353827 Opened 7 years ago Closed 7 years ago

DigiCert: DigiCert issued cert with CN too long

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)

Details

(Whiteboard: [ca-compliance] [ev-misissuance] [iv-misissuance])

Reported in the mozilla.dev.security.policy forum:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Cyyyjdf_t2Q/ZueUP63JEAAJ

DigiCert issued cert (https://crt.sh/?id=98120546) with commonName too long (67 characters). RFC 5280 defines the upper-bound of the commonName field as 64 characters.

DigiCert also has many certificates where the organizationName is too long. An example: https://crt.sh/?id=100279600. See https://crt.sh/?x509lint=363 for a list of recent ones.
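A lint for the RFC 5280 upper bounds the report refers to, added here as an example; it is not part of the bug thread and is not DigiCert's or crt.sh's own tooling. It keys attributes by dotted OID so the checker needs no library; only the optional PEM extractor assumes the third-party `cryptography` package is installed.

```python
"""Lint X.509 subject attribute lengths against the RFC 5280 Appendix A upper bounds."""
from typing import Iterable, List, Tuple

# RFC 5280 Appendix A.1 "ub-*" constants, keyed by dotted OID. The ASN.1 SIZE
# constraints on DirectoryString count characters, not encoded bytes, so a
# 64-character UTF8String name with multibyte characters is still compliant.
UPPER_BOUNDS = {
    "2.5.4.3": ("CN", 64),             # ub-common-name
    "2.5.4.10": ("O", 64),             # ub-organization-name
    "2.5.4.11": ("OU", 64),            # ub-organizational-unit-name
    "2.5.4.7": ("L", 128),             # ub-locality-name
    "2.5.4.8": ("ST", 128),            # ub-state-name
    "2.5.4.6": ("C", 2),               # ub-country-name-alpha-length
    "2.5.4.5": ("serialNumber", 64),   # ub-serial-number
    "2.5.4.12": ("title", 64),         # ub-title
    "2.5.4.65": ("pseudonym", 128),    # ub-pseudonym
    "1.2.840.113549.1.9.1": ("emailAddress", 255),  # ub-emailaddress-length
}

def check_name_lengths(attrs: Iterable[Tuple[str, str]]) -> List[str]:
    """Return one finding per attribute whose value exceeds its upper bound.

    `attrs` is a subject as (dotted OID, decoded string value) pairs. Attribute
    types without a bound in the table are skipped, not flagged.
    """
    findings = []
    for oid, value in attrs:
        if oid in UPPER_BOUNDS:
            label, limit = UPPER_BOUNDS[oid]
            if len(value) > limit:
                findings.append(f"{label} is {len(value)} chars, RFC 5280 upper bound is {limit}")
    return findings

def subject_attrs_from_pem(pem: bytes) -> List[Tuple[str, str]]:
    """Extract (dotted OID, value) pairs from a PEM certificate's subject.

    Needs the third-party `cryptography` package (assumed installed); imported
    here so the pure checker above runs without it.
    """
    from cryptography import x509
    cert = x509.load_pem_x509_certificate(pem)
    return [(a.oid.dotted_string, str(a.value)) for a in cert.subject]

# Constructed sample subject shaped like the incident: a 67-character CN and an
# over-long O beside a compliant C. These are not the real certificate's values.
SAMPLE_SUBJECT = [
    ("2.5.4.3", "www." + "x" * 55 + ".example"),              # 67 characters
    ("2.5.4.10", "Example Organisation " + "Holdings " * 6),  # 75 characters
    ("2.5.4.6", "US"),
]
```

Running `check_name_lengths(SAMPLE_SUBJECT)` reports the CN and O violations and stays silent on the country code; feed `subject_attrs_from_pem()` output to the same function to lint a real certificate.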
Thanks Kathleen. We've since gone through 5280 to determine what exactly is required on encoding and length of fields. We've cut the various fields to the correct length now but plan to continue a ballot in the CAB Forum to get an exception to this requirement, as 64 characters is insufficient to recognize international organizations, and application software doesn't care about the limit. Part of the confusion leading to longer values in these fields is that the EV Guidelines explicitly state that the limit is 64 characters while the same language is absent from the BRs. The lack of information in the BRs compared to the EVs is odd, especially where the limits are set in the RFC. We should update this language.
Product: mozilla.org → NSS
Jeremy: Could you provide a brief timeline of the mitigation and confirm all mitigations are in place? I'm wanting to close out some of the older compliance bugs that predate https://wiki.mozilla.org/CA/Responding_To_A_Misissuance , but wanting to make sure that the bug provides a holistic picture of all relevant information related to this incident.
Flags: needinfo?(jeremy.rowley)
QA Contact: gerv
Sure. 

1. Mar 8, 2017 - Reported by Ryan Sleevi on Mozilla dev policy
2. Mar 8, 2017 - DigiCert began investigation
3. Mar 8, 2017 - DigiCert revoked system
4. Mar 8, 2017 - DigiCert scanned system for names that were too long
5. Mar 9, 2017 - Jeremy replied to Ryan about the root cause:
"This certificate was issued by an employee of DigiCert as a test on our systems to see if we'd resolved an issue with a path permitting CN fields greater than 64 characters. Obviously, the issue wasn't resolved and the JIRA is still open. We're deploying a patch shortly to fix the path and limit the string to 64 characters. All required validation was completed successfully prior to issuing the certificate. Although we have a policy against using live certificates for testing, the policy was not followed in this case. Prior to issuing the certificate, we actually checked to see if any other certificates existed with a CN length longer than 64 chars (basically to see if this path had ever been used by a customer). There are no other certificates with that long of a common name, meaning this issue should be resolved with the patch."

6. Mar 9, 2017 - DigiCert patched issuing system

I know there was a date when the scan completed, but I need to talk to someone at work as I don't have the exact date available.
Okay - we ran the scan on Mar 9th as well and found the only long CN included was the test one we issued.
Flags: needinfo?(jeremy.rowley)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ev-misissuance] [iv-misissuance]