Closed
Bug 1353827
Opened 7 years ago
Closed 7 years ago
DigiCert: DigiCert issued cert with CN too long
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)
Details
(Whiteboard: [ca-compliance] [ev-misissuance] [iv-misissuance])
Reported in the mozilla.dev.security.policy forum: https://groups.google.com/d/msg/mozilla.dev.security.policy/Cyyyjdf_t2Q/ZueUP63JEAAJ DigiCert issued a cert (https://crt.sh/?id=98120546) with a commonName that is too long (67 characters). RFC 5280 defines the upper bound of the commonName field as 64 characters. DigiCert also has many certificates where the organizationName is too long. An example: https://crt.sh/?id=100279600. See https://crt.sh/?x509lint=363 for a list of recent ones.
Comment 1•7 years ago
Thanks Kathleen. We've since gone through 5280 to determine what exactly is required on encoding and length of fields. We've cut the various fields to the correct length now but plan to continue a ballot in the CAB Forum to get an exception to this requirement, as 64 characters is insufficient to recognize international organizations, and application software doesn't care about the limit. Part of the confusion leading to longer values in these fields is that the EV Guidelines explicitly state that the limit is 64 characters while the same language is absent from the BRs. The lack of information in the BRs compared to the EVs is odd, especially where the limits are set in the RFC. We should update this language.
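As an added example (not code from the bug, DigiCert or Mozilla), the length check the description and Comment 1 describe, run over a DER-encoded subject Name with a small hand-written DER walker: it flags every attribute longer than the RFC 5280 Appendix A upper bound, counting characters rather than UTF-8 bytes. The sample Name is constructed by hand and is not the real certificate; `name_attributes`, `check_upper_bounds` and `SAMPLE_NAME` are names chosen here.

```python
"""Added example (not the bug's or DigiCert's code): flag X.509 Name attributes that
exceed the X.520 upper bounds RFC 5280 Appendix A imports (ub-common-name = 64, ...)."""
# dotted OID -> (attribute, upper bound in characters), from RFC 5280 Appendix A
UPPER_BOUNDS = {"2.5.4.3": ("commonName", 64), "2.5.4.10": ("organizationName", 64),
                "2.5.4.11": ("organizationalUnitName", 64), "2.5.4.6": ("countryName", 2),
                "2.5.4.7": ("localityName", 128), "2.5.4.8": ("stateOrProvinceName", 128)}
CODECS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}  # UTF8/Printable/IA5/BMP

def _tlv(buf, pos):
    """Read one definite-length DER TLV at pos; return (tag, content, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low 7 bits = number of length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _oid(raw):
    """Decode OID content octets (first octet packs two arcs, rest are base-128) to dotted form."""
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(val)); val = 0
    return ".".join(arcs)

def name_attributes(name_der):
    """Flatten Name ::= SEQUENCE OF SET OF {type OID, value string} into [(oid, text)]."""
    out, pos, (_, rdns, _) = [], 0, _tlv(name_der, 0)
    while pos < len(rdns):
        _, rdn, pos = _tlv(rdns, pos)          # one RelativeDistinguishedName (SET)
        ipos = 0
        while ipos < len(rdn):
            _, atv, ipos = _tlv(rdn, ipos)     # AttributeTypeAndValue (SEQUENCE)
            _, oid_raw, p = _tlv(atv, 0)
            vtag, vraw, _ = _tlv(atv, p)
            out.append((_oid(oid_raw), vraw.decode(CODECS.get(vtag, "utf-8"))))
    return out

def check_upper_bounds(name_der):
    """Return (attribute, length, bound) for every value over its bound; length is in characters."""
    bad = []
    for oid, text in name_attributes(name_der):
        if oid in UPPER_BOUNDS and len(text) > UPPER_BOUNDS[oid][1]:
            bad.append((UPPER_BOUNDS[oid][0], len(text), UPPER_BOUNDS[oid][1]))
    return bad

# Constructed sample (hand-encoded DER, not the real cert): O of 64 chars (at the bound), CN of 67 (over it)
_O_RDN = bytes.fromhex("3149 3047 0603 55040a 0c40") + b"O" * 64
_CN_RDN = bytes.fromhex("314c 304a 0603 550403 0c43") + b"x" * 67
SAMPLE_NAME = bytes.fromhex("30 8199") + _O_RDN + _CN_RDN   # outer SEQUENCE, 153-byte long-form length
```

For a real certificate the Name bytes are the tbsCertificate subject field; `check_upper_bounds(SAMPLE_NAME)` returns `[('commonName', 67, 64)]`, and a 64-character non-ASCII CN (128 UTF-8 bytes) passes because the bound applies to characters.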
Updated•7 years ago
Product: mozilla.org → NSS
Comment 2•7 years ago
Jeremy: Could you provide a brief timeline of the mitigation and confirm all mitigations are in place? I'm wanting to close out some of the older compliance bugs that predate https://wiki.mozilla.org/CA/Responding_To_A_Misissuance , but wanting to make sure that the bug provides a holistic picture of all relevant information related to this incident.
Flags: needinfo?(jeremy.rowley)
QA Contact: gerv
Comment 3•7 years ago
Sure.

1. Mar 8, 2017 - Reported by Ryan Sleevi on Mozilla dev policy
2. Mar 8, 2017 - DigiCert began investigation
3. Mar 8, 2017 - DigiCert revoked system
4. Mar 8, 2017 - DigiCert scanned system for names that were too long
5. Mar 9, 2017 - Jeremy replied to Ryan about the root cause: "is certificate was issued by an employee of DigiCert as a test on our systems to see if we'd resolved an issue with a path permitting CN fields greater than 64 characters. Obviously, the issue wasn't resolved and the JIRA is still open. We're deploying a patch shortly to fix path and limit the string to 64 characters. All required validation was completed successfully prior to issuing the certificate. Although we have a policy against using live certificates for testing, the policy was not followed in this case. Prior to issuing the certificate, we actually checked to see if any other certificates existed with a CN length longer than 64 chars (basically to see if this path had ever been used by a customer). There are no other certificates with that long of common name, meaning this issue should be resolved with the patch."
6. Mar 9, 2017 - DigiCert patched issuing system

I know there was a date when the scan completed, but I need to talk to someone at work as I don't have the exact date available.
Comment 4•7 years ago
Okay - we ran the scan on Mar 9th as well and found the only long CN included was the test one we issued.
Flags: needinfo?(jeremy.rowley)
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•1 year ago
Product: NSS → CA Program
Updated•1 year ago
Whiteboard: [ca-compliance] → [ca-compliance] [ev-misissuance] [iv-misissuance]