Closed Bug 1391058 Opened 7 years ago Closed 7 years ago

PROCERT: Non-BR-Compliant Certificate Issuance

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1403549

People

(Reporter: kathleen.a.wilson, Assigned: mozilla.psc.procert, NeedInfo)

Details

(Whiteboard: [ca-compliance] [uncategorized])

Attachments

(8 files)

The following problems have been found in certificates issued by your CA, and reported in the mozilla.dev.security.policy forum. Direct links to those discussions are provided for your convenience.

To continue inclusion of your CA’s root certificates in Mozilla’s Root Store, you must respond in this bug to provide the following information:
1) How your CA first became aware of the problems listed below (e.g. via a Problem Report, via the discussion in mozilla.dev.security.policy, or via this Bugzilla Bug), and the date.
2) Prompt confirmation that your CA has stopped issuing TLS/SSL certificates with the problems listed below.
3) Complete list of certificates that your CA finds with each of the listed issues during the remediation process. The recommended way to handle this is to ensure each certificate is logged to CT and then attach a CSV file/spreadsheet of the fingerprints or crt.sh IDs, with one list per distinct problem.
4) Summary of the problematic certificates. For each problem listed below: number of certs, date first and last certs with that problem were issued.
5) Explanation about how and why the mistakes were made, and not caught and fixed earlier.
6) List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
7) Regular updates to confirm when those steps have been completed.

Note Section 4.9.1.1 of the CA/Browser Forum’s Baseline Requirements, which states:
“The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs: …
9. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement; 
10. The CA determines that any of the information appearing in the Certificate is inaccurate or misleading; …
14. Revocation is required by the CA’s Certificate Policy and/or Certification Practice Statement; or 
15. The technical content or format of the Certificate presents an unacceptable risk to Application Software Suppliers or Relying Parties (e.g. the CA/Browser Forum might determine that a deprecated cryptographic/signature algorithm or key size presents an unacceptable risk and that such Certificates should be revoked and replaced by CAs within a given period of time).

However, it is not our intent to introduce additional problems by forcing the immediate revocation of certificates that are not BR compliant when they do not pose an urgent security concern. Therefore, we request that your CA perform careful analysis of the situation. If there is justification to not revoke the problematic certificates, then explain those reasons and provide a timeline for when the bulks of the certificates will expire or be revoked/replaced. 

We expect that your forthcoming audit statements will indicate the findings of these problems. If your CA will not be revoking the certificates within 24 hours in accordance with the BRs, then that will also need to be listed as a finding in your CA’s BR audit statement.

We expect that your CA will work with your auditor (and supervisory body, as appropriate) and the Root Store(s) that your CA participates in to ensure your analysis of the risk and plan of remediation is acceptable. If your CA will not be revoking the problematic certificates as required by the BRs, then we recommend that you also contact the other root programs that your CA participates in to acknowledge this non-compliance and discuss what expectations their Root Programs have with respect to these certificates.


The problems reported for your CA in the mozilla.dev.security.policy forum are as follows:

** Failure to respond within 24 hours after Problem Report submitted
https://groups.google.com/d/msg/mozilla.dev.security.policy/PrsDfS8AMEk/w2AMK81jAQAJ
The problems were reported via your CA’s Problem Reporting Mechanism as listed here:
https://ccadb-public.secure.force.com/mozilla/CAInformationReport
Therefore, if this is the first time you have received notice of the problem(s) listed below, please review and fix your CA’s Problem Reporting Mechanism to ensure that it will work the next time someone reports a problem like this.

** Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ

** URI in dNSName SAN
https://groups.google.com/d/msg/mozilla.dev.security.policy/etp2Yz2fmM4/ayBTsfJnBgAJ

** Reserved IP addresses
https://groups.google.com/d/msg/mozilla.dev.security.policy/inocepURbNQ/MmkeMvhyCAAJ

** Common Name not in SAN
https://groups.google.com/d/msg/mozilla.dev.security.policy/K3sk5ZMv2DE/4oVzlN1xBgAJ
There is no wrong issue, let’s see


The SAN field is in fulfillment of the standard, please check the information registered below


Subject Alternative Name

    DNS Name=http://ripac.insopesca.gob.ve

     Other name:

     2.16.862.2.2=0c 0c 47 2d 32 30 30 30 30 33 33 39 2d 31

     IP Direction=190.9.130.7

    Other Name:

    1.3.6.1.2.1.32=0c 15 64 6e 73 31 2e 69 6e 73 6f 70 65 73 63 61 2e 67 6f 62 2e 76 65

 
• The DNS name can be resolved without any problem, please check the pdf file attachment. That evidence is in fulfilment of the CA Forum Ballot. According to the recommendation of Mozilla, the SAN must contain the FQDN (the fully qualified domain name) of the contractor's server, which is fulfilled, as demonstrated in the previous mail; what is not stipulated is whether it should contain http or not in the field, and I refer to the regulations of the CAB Forum at this point. Additionally, it complies with the RFC for the FQDN.


• The first Other Name duly complies with the OID standard and corresponds to the RIF (company tax number in Venezuela) of the contracting company; this corresponds to a formal request from SUSCERTE (Venezuela Government Agency) and is regulated in our corresponding CPS and CP. The second Other Name corresponds to the primary DNS of the DNS registered by the contracting company; both are regulated by the OID registry and in our CPS and CP.


• The IP Address corresponds to a public IP address. This meets the requirements of the CA Forum.


Based on the evidence provided and the indicated standard, the issuance of the certificate was executed under standard and does not generate problems
(In reply to alejandrovolcan from comment #1)
> There is no wrong issue, let’s see
> 
> 
> The SAN field is in fulfillment of the standard, please check the
> information registered below
> 
> 
> Subject Alternative Name
> 
>     DNS Name=http://ripac.insopesca.gob.ve
> 
>      Other name:
> 
>      2.16.862.2.2=0c 0c 47 2d 32 30 30 30 30 33 33 39 2d 31
> 
>      IP Direction=190.9.130.7
> 
>     Other Name:
> 
>     1.3.6.1.2.1.32=0c 15 64 6e 73 31 2e 69 6e 73 6f 70 65 73 63 61 2e 6 7 6f
> 62 2e 76 65
> 
>  
> • The DNS name can be resolved without any problem, please check the pdf file
> attachment. That evidence is in fulfilment of the CA Forum Ballot. According to the
> recommendation of Mozilla in the SAN must contain FQDN (the fully qualified
> domain name) of the contractor's server, which is fulfilled, as demonstrated
> in previous mail, what is not stipulated is whether it should contain http
> or not in the field, and I refer to the regulations of the CAB Forum at this
> point. Additionally, it complies with the RFC for the FQDN.  

This is quite incorrect.

See RFC 5280, Section 4.2.1.6, which clearly states:

   When the subjectAltName extension contains a domain name system
   label, the domain name MUST be stored in the dNSName (an IA5String).
   The name MUST be in the "preferred name syntax", as specified by
   Section 3.5 of [RFC1034] and as modified by Section 2.1 of
   [RFC1123]. 

These give clear directions as to what the contents of this field are, aka the "LDH rule" (letters digits hyphens), which explicitly precludes : and /

However, even if one was not bothered to look at RFC 1034 or RFC 1123, the immediate following paragraph would hopefully be clear and unambiguous:

   When the subjectAltName extension contains a URI, the name MUST be
   stored in the uniformResourceIdentifier (an IA5String).

As this is a URI, it is clearly stored in the wrong field.

Even if we were to further ignore the RFCs, as PROCERT has, the Baseline Requirements are similarly clear and unambiguous in the definitions for this case:

A Domain Name is "The label assigned to a node in the Domain Name System."
A Fully-Qualified Domain Name is "A Domain Name that includes the labels of all superior nodes in the Internet Domain Name System"

The Baseline Requirements permit FQDNs to be placed in the dNSName of the subjectAltName. By including a URI, it is no longer a Domain Name or FQDN.

> 
> • The first Other Name duly comply with the OID standard and corresponds to
> the RIF (company tax number in Venezuela) of the contracting company, this
> correspond a formal request from SUSCERTE (Venezuela Government Agency) and
> is regulated in our corresponding CPS and CP, the second Other Name
> corresponds to the primary DNS of the DNS registered by the contracting
> company, both are regulated by the OID registry and in our CPS and CP.

That's great, but that's explicitly not permitted by the Baseline Requirements.

Section 7.1.4.2.1 states that, for the subjectAltName, "Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server".

As the Other Name is neither of these types, it is a violation of the Baseline Requirements. As the Baseline Requirements supersede your CP/CPS (per Section 2.2 of the Baseline Requirements), it is not acceptable to simply state that you've documented it as such.

There is only one reason permissible to include an Other Name - and that is by invoking the terms in Section 9.16.3. I cannot find a detailed reference to the Law requiring such non-conformance in your CPS (https://www.procert.net.ve/documentos/AC-D-0003.pdf ), nor can I find record of such a message to questions@cabforum.org

> Based on the evidence provided and the indicated standard, the issuance of
> the certificate was executed under standard and does not generate problems

Based on the explicit references provided, the issuance of this certificate does not comply with the indicated technical standards nor the industry requirements. As such, it was misissued and non-compliant with the requirements for participation in the Mozilla Root Program.
There are three other unrevoked certificates that were identified and reported as misissued:


https://crt.sh/?id=99500277&opt=cablint

In addition to the disallowed Other Names, this certificate has an ipAddress SAN containing a Reserved IP Address. This is prohibited by Baseline Requirements section 7.1.4.2.1.


https://crt.sh/?id=175466182&opt=cablint

In addition to the disallowed Other Names, this certificate contains dnsName SANs with Internal Names. This is prohibited by Baseline Requirements section 7.1.4.2.1.


https://crt.sh/?id=151828400&opt=cablint

In addition to the disallowed otherNames, this certificate has a subject commonName that is not present as a dnsName SAN. This is prohibited by Baseline Requirements section 7.1.4.2.2(a).
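The name-field checks that Ryan and Jonathan apply above (the LDH rule for dNSName, wildcard position, Internal Names, Reserved IP Addresses, otherName entries in the SAN, and commonName present in the SAN) can be written down as a small linter. The following is an added example, not code from this bug, from PROCERT or from cablint. The certificate is modelled as a plain dict constructed inline rather than parsed from DER, the PUBLIC_TLDS set is an assumed stand-in for the public suffix list, and the commonName of the sample certificate is an assumption (the bug only shows its SAN).

```python
"""Lint a certificate's name fields against the checks raised in this bug:
RFC 5280 4.2.1.6 dNSName syntax (the LDH rule, which excludes ':' and '/'),
wildcard position, Internal Names, Reserved IP Addresses and otherName
entries (BR 7.1.4.2.1), and commonName-in-SAN (BR 7.1.4.2.2(a)).

Added example, not code from the bug, from PROCERT or from cablint. The
certificate is modelled as a plain dict (constructed inline) instead of
being parsed from DER, so the script runs offline with the stdlib only."""
import ipaddress
import re

# RFC 1034 3.5 / RFC 1123 2.1 "preferred name syntax": a label is letters,
# digits and hyphens, 1-63 octets, not beginning or ending with a hyphen.
LDH_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# ASSUMPTION: a tiny stand-in for the public suffix list. A real linter must
# consult the full list; here a name whose last label is not in this set
# (or that has a single label) is treated as an Internal Name.
PUBLIC_TLDS = {"com", "net", "org", "ve"}


def check_dns_name(name):
    """Return findings for one dNSName SAN entry; an empty list means it passed."""
    findings = []
    labels = name.rstrip(".").split(".")
    for i, label in enumerate(labels):
        if label == "*":
            if i != 0:
                findings.append(f"{name}: wildcard is not the leftmost label")
            continue
        if not LDH_LABEL.match(label):
            findings.append(
                f"{name}: label {label!r} violates the LDH rule (RFC 5280 4.2.1.6)")
    if len(labels) < 2 or labels[-1].lower() not in PUBLIC_TLDS:
        findings.append(f"{name}: Internal Name, not under a public TLD (BR 7.1.4.2.1)")
    return findings


def check_ip_address(addr):
    """Return findings for one iPAddress SAN entry (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    if (ip.is_private or ip.is_reserved or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified):
        return [f"{addr}: Reserved IP Address (BR 7.1.4.2.1)"]
    return []


def lint_certificate(cert):
    """Lint the commonName and every SAN entry of a certificate modelled as
    {"common_name": str | None, "san": [(type, value), ...]}."""
    findings = []
    san_values = set()
    for kind, value in cert["san"]:
        if kind == "dNSName":
            findings += check_dns_name(value)
            san_values.add(value.lower())
        elif kind == "iPAddress":
            findings += check_ip_address(value)
            san_values.add(value)
        else:
            # BR 7.1.4.2.1: each SAN entry MUST be a dNSName or an iPAddress.
            findings.append(
                f"{kind} {value}: only dNSName and iPAddress are permitted in the SAN (BR 7.1.4.2.1)")
    cn = cert.get("common_name")
    if cn is not None and cn.lower() not in san_values:
        findings.append(f"commonName {cn!r} is not present as a SAN entry (BR 7.1.4.2.2(a))")
    return findings


# Constructed from the SAN listed in comment #1 above; the commonName is an
# assumption, the bug does not show this certificate's subject.
MISISSUED = {
    "common_name": "ripac.insopesca.gob.ve",
    "san": [
        ("dNSName", "http://ripac.insopesca.gob.ve"),
        ("otherName", "2.16.862.2.2"),
        ("iPAddress", "190.9.130.7"),
        ("otherName", "1.3.6.1.2.1.32"),
    ],
}

# Constructed compliant counterpart: FQDN plus a leftmost-label wildcard, CN in SAN.
COMPLIANT = {
    "common_name": "ripac.insopesca.gob.ve",
    "san": [("dNSName", "ripac.insopesca.gob.ve"), ("dNSName", "*.insopesca.gob.ve"),
            ("iPAddress", "190.9.130.7")],
}

if __name__ == "__main__":
    for label, cert in (("misissued", MISISSUED), ("compliant", COMPLIANT)):
        print(label, lint_certificate(cert) or "no findings")
```

Run against the SAN from comment #1 the linter reports four findings: the URI in dNSName fails the LDH rule, each otherName is rejected, and the commonName is consequently absent from the SAN; the public IP address passes. The same checks run pre-issuance, on the to-be-signed certificate, are what catch these before a certificate is ever logged.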
As reported on m.d.s.p., PROCERT is issuing certs with evidently non-random serial numbers:

https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg07807.html

Here's a list of certs on misissued.com: https://misissued.com/batch/12/
PROCERT's OCSP responder seems to return an OCSP status of "Good" for unissued certificates, in violation of BR section 4.9.10.  This OCSP response is for the serial number badca000badca000badca000badca000badca000badca000badca000badca000badca000badca000badca000badca000badca000badca000badca000 which is unlikely to correspond to an issued certificate.

As a side note, the OCSP response is signed with SHA-1, and since it reflects an attacker-controlled serial number, is vulnerable to a chosen prefix attack.  This is not against policy but is certainly bad practice.
Can you please confirm that you received these four problem reports via email? If you didn't, please investigate and provide an explanation for why you didn't and what you're doing to fix it.

  From: Jonathan Rudenberg <jonathan@titanous.com>
  Subject: Misissuance - invalid characters in certificate SAN dnsNames
  Message-Id: <023889B5-9EA9-414E-8A9B-753A3452D1A3@titanous.com>
  Date: Mon, 7 Aug 2017 21:07:38 -0400
  To: contacto@procert.net.ve

  From: Jonathan Rudenberg <jonathan@titanous.com>
  Subject: Misissuance - Common Name not in SAN
  Message-Id: <3AAF71AB-8C11-43E0-8361-DEF14D5AB63C@titanous.com>
  Date: Mon, 7 Aug 2017 21:22:49 -0400
  To: contacto@procert.net.ve

  From: Jonathan Rudenberg <jonathan@titanous.com>
  Subject: Misissuance - reserved IP addresses
  Message-Id: <6F5A2E0C-293F-47A1-8E5A-270D9BE19502@titanous.com>
  Date: Sat, 12 Aug 2017 21:55:59 -0400
  To: contacto@procert.net.ve

  From: Jonathan Rudenberg <jonathan@titanous.com>
  Subject: Misissuance - invalid dnsNames 
  Message-Id: <9625EA61-CC2D-411A-A124-BF86A0D930A0@titanous.com>
  Date: Sun, 13 Aug 2017 00:43:29 -0400
  To: contacto@procert.net.ve
Kathleen: I am concerned about the lack of replies to comment #3, but even more concerned about the critical issues highlighted in Comment #4, Comment #5, and Comment #6. Holistically, this shows a lack of awareness or adherence to RFC5280 and the Baseline Requirements, particularly around well-publicized mitigations (for example, lessons learned from the active compromise of past CAs), and thus, this CA may be egregiously out of compliance with Mozilla policy.

PROCERT: Can you please indicate when you expect an updated reply, and if it is not within the next 48 hours, why the delay? Please note that the continued participation in the Mozilla Root Store will, in part, be judged based on how comprehensively you can report on the issues highlighted, the underlying causes, and the steps being taken to remedy. Absent a significantly compelling response, my advice would be that the community consider removing this root from distribution and/or moving to block it.
Test OCSP
certificate good

C:\OpenSSL-Win32\bin>openssl.exe ocsp -issuer PSCProcert.pem -cert prueba.pem -url http://ura.procert.net.ve/ocsp -text -noverify -no_nonce
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: E6577AE996DAD0109B34FFCF7EC433EA16C891EA
          Issuer Key Hash: 410F1938AA997F420BA4D7279854A2174C2D5154
          Serial Number: 1F9E3DD8000000000CD7
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 4C9E193241D33969F0AAC858944ED38296B1718C
    Produced At: Aug 23 13:14:04 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: E6577AE996DAD0109B34FFCF7EC433EA16C891EA
      Issuer Key Hash: 410F1938AA997F420BA4D7279854A2174C2D5154
      Serial Number: 1F9E3DD8000000000CD7
    Cert Status: good
    This Update: Aug 22 15:36:32 2017 GMT
    Next Update: Aug 23 15:36:32 2017 GMT
        Response Single Extensions:
            1.3.6.1.4.1.311.21.4:
170823153632Z   .

    Signature Algorithm: sha1WithRSAEncryption
        15:dd:a7:f0:e3:1e:8d:c6:31:7c:7e:f2:ce:4b:11:37:60:2d:
        50:23:32:20:5f:b5:b0:a8:48:47:d6:4f:da:19:a8:cb:0e:f1:
        2f:76:d5:00:e5:c5:06:c2:bb:d4:c2:d6:6c:2f:a2:e5:d8:52:
        53:3b:4b:e7:40:9b:5b:63:97:2e:62:61:6f:53:cb:ab:ad:0f:
        58:28:5a:f4:79:10:bd:33:9b:a7:e5:19:cb:1e:8d:49:53:34:
        eb:ca:59:37:90:e7:c0:0a:cf:36:d7:fd:e5:24:ec:2a:f0:6f:
        57:e5:9f:15:bd:38:87:76:a8:0a:32:94:cd:3b:5d:00:75:a3:
        b6:1a
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            75:0b:a7:bd:00:00:00:00:09:8d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: emailAddress=contacto@procert.net.ve, L=Chacao, ST=Miranda, OU=Proveedor de Certificados PROCERT, O=Sistema Nacional de Certificacion Electronica, C=VE, CN=PSCProcert
        Validity
            Not Before: Dec 12 20:12:58 2016 GMT
            Not After : Dec 12 20:12:58 2017 GMT
        Subject: C=VE, O=PROCERT, CN=ura.procert.net.ve
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:9d:1c:28:86:f1:fd:a6:0a:60:56:91:e0:6f:01:
                    36:76:93:90:aa:d2:34:38:72:4c:4a:bd:86:d4:0d:
                    ce:46:34:d9:2e:21:0c:b4:93:fc:5b:ce:04:60:b5:
                    a1:63:46:22:30:43:37:03:ee:93:19:69:2e:08:d2:
                    9e:13:87:29:54:4e:fe:dd:ad:dc:c6:8e:1b:ac:a8:
                    df:6f:e6:e9:6d:88:d6:7b:a4:8e:1a:af:82:e4:f5:
                    b4:30:29:da:99:c4:6f:a0:e4:ce:39:28:24:ae:dd:
                    8b:44:3d:73:3a:85:09:85:22:8d:95:e2:bc:ef:8d:
                    a0:a9:3f:27:43:a5:be:b9:8b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                OCSP Signing
            OCSP No Check:

            X509v3 Subject Key Identifier:
                4C:9E:19:32:41:D3:39:69:F0:AA:C8:58:94:4E:D3:82:96:B1:71:8C
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Authority Key Identifier:
                keyid:41:0F:19:38:AA:99:7F:42:0B:A4:D7:27:98:54:A2:17:4C:2D:51:54
                DirName:/CN=Autoridad de Certificacion Raiz del Estado Venezolano/C=VE/L=Caracas/ST=Distrito Capital/O=Sistema Nacional de Certificacion Electronica/OU=Superintendencia de Servicios de Certificacion Electronica/emailAddress=acraiz@suscerte.gob.ve
                serial:0B

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Certificate Policies:
                Policy: 2.16.862.11.2.1
                  CPS: http://www.procert.net.ve/dpc-pc

            X509v3 Issuer Alternative Name:
                DNS:procert.net.ve, othername:<unsupported>, othername:<unsupported>
    Signature Algorithm: sha256WithRSAEncryption
        38:05:28:31:f3:38:08:2e:b0:34:67:93:d3:85:e5:8d:46:a1:
        ba:e6:1d:5c:77:39:24:8e:52:0b:dd:c7:36:15:0b:04:08:b9:
        55:6d:e0:0a:55:02:39:0e:5b:24:3e:72:49:8b:d5:bb:59:28:
        58:a9:1d:fa:33:25:2f:92:08:f6:13:82:e4:25:f7:11:5a:0a:
        44:08:08:af:0a:6e:39:de:d8:82:de:2b:1f:34:b3:ee:0c:af:
        39:ff:47:8b:98:27:35:57:c3:7f:13:03:ef:7c:87:46:44:73:
        57:80:9e:f3:1d:5d:68:fd:93:70:ee:30:87:73:f6:54:24:c6:
        65:02:d5:da:2e:b6:d6:ae:1a:66:ce:c2:9e:fc:88:2e:88:6e:
        a7:58:71:55:89:1b:b1:f5:7a:73:31:d4:f2:ea:ef:35:e5:fe:
        d6:51:20:63:6c:42:90:16:f4:1c:2b:3f:ce:14:0c:f8:0d:c4:
        df:b0:38:95:0f:0a:d5:d2:05:41:03:e6:44:f6:3e:51:7c:c9:
        2c:3c:ef:aa:99:ba:d2:39:e0:48:b2:7c:12:d5:b1:44:6e:e6:
        99:90:2e:c0:bc:ac:b3:3d:73:25:bb:56:9b:84:c4:b9:75:7e:
        90:3d:fd:9a:b0:39:cb:7e:f0:f6:c1:59:c0:c6:7f:e2:4b:a6:
        59:da:46:bc:d7:98:5c:ff:ac:5f:b8:53:3b:a6:16:06:a6:8f:
        62:04:00:31:4b:04:1a:10:24:99:e8:3c:44:73:88:b5:1a:69:
        3d:59:a9:bb:86:45:33:cf:52:af:52:f5:5e:08:d6:b2:d9:14:
        e0:7f:05:5b:10:76:72:6e:05:4d:28:c9:0d:71:55:e8:80:f6:
        e8:a2:8d:88:63:d0:90:4c:e6:0f:e9:3f:7b:6c:14:2b:61:f2:
        49:2b:45:d9:12:3b:dd:bd:1b:01:95:0b:02:a6:84:db:c3:a5:
        40:20:f1:c4:3b:24:6b:b1:e5:25:76:a9:e7:04:4c:75:3f:a7:
        f8:58:8c:bd:aa:f7:5d:f4:8b:5d:31:0c:5e:51:9a:2c:78:67:
        d2:98:4e:7a:e5:85:e3:06:d8:5c:14:94:18:2f:75:4c:ab:80:
        04:a5:8d:14:3a:7a:d6:bb:10:a3:bf:75:82:e4:17:13:51:3c:
        d3:1c:6a:01:c5:13:1a:8d:ce:cc:0d:35:29:7c:2d:6d:6e:6d:
        af:8b:4d:97:ef:75:3f:a4:12:2c:e4:34:d8:c2:cf:39:0f:4e:
        9c:19:65:2e:5b:ac:d6:51:9f:30:32:9a:c7:ef:13:76:c2:4d:
        ee:7c:7a:52:c9:b3:a5:c2:90:52:44:af:97:0b:62:87:34:48:
        ca:aa:14:c5:8c:41:17:c8
-----BEGIN CERTIFICATE-----
...snip...
-----END CERTIFICATE-----
prueba.pem: good
        This Update: Aug 22 15:36:32 2017 GMT
        Next Update: Aug 23 15:36:32 2017 GMT
-------------------------------------------------------------------------------------------------------
certificate revoked


C:\OpenSSL-Win32\bin>openssl.exe ocsp -issuer PSCProcert.pem -cert prueba.pem -url http://ura.procert.net.ve/ocsp -text -noverify -no_nonce
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: E6577AE996DAD0109B34FFCF7EC433EA16C891EA
          Issuer Key Hash: 410F1938AA997F420BA4D7279854A2174C2D5154
          Serial Number: 1F9E3DD8000000000CD7
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 4C9E193241D33969F0AAC858944ED38296B1718C
    Produced At: Aug 23 16:07:41 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: E6577AE996DAD0109B34FFCF7EC433EA16C891EA
      Issuer Key Hash: 410F1938AA997F420BA4D7279854A2174C2D5154
      Serial Number: 1F9E3DD8000000000CD7
    Cert Status: revoked
    Revocation Time: Aug 23 13:26:27 2017 GMT
    Revocation Reason: superseded (0x4)
    This Update: Aug 23 15:36:34 2017 GMT
    Next Update: Aug 24 15:36:34 2017 GMT
        Response Single Extensions:
            1.3.6.1.4.1.311.21.4:
170824153634Z   .

    Signature Algorithm: sha1WithRSAEncryption
        16:8a:dc:76:0e:3c:05:b5:2e:3a:cb:c9:f0:22:02:08:0e:0e:
        76:49:fa:5f:1b:f0:7b:77:94:0f:3a:df:5a:e5:97:60:f3:b6:
        50:12:95:c8:48:26:80:e8:1d:5a:c9:f1:19:0c:4c:07:73:3f:
        ce:4e:ec:30:e6:d9:1d:8e:5b:26:68:a5:ce:c9:d7:4d:2b:f8:
        27:3b:8c:66:80:93:76:63:b9:8b:04:43:27:87:03:67:b1:05:
        31:25:62:7b:c0:8d:8f:3f:eb:19:e8:9e:09:51:40:0b:71:ad:
        9e:45:4d:99:48:d1:dc:fc:2b:d1:f4:e0:d5:86:df:2e:4c:35:
        4c:3d
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            75:0b:a7:bd:00:00:00:00:09:8d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: emailAddress=contacto@procert.net.ve, L=Chacao, ST=Miranda, OU=Proveedor de Certificados PROCERT, O=Sistema Nacional de Certificacion Electronica, C=VE, CN=PSCProcert
        Validity
            Not Before: Dec 12 20:12:58 2016 GMT
            Not After : Dec 12 20:12:58 2017 GMT
        Subject: C=VE, O=PROCERT, CN=ura.procert.net.ve
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:9d:1c:28:86:f1:fd:a6:0a:60:56:91:e0:6f:01:
                    36:76:93:90:aa:d2:34:38:72:4c:4a:bd:86:d4:0d:
                    ce:46:34:d9:2e:21:0c:b4:93:fc:5b:ce:04:60:b5:
                    a1:63:46:22:30:43:37:03:ee:93:19:69:2e:08:d2:
                    9e:13:87:29:54:4e:fe:dd:ad:dc:c6:8e:1b:ac:a8:
                    df:6f:e6:e9:6d:88:d6:7b:a4:8e:1a:af:82:e4:f5:
                    b4:30:29:da:99:c4:6f:a0:e4:ce:39:28:24:ae:dd:
                    8b:44:3d:73:3a:85:09:85:22:8d:95:e2:bc:ef:8d:
                    a0:a9:3f:27:43:a5:be:b9:8b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                OCSP Signing
            OCSP No Check:

            X509v3 Subject Key Identifier:
                4C:9E:19:32:41:D3:39:69:F0:AA:C8:58:94:4E:D3:82:96:B1:71:8C
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Authority Key Identifier:
                keyid:41:0F:19:38:AA:99:7F:42:0B:A4:D7:27:98:54:A2:17:4C:2D:51:54
                DirName:/CN=Autoridad de Certificacion Raiz del Estado Venezolano/C=VE/L=Caracas/ST=Distrito Capital/O=Sistema Nacional de Certificacion Electronica/OU=Superintendencia de Servicios de Certificacion Electronica/emailAddress=acraiz@suscerte.gob.ve
                serial:0B

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Certificate Policies:
                Policy: 2.16.862.11.2.1
                  CPS: http://www.procert.net.ve/dpc-pc

            X509v3 Issuer Alternative Name:
                DNS:procert.net.ve, othername:<unsupported>, othername:<unsupported>
    Signature Algorithm: sha256WithRSAEncryption
        38:05:28:31:f3:38:08:2e:b0:34:67:93:d3:85:e5:8d:46:a1:
        ba:e6:1d:5c:77:39:24:8e:52:0b:dd:c7:36:15:0b:04:08:b9:
        55:6d:e0:0a:55:02:39:0e:5b:24:3e:72:49:8b:d5:bb:59:28:
        58:a9:1d:fa:33:25:2f:92:08:f6:13:82:e4:25:f7:11:5a:0a:
        44:08:08:af:0a:6e:39:de:d8:82:de:2b:1f:34:b3:ee:0c:af:
        39:ff:47:8b:98:27:35:57:c3:7f:13:03:ef:7c:87:46:44:73:
        57:80:9e:f3:1d:5d:68:fd:93:70:ee:30:87:73:f6:54:24:c6:
        65:02:d5:da:2e:b6:d6:ae:1a:66:ce:c2:9e:fc:88:2e:88:6e:
        a7:58:71:55:89:1b:b1:f5:7a:73:31:d4:f2:ea:ef:35:e5:fe:
        d6:51:20:63:6c:42:90:16:f4:1c:2b:3f:ce:14:0c:f8:0d:c4:
        df:b0:38:95:0f:0a:d5:d2:05:41:03:e6:44:f6:3e:51:7c:c9:
        2c:3c:ef:aa:99:ba:d2:39:e0:48:b2:7c:12:d5:b1:44:6e:e6:
        99:90:2e:c0:bc:ac:b3:3d:73:25:bb:56:9b:84:c4:b9:75:7e:
        90:3d:fd:9a:b0:39:cb:7e:f0:f6:c1:59:c0:c6:7f:e2:4b:a6:
        59:da:46:bc:d7:98:5c:ff:ac:5f:b8:53:3b:a6:16:06:a6:8f:
        62:04:00:31:4b:04:1a:10:24:99:e8:3c:44:73:88:b5:1a:69:
        3d:59:a9:bb:86:45:33:cf:52:af:52:f5:5e:08:d6:b2:d9:14:
        e0:7f:05:5b:10:76:72:6e:05:4d:28:c9:0d:71:55:e8:80:f6:
        e8:a2:8d:88:63:d0:90:4c:e6:0f:e9:3f:7b:6c:14:2b:61:f2:
        49:2b:45:d9:12:3b:dd:bd:1b:01:95:0b:02:a6:84:db:c3:a5:
        40:20:f1:c4:3b:24:6b:b1:e5:25:76:a9:e7:04:4c:75:3f:a7:
        f8:58:8c:bd:aa:f7:5d:f4:8b:5d:31:0c:5e:51:9a:2c:78:67:
        d2:98:4e:7a:e5:85:e3:06:d8:5c:14:94:18:2f:75:4c:ab:80:
        04:a5:8d:14:3a:7a:d6:bb:10:a3:bf:75:82:e4:17:13:51:3c:
        d3:1c:6a:01:c5:13:1a:8d:ce:cc:0d:35:29:7c:2d:6d:6e:6d:
        af:8b:4d:97:ef:75:3f:a4:12:2c:e4:34:d8:c2:cf:39:0f:4e:
        9c:19:65:2e:5b:ac:d6:51:9f:30:32:9a:c7:ef:13:76:c2:4d:
        ee:7c:7a:52:c9:b3:a5:c2:90:52:44:af:97:0b:62:87:34:48:
        ca:aa:14:c5:8c:41:17:c8
-----BEGIN CERTIFICATE-----
...snip...
-----END CERTIFICATE-----
prueba.pem: revoked
        This Update: Aug 23 15:36:34 2017 GMT
        Next Update: Aug 24 15:36:34 2017 GMT
Operador: the issue raised is that your OCSP responder returns "good" for non-existent certificates, not for revoked certificates. (That would be an even bigger problem!) Can you address that concern?

Gerv
I recommend that you please supply the command or method that was used for testing, to allow a better response.
Thanks
comment #1 Action Taken = Certificate revoked
comment #6 Action Taken =  The test was performed with a certificate not issued by the CA Procert
Test responder ocsp

Certificate not issued by CA PROCERT

C:\OpenSSL-Win32\bin>openssl.exe ocsp -issuer PSCProcert.pem -cert ssl.pem -url http://ura.procert.net.ve/ocsp -text -noverify -no_nonce
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: B1B439179016B797795011F160B9D4A23CDBEDEE
          Issuer Key Hash: 410F1938AA997F420BA4D7279854A2174C2D5154
          Serial Number: 0100212588B0FA59A777EF057B6627DF
Responder Error: unauthorized (6)

comment #4 Action Taken = Is being corrected

comment #5 Action Taken = Working on it

At the same time, steps are being taken to avoid these drawbacks
Operador,

The example certificate you provided to demonstrate OCSP responses has a 1024-bit RSA key, which is a violation of the BRs:
- https://crt.sh/?id=197068798&opt=cablint

Can you please provide the full post-mortem details that Kathleen described for this issue -- in particular I'd say that it's imperative that you scan your database of certificates to see if there are more instances of issuance of certificates with disallowed weak keys.
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #13)
> Operador,
> 
> The example certificate you provided to demonstrate OCSP responses has a
> 1024-bit RSA keys, which is a violation of the BRs:
> - https://crt.sh/?id=197068798&opt=cablint
> 
> Can you please provide the full post-mortem details that Kathleen described
> for this issue -- in particular I'd say that it's imperative that you scan
> your database of certificates to see if there are more instances of issuance
> of certificates with disallowed weak keys.

The certificate that is referenced is expired; it is from 2012. Company policy is to maintain it in the database as reference or historical data. PSC PROCERT has not issued certificates with 1024-bit keys since 2013.


Comment 3: We are communicating with the companies regarding the affected certificates, and will then issue the certificates again, modifying the details that were mentioned; within 48 hours those certificates will be revoked and reissued.
The certificate I linked is not expired, it expires in December of 2017.
Comment 14 edit PSC PROCERT does not issue certificates with 1024 key since 2010
The certificate "Google Internet Authority G2" was used to test the response of the OCSP, responding to comment #6; the certificate is not from the CA PSC Procert.

-----BEGIN CERTIFICATE-----
...snip...
-----END CERTIFICATE-----



PSC PROCERT does not issue certificates with 1024 keys since 2010
(In reply to Operador from comment #12)
> comment #1 Action Taken = Certificate revoked
> comment #6 Action Taken =  The test was performed with a certificate not
> issued by the CA Procert
> Test responder ocsp
> 
> Certificate not issued by CA PROCERT
> 
> C:\OpenSSL-Win32\bin>openssl.exe ocsp -issuer PSCProcert.pem -cert ssl.pem
> -url http://ura.procert.net.ve/ocsp -text -noverify -no_nonce
> OCSP Request Data:
>     Version: 1 (0x0)
>     Requestor List:
>         Certificate ID:
>           Hash Algorithm: sha1
>           Issuer Name Hash: B1B439179016B797795011F160B9D4A23CDBEDEE
>           Issuer Key Hash: 410F1938AA997F420BA4D7279854A2174C2D5154
>           Serial Number: 0100212588B0FA59A777EF057B6627DF
> Responder Error: unauthorized (6)
> 
> comment #4 Action Taken = Is being corrected
> 
> comment #5 Action Taken = Working on it
> 
> At the same time, steps are being taken to avoid these drawbacks

This does not address the issue in comment 6. Observe:

openssl ocsp -issuer PSCProcert.pem -serial 1234567890123456789012345678901234567890 -url http://ura.procert.net.ve/ocsp -text -noverify -no_nonce

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: E6577AE996DAD0109B34FFCF7EC433EA16C891EA
          Issuer Key Hash: 410F1938AA997F420BA4D7279854A2174C2D5154
          Serial Number: 03A0C92075C0DBF3B8ACBC5F96CE3F0AD2
OCSP Response Data:
...snip...
1234567890123456789012345678901234567890: good
	This Update: Aug 23 15:36:34 2017 GMT
	Next Update: Aug 24 15:36:34 2017 GMT

Any serial number provided that is not revoked is returning a good response. The Baseline Requirements explicitly forbid this behavior in section 4.9.10 (and it has been this way for over 4 years).

(In reply to alejandrovolcan from comment #16)
> Comment 14 edit PSC PROCERT does not issue certificates with 1024 key since
> 2010

This statement is directly contradicted by the certificate Alex has already linked (https://crt.sh/?id=197068798&opt=cablint).
PSC Procert has not issued a 1024-bit certificate since 2010 for end users.
We keep working properly and responding to each of the comments provided in the forum.

In-depth analysis of this situation is taking place simultaneously.

We are communicating with each of the customers of the affected certificates for the prompt revocation and acquisition of a new certificate, in a way that does not cause significant inconvenience to end users.
(In reply to Operador from comment #19)
> PSC Procert has not issued a 1024 certificate since 2010 for end users,

Have you issued a 1024-bit certificate for any party, including PSC Procert?

That is, in the totality of certificates issued since 2010, do any contain a subjectPublicKeyInfo which contains a key size less than 2048 bits?

If so, then please list them, consistent with
> 3) Complete list of certificates that your CA finds with each of the listed issues during the remediation process. The recommended way to handle this is to ensure each certificate is logged to CT and then attach a CSV file/spreadsheet of the fingerprints or crt.sh IDs, with one list per distinct problem.
Good afternoon

Comment 20

We have reviewed the comments. Actually, when the query is done using the serial parameter, the query returns a "good" response; we are reviewing this to prevent it from happening. But this type of query is not common, since the standard and instructions from other authorities indicate that the certificate must be given for validating, with the -cert parameter; an example of this can be seen in the following query examples:

****** Active Certificate ******

openssl ocsp -issuer procert.cer -cert activo.cer -url http://ura.procert.net.ve/ocsp -noverify -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: E6577AE996DAD0109B34FFCF7EC433EA16C891EA
          Issuer Key Hash: 410F1938AA997F420BA4D7279854A2174C2D5154
          Serial Number: 1ADB2884000000000888
    Request Extensions:
        OCSP Nonce: 
            0410B5210C291E6933A93488C06C1A503B63
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 4164657A16535457E7C33ABA3F779F3CD0BEEA27
    Produced At: Aug 24 22:30:59 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: E6577AE996DAD0109B34FFCF7EC433EA16C891EA
      Issuer Key Hash: 410F1938AA997F420BA4D7279854A2174C2D5154
      Serial Number: 1ADB2884000000000888
    Cert Status: good
    This Update: Aug 24 15:36:36 2017 GMT
    Next Update: Aug 25 15:36:36 2017 GMT
        Response Single Extensions:
            1.3.6.1.4.1.311.21.4: 
170825153636Z   .

    Response Extensions:
        OCSP Nonce: 
            0410B5210C291E6933A93488C06C1A503B63
    Signature Algorithm: sha1WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            14:76:cd:06:00:00:00:00:0c:e4
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: emailAddress=contacto@procert.net.ve, L=Chacao, ST=Miranda, OU=Proveedor de Certificados PROCERT, O=Sistema Nacional de Certificacion Electronica, C=VE, CN=PSCProcert
        Validity
            Not Before: Aug 24 11:46:15 2017 GMT
            Not After : Aug 24 11:46:15 2018 GMT
        Subject: C=VE, O=PROCERT, CN=ura.procert.net.ve
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                OCSP Signing
            OCSP No Check: 

            X509v3 Subject Key Identifier: 
                41:64:65:7A:16:53:54:57:E7:C3:3A:BA:3F:77:9F:3C:D0:BE:EA:27
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Authority Key Identifier: 
                keyid:41:0F:19:38:AA:99:7F:42:0B:A4:D7:27:98:54:A2:17:4C:2D:51:54
                DirName:/CN=Autoridad de Certificacion Raiz del Estado Venezolano/C=VE/L=Caracas/ST=Distrito Capital/O=Sistema Nacional de Certificacion Electronica/OU=Superintendencia de Servicios de Certificacion Electronica/emailAddress=acraiz@suscerte.gob.ve
                serial:0B

            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Certificate Policies: 
                Policy: 2.16.862.11.2.1
                  CPS: http://www.procert.net.ve/dpc-pc

            X509v3 Issuer Alternative Name: 
                DNS:procert.net.ve, othername:<unsupported>, othername:<unsupported>
    Signature Algorithm: sha256WithRSAEncryption
activo.cer: good
	This Update: Aug 24 15:36:36 2017 GMT
	Next Update: Aug 25 15:36:36 2017 GMT


****** Revoked Certificate ******

openssl ocsp -issuer procert.cer -cert alere.cer -url http://ura.procert.net.ve/ocsp -noverify -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: E6577AE996DAD0109B34FFCF7EC433EA16C891EA
          Issuer Key Hash: 410F1938AA997F420BA4D7279854A2174C2D5154
          Serial Number: 6910DED30000000008B2
    Request Extensions:
        OCSP Nonce: 
            04104FF970951C7AB2541A9487C846161514
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: E2600CD2D324A934D6DDEF3EE56E9E201E06A4C6
    Produced At: Aug 24 22:31:56 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: E6577AE996DAD0109B34FFCF7EC433EA16C891EA
      Issuer Key Hash: 410F1938AA997F420BA4D7279854A2174C2D5154
      Serial Number: 6910DED30000000008B2
    Cert Status: revoked
    Revocation Time: Oct 21 20:25:13 2016 GMT
    This Update: Aug 24 15:36:36 2017 GMT
    Next Update: Aug 25 15:36:36 2017 GMT
        Response Single Extensions:
            1.3.6.1.4.1.311.21.4: 
170825153636Z   .

    Response Extensions:
        OCSP Nonce: 
            04104FF970951C7AB2541A9487C846161514
    Signature Algorithm: sha1WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            14:78:da:fa:00:00:00:00:0c:e5
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: emailAddress=contacto@procert.net.ve, L=Chacao, ST=Miranda, OU=Proveedor de Certificados PROCERT, O=Sistema Nacional de Certificacion Electronica, C=VE, CN=PSCProcert
        Validity
            Not Before: Aug 24 11:48:29 2017 GMT
            Not After : Aug 24 11:48:29 2018 GMT
        Subject: C=VE, O=PROCERT, CN=ura.procert.net.ve
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                OCSP Signing
            OCSP No Check: 

            X509v3 Subject Key Identifier: 
                E2:60:0C:D2:D3:24:A9:34:D6:DD:EF:3E:E5:6E:9E:20:1E:06:A4:C6
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Authority Key Identifier: 
                keyid:41:0F:19:38:AA:99:7F:42:0B:A4:D7:27:98:54:A2:17:4C:2D:51:54
                DirName:/CN=Autoridad de Certificacion Raiz del Estado Venezolano/C=VE/L=Caracas/ST=Distrito Capital/O=Sistema Nacional de Certificacion Electronica/OU=Superintendencia de Servicios de Certificacion Electronica/emailAddress=acraiz@suscerte.gob.ve
                serial:0B

            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Certificate Policies: 
                Policy: 2.16.862.11.2.1
                  CPS: http://www.procert.net.ve/dpc-pc

            X509v3 Issuer Alternative Name: 
                DNS:procert.net.ve, othername:<unsupported>, othername:<unsupported>
    Signature Algorithm: sha256WithRSAEncryption
alere.cer: revoked
	This Update: Aug 24 15:36:36 2017 GMT
	Next Update: Aug 25 15:36:36 2017 GMT
	Revocation Time: Oct 21 20:25:13 2016 GMT

****** Certificate not issued by PSC PROCERT ******

openssl ocsp -issuer procert.cer -cert other.crt -url http://ura.procert.net.ve/ocsp -noverify -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 5FDE1FB98448CCFDD9C8895B6DD19FEDA6D3FB11
          Issuer Key Hash: 410F1938AA997F420BA4D7279854A2174C2D5154
          Serial Number: 10E8CA61CDB9BD16C9C6107B898F08E7
    Request Extensions:
        OCSP Nonce: 
            04102710801AE9A1AF49843533BE37A06B2A
Responder Error: unauthorized (6)


Comment 4

With the certificates that present problems, we are contacting the clients for the remission of these certificates; we hope that before Monday 28-08-17 this activity will be completed, solving the present bug.
(In reply to alejandrovolcan from comment #21)
> We have reviewed the comments, actually when the query is done using the
> serial parameter, and query returns a response "good", we are reviewing this
> to prevent it from happening, but this type of query is not common since the
> standard 

However, this type of query is precisely what happens if you suffer a security breach and an attacker issues some certificates that you don't know about. This is what happened in the DigiNotar case, and this is why the Baseline Requirements have prohibited returning "good" for unknown serial numbers for the past however-many years.

Gerv
Note there are still outstanding questions, such as in Comment #20.
Flags: needinfo?(mozilla.psc.procert)
A Procert representative suggested at the tail of comment #21 that rolling out replacement certificates should have been completed before August 28, which was yesterday. As of 19:29 UTC, two of the certificates mentioned in comment #4 remain unrevoked: https://crt.sh/?id=175466182&opt=cablint, with private DNS names, and https://crt.sh/?id=151828400&opt=cablint, with a non-SAN CN. The former certificate is in fact still being served from https://mail.fospuca.com/.

Procert has been aware of these misissuances for weeks and has been unable to take effective action. I am concerned about the technical and administrative capabilities of this CA.
comment 24

We are waiting for a window in our clients' services to issue the new certificate and revoke the previous certificate. We have already sent a reminder email to the clients.
Attached you can find the information of the annual audit of PSC PROCERT
comment 6
About the OCSP response, we have already asked the software vendor for an update or patch to resolve this issue; we will be back as soon as possible.
comment 5
About the serial number, we checked the observation and validated our system. Please check the certificate at the URL www.procert.net.ve and validate the serial number.
First of all, we declare that PROCERT is concerned to comply with all international regulations. We work continually to improve our procedures and systems. We applied corrections to the problems declared in the bug and created a new procedure inside PROCERT to prevent future issues on those topics. We checked, and please find the report:

SSL issue
There are some issues declared in the bug. We detected problems in the issuance of some certificates. PROCERT staff proceeded with the validation of this point, detected the problem and solved it.

Actions: We contacted the clients and agreed a revocation date, revoked all the certificates with problems and reissued the certificates in compliance with the standard, checked the correct application of the CA/Browser Forum requirements, implemented a regular training program (including operational and theory tests) for our staff in order to prevent and solve any issue, and finally proceeded with the dismissal of one operator.

Serial Number:
After a technical validation, we proceeded to check the status of our certificates' serial numbers. After CA configuration we validated, and now we can report that PROCERT certificate serial numbers have 19 octets and more than 64 bits.

OCSP issue - pending action:
We have a problem with the OCSP Service. We found the Microsoft resolution for this problem on Microsoft TechNet: https://support.microsoft.com/en-us/help/2960124/the-online-responder-service-does-not-return-a-deterministic-good-for

Microsoft
This problem occurs because the OCSP does not verify with a confirmed source that the certificate was actually issued by its corresponding Certificate Authority. Instead, if a certificate is not included in the CRL, the Online Responder service assumes that the certificate is valid and returns a value of GOOD.

Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Microsoft

Resolution
To resolve this issue in Windows 8.1 or Windows Server 2012 R2, install update 2967917. For more information, click the following article number to view the article in the Microsoft Knowledge Base: July 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 

PROCERT action:
When we applied the Microsoft tool, the system showed this message: “In the Value data box, type the path to the directory you created in step 3 of the directory structure procedure and that contains the issued serial numbers, and then click OK.”

We refresh or restart the service; then the OCSP registry is automatically deleted.

For testing we used different versions of Windows Server (2008, 2012 and 2016); all the versions present the same result.

Additionally, we asked for an answer on Microsoft TechNet: https://social.technet.microsoft.com/Forums/windowsserver/es-ES/981f6e48-dc25-4eeb-a1d6-0bc72b9b4fc9/ocsp-online-responder-service-assume-a-certificate-that-is-not-included-in-the-crl-as-a-valid-and?forum=winserversecurity

Now we remain in contact with Microsoft in order to obtain an adequate procedure or batch.

In parallel, we are working on our own OCSP software.
As evidence, please validate a view of a Serial Number from a PROCERT certificate
(In reply to Oscar Lovera from comment #29)
> To resolve this issue in Windows 8.1 or Windows Server 2012 R2, install
> update 2967917. For more information, click the following article number to
> view the article in the Microsoft Knowledge Base: July 2014 update rollup
> for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 

Why did your OCSP server not already have installed an "update rollup" patch which is dated July 2014? When was that server last updated?

Gerv
PSC Procert has a policy of periodic updating, following the weekly update scheme of Microsoft; for example, the last update, KB4022750, was installed on our server.
The situation raised by the OCSP, as indicated in comment 29, has been tested with recent server versions (2016) and the problem persists, which is why we escalated to Microsoft in order to solve this issue. That is the real issue here.
PSC PROCERT is always open to observations to improve our policies and procedures; up to this moment we have resolved all the observations based on the present bug and remain attentive.
We have an open ticket with Microsoft in order to solve the OCSP issue. The ticket is 117091516348421.
Attached file Information update
PSC PROCERT, in order to keep the information about the bug updated, attaches an update of each response that has been given previously on all points raised.
In the following link you can find the CPS in English language

https://www.procert.net.ve/documentos/CPS-PROCERT.pdf
Attached file Mozilla SSL.xlsx
Comment on attachment 8910943 [details]
Information update

Revocation proceeded as indicated in the attached file. Additional measures were taken to modify processes and included in the CPS and SSL PC pressures of the CA Browser Forum
The following text serves to extend the information previously given by PSC PROCERT.

We proceed to report on the compliances made by PROCERT. This action extends the information already sent to the forum.

PROCERT already has mechanisms to request the revocation of SSL certificates via telephone and email. From October 2, 2017, users can also request revocation through the website, through a registration system that will send a secure email with a password that the user must provide in turn to confirm the revocation of the SSL certificate and proceed in the CA. (Comment 4)

The mechanisms and means of validation of the OCSP have already been changed on the PROCERT web page; see https://www.procert.net.ve/eng/ca.html

In reference to the serial number, we can indicate, as in comment 30, that this point is solved, in order to comply with section 4.1.2.2 of RFC 5280:

   RFC 5280 “Given the uniqueness requirements above, serial numbers can be
   expected to contain long integers. Certificate users MUST be able to
   handle serial Number values up to 20 octets. Conforming CAs MUST NOT
   use serial Number values longer than 20 octets”

SSL Certificates. Revocation proceeded as indicated in the attached file. Additional measures were taken to modify processes and included in the CPS and SSL PC pressures of the CA Browser Forum

The rest of the observations were followed according to the standard and the applicable norms and always in consideration of the observations of Mozilla.

The annual audit was provided on the forum.
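Added example (not PSC PROCERT's or Mozilla's code): a checker for the RFC 5280 section 4.1.2.2 rules quoted above (positive, at most 20 DER octets) and the BR section 7.1 minimum of 64 bits of CSPRNG output. A single serial cannot prove randomness, so the entropy rule is reduced to a necessary bit-length condition plus a zero-octet-run heuristic that is this example's own assumption; the sample serials are the ones printed in the openssl output earlier in this bug.

```python
"""Added example: check X.509 serial numbers against RFC 5280 4.1.2.2 and BR 7.1."""
from dataclasses import dataclass, field
from typing import List

RFC5280_MAX_OCTETS = 20   # "Conforming CAs MUST NOT use serialNumber values longer than 20 octets"
BR_MIN_CSPRNG_BITS = 64   # BR 7.1: at least 64 bits of CSPRNG output
ZERO_RUN_THRESHOLD = 4    # heuristic only (assumption, not a BR rule): see check_serial()


@dataclass
class SerialCheck:
    """Result of check_serial(): the parsed value plus any findings."""
    value: int
    der_octets: int
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_serial(text: str) -> int:
    """Parse the forms openssl prints: '14:76:cd:06:...' or '1ADB2884000000000888'."""
    digits = text.replace(":", "").replace(" ", "")
    return int(digits, 16)


def der_integer_length(value: int) -> int:
    """Content octets DER needs for a non-negative INTEGER.

    DER encodes INTEGER as two's complement, so a value whose top bit is set
    gets a leading 0x00 octet; that padding counts towards RFC 5280's limit.
    """
    if value < 0:
        raise ValueError("negative serials are reported by check_serial()")
    n = max(1, (value.bit_length() + 7) // 8)
    if value >> (8 * n - 1):      # most significant bit set -> sign pad needed
        n += 1
    return n


def longest_zero_run(raw: bytes) -> int:
    """Length of the longest run of 0x00 octets in `raw`."""
    best = cur = 0
    for b in raw:
        cur = cur + 1 if b == 0 else 0
        best = max(best, cur)
    return best


def check_serial(text: str) -> SerialCheck:
    """Apply the RFC 5280 and BR 7.1 rules to one serial number."""
    value = parse_serial(text)
    findings: List[str] = []
    if value <= 0:
        findings.append("RFC 5280 4.1.2.2: serialNumber MUST be a positive integer")
        return SerialCheck(value, 1, findings)
    der_octets = der_integer_length(value)
    if der_octets > RFC5280_MAX_OCTETS:
        findings.append(f"RFC 5280 4.1.2.2: DER INTEGER is {der_octets} octets, "
                        f"limit is {RFC5280_MAX_OCTETS}")
    if value.bit_length() < BR_MIN_CSPRNG_BITS:
        findings.append(f"BR 7.1: only {value.bit_length()} bits present, cannot hold "
                        f"{BR_MIN_CSPRNG_BITS} bits of CSPRNG output")
    # Heuristic (an assumption of this example, not a BR test): 64 random bits
    # essentially never contain a run of four or more zero octets, so such a run
    # points to a counter-style, structured serial rather than CSPRNG output.
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    run = longest_zero_run(raw)
    if run >= ZERO_RUN_THRESHOLD:
        findings.append(f"heuristic: run of {run} zero octets suggests a structured, "
                        "non-random serial")
    return SerialCheck(value, der_octets, findings)


if __name__ == "__main__":
    # Serials as printed in the openssl ocsp -text output quoted in this bug.
    for sample in ("1ADB2884000000000888",
                   "14:76:cd:06:00:00:00:00:0c:e4",
                   "0100212588B0FA59A777EF057B6627DF"):
        result = check_serial(sample)
        print(sample, result.der_octets, "octets", "OK" if result.ok else result.findings)
```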
Comment on attachment 8912895 [details]
Mozilla SSL.xlsx

Revocation proceeded as indicated in the attached file. Additional measures were taken to modify processes and included in the CPS and SSL PC pressures of the CA Browser Forum
Dear Mozilla CA Root Team,
 
After reviewing Mr. Gervase's reply referring to the exclusion of PSC PROCERT from the Mozilla trust repository, and having seen the antecedents existing in multiple previous cases, it is evident that in all cases a mechanism of remediation was offered through the bug and the CAs were adequately informed about the open observations; in some cases the bugs were even closed with simple statements about how the case was remedied.
 
The technical aspects indicated in the bug and its answers are included below:
 
1. Serial Number does not meet the standard.
RFC 5280, in section 4.1.2.2 states the following:
 
“4.1.2.2. Serial Number
The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate).  CAs MUST force the serialNumber to be a non-negative integer.
Given the uniqueness requirements above, serial numbers can be expected to contain long integers. Certificate users MUST be able to handle serialNumber values up to 20 octets. Conforming CAs MUST NOT use serialNumber values longer than 20 octets.
Note: Non-conforming CAs may issue certificates with serial numbers that are negative or zero. Certificate users SHOULD be prepared to gracefully handle such certificates”
 
In addition, section 7.1 of the BR indicates the following:
 
“Effective September 30, 2016, CAs SHALL generate non‐sequential Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG.”
 
PSC PROCERT works with the Microsoft cryptography service, which has a CSPRNG inside the CryptoAPI library suite; this includes the CryptGenRandom function, which is a cryptographically secure pseudo-random number generator. This function was found by default in the generation of the short serial numbers; therefore we proceeded to modify the registry of the CA and activate the option of high serial numbers, which comes deactivated (0) by default, so that serials are generated under the parameters of the standard.
 
In the following link you can see an example of a certificate with the appropriate serial number
 
https://crt.sh/?id=204446748
 
After this action was taken, we proceeded to recognize the certificates with these problems and were notified to our clients that they should be revoked and reissued, the certificates denounced in the bug are revoked.
 
PSC PROCERT is not the only one to present this case; QuoVadis and SwissSign presented the same situation and the remediation was accepted.
 
https://bugzilla.mozilla.org/show_bug.cgi?id=1391063
 
https://bugzilla.mozilla.org/show_bug.cgi?id=1391066
 
 
Note that the answers offered by QuoVadis and SwissSign were simple and not detailed, whereas in those offered by PROCERT the response and follow-up on compliance were further expanded. We do not understand, then, why this applies for other cases and not for PROCERT.
 
2. Issues with SSL Certificates
   Issue D: URI in CN and dnsName SAN (December 2016)
   Issue G: Internal IP Address in SAN (March 2015 - March 2017)
   Issue I: CN Not Also In SAN (March 2016 - June 2017)
   Issue K: Internal DNS Names in Certificates (May - June 2017)
   Issue L: helloburgershack.com (June - July 2017)
 
2.1. Issue R: Incorrect Encoding of or Inappropriate Use of TeletexString (December 2015 - August 2017)
Taking into account what was stated in the bug, the BR was reviewed, and it indicates the following in section 7.1.4.2.2:
 
“j. Other Subject Attributes
All other optional attributes, when present within the subject field, MUST contain information that has been verified by the CA. Optional attributes MUST NOT contain metadata such as ‘.’, ‘‐‘, and ‘ ‘ (i.e. space) characters, and/or any other indication that the value is absent, incomplete, or not applicable.”
 
In addition, section 7.1.4.2.1 states the following:
 
“7.1.4.2.1. Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully‐Qualified Domain Name or an iPAddress containing the IP address of a server.
The CA MUST confirm that the Applicant controls the Fully‐Qualified Domain Name or IP address or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate.”
 
In order to remedy this situation, the affected customers were notified that the certificates had to be revoked and issued again, modifying the data with problems; then, after notification and a window of time for customers to take these changes into account at the level of their systems, the certificates were revoked and issued correctly.
 
To avoid these errors in the future, PSC PROCERT proceeded to modify the CPS and PC, adding a section to inform our customers that any request for an SSL certificate must comply with the standard of the CA/Browser Forum; also, within our system a filter was applied to avoid accepting the following parameters:
 
1. Characters "-", ",", ".", ":", "/", And " " (Issue D)
2. Private IP addresses (Issue G)
3. Domains ending in * .local (Issue K)
4. Character accentuation (eg or) (Issue R)
5. Validator that both the CN and the SAN are the same values (Issue I)
 
In addition to establishing internal review and validation mechanisms with the personnel that analyze the CSR and support our clients. A tool will also be incorporated to automate the analysis of CSRs. Such software is currently being tested in our quality environment to enter production.
 
2.2. Issue N: Other Names in Certificate SAN (2011 - August 2017)
Referring to Issue N, the BR was reviewed and it was found that section 7.1.4.2.2, item i, indicates the following:
“i. Other Subject Attributes
All other optional attributes, when present within the subject field, MUST contain information that has been verified by the CA.”
 
This indicates that another field can be included as long as it contains information verified by the CA. In this case PSC PROCERT verifies the RIF number, which is the tax identification number of each company in Venezuela and which by definition is a registry intended for the legal control of taxes, in which are registered natural or juridical persons, communities, and entities or groups without legal personality that by reason of their goods or activities are liable for or responsible for Income Tax, the tax withholding agents, and residents abroad without a permanent establishment or fixed base, provided that the cause of the enrichment is or occurs in Venezuela. In conclusion, it is a requirement of law in Venezuela, and a company that omits it is sanctioned. Even PSC PROCERT can be sanctioned by the government in case of failure to include such information in the certificates.
 
Each company that signs a contract with PSC PROCERT must present a copy of the RIF, which is then validated against the national tax office, which in the case of Venezuela is SENIAT. SUSCERTE, the governing regulatory entity in Venezuela, requires that this information be placed in the certificate structure in a field identified with an OID for this purpose, which is 2.16.862.2.
 
Therefore, it can be concluded that the standard is fulfilled and there is no default as such in Issue N.
 
There are similar cases with accepted remediation:
CertSign
https://bugzilla.mozilla.org/show_bug.cgi?id=1390979
 
GoDaddy
https://bugzilla.mozilla.org/show_bug.cgi?id=1391429
 
Entrust
https://bugzilla.mozilla.org/show_bug.cgi?id=1390996
 
The responses provided by PSC PROCERT are in line with those provided for similar cases by the CAs above.
 
3.       Issue T: Inappropriate Key Usage Value of "Key Agreement" (October 2016 - August 2017)
Certificates with this issue were revoked and customers were notified. In order to prevent this situation from being repeated, we reviewed the template with which the certificates were issued and removed Key Agreement from the key usages; in addition, the template was configured so that this option can NOT be used later.
 
4.       Issue V: Failure to Respond Quickly To Problem Reports (August 2017)
At this point, regarding the rapid response, we point out that at all times since we were notified we have demonstrated willingness to solve this problem. Certificates that did not generate impact were automatically revoked.
 
Please find attached our CPS and the evidence of SSL revocation.
 
Please consider this evidence in order to reopen the PSC PROCERT case.
Attached file CPS Edition N- 22.pdf
Attached file Mozilla SSL (2).xlsx
Please note that individual comparisons is not equivalent; the sum totality of issues - and how they have been handled, the timeliness of the response, and the thoroughness of the response - all factor in. Focusing on shared, individual issues demonstrates a failure to grasp the overall impact that the sum totality has upon trust, and how the process and incident response and management - from start to finish - is handled.


> https://bugzilla.mozilla.org/show_bug.cgi?id=1391063
>  
> https://bugzilla.mozilla.org/show_bug.cgi?id=1391066
>  
>  
> Note that the answers offered by QuoVadis and SwissSign were simple and not
> detailed, whereas in those offered by PROCERT the response and follow-up on
> compliance were further expanded. We do not understand then why this applies
> for other cases and not for PROCERT?

This is, of course, not true.

For example, consider Comment #5, dated 2017-08-16. Note that PROCERT did not meaningfully respond to this issue to acknowledge a change until Comment #29, on 2017-09-06. Compare https://bugzilla.mozilla.org/show_bug.cgi?id=1391063#c0 (2017-08-16) to https://bugzilla.mozilla.org/show_bug.cgi?id=1391063#c4 (2017-08-18) and the facts surrounding it.

The attempt to suggest these are equivalent responses demonstrates the underlying issue, which is a substantial lack of appreciation for the seriousness of the issues or the expectations upon CAs.

> To avoid these errors in the future, PSC PROCERT proceeded to modify the CPS
> and PC, adding a section to inform our customers that any request for SSL
> certificate must comply with the standard of the CA Browser Forum, also
> within our system a filter was applied to avoid accepting the following
> parameters

This was already required for 5 years (since the BRs), and for 3 years (since 2014) for Mozilla. I hope you can see why this is not particularly reassuring that you didn't already have such a control.

> In addition to establishing internal review and validation mechanisms with
> the personnel that analyze the CSR and support our clients. A tool will also
> be incorporated to automate the analysis of CSRs. Such software is currently
> being tested in our quality environment to enter production.

This fails to respond to the substance of the issue - of why PROCERT was in non-compliance so long, failed to detect such non-compliance, and failed to monitor and update its systems according to the Baseline Requirements.


> Therefore, it can be concluded that the standard is fulfilled and there is
> no default as such in Issue N.

This is, of course, false, considering the text you quoted in the very message. 

7.1.4.2.1. Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server.

An otherName is neither a dNSName nor an iPAddress. Therefore, this is violated.

This is an example of the concerns with PROCERT not understanding or appreciating the technical requirements, and overall undermines faith in PROCERT.


> 4.       Issue V: Failure to Respond Quickly To Problem Reports (August 2017)
> At this point and about the rapid response, we point out that at all times
> we have demonstrated since we were notified, willingness to solve this
> problem. Certificates that did not generate impact were automatically
> revoked.

The level of understanding and thoroughness is clearly not met through these responses.
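The filter PROCERT describes in its comment above (items 1 to 5) and the BR 7.1.4.2.1 rule spelled out in the reply (every SAN entry MUST be a dNSName or an iPAddress, so an otherName is never permitted) can be expressed as a single pre-issuance check. The following is an added example written for this page; it is not PROCERT's filter, Mozilla's code, or any existing linter. It models the SAN as a list of (GeneralName type, value) tuples instead of parsing DER so that it runs with the Python standard library alone, and the sample inputs are constructed to mirror the issue categories named in this bug.

```python
"""Pre-issuance lint for the SAN problems discussed in this bug (added example)."""
import ipaddress
import re
from typing import List, Tuple

# Assumption: a SAN is modelled as (general_name_type, value) tuples rather than a
# parsed X.509 extension, so no third-party ASN.1 library is needed.
SAN = List[Tuple[str, str]]

# RFC 1123 LDH label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
# Whitelisting legal labels is preferable to PROCERT's deny-list of characters,
# which would also reject "-" and ".", both of which are legal in an FQDN.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def lint_dns_name(name: str) -> List[str]:
    """Return findings for one dNSName entry (Issues D, K and R of this bug)."""
    errs = []
    if name != name.strip() or " " in name:
        errs.append(f"dNSName {name!r}: contains whitespace (Issue D)")
    if any(ord(c) > 127 for c in name):
        errs.append(f"dNSName {name!r}: non-ASCII; IDNs must be A-label encoded (Issue R)")
    labels = name.split(".")
    if labels and labels[0] == "*":          # wildcard only as the whole left-most label
        labels = labels[1:]
    if not labels or any(not _LABEL.match(label) for label in labels):
        errs.append(f"dNSName {name!r}: not a valid FQDN (Issue D)")
    if name.lower().rstrip(".").endswith(".local") or name.lower() == "local":
        errs.append(f"dNSName {name!r}: internal name, not resolvable in public DNS (Issue K)")
    return errs


def lint_ip_address(value: str) -> List[str]:
    """Return findings for one iPAddress entry (Issue G of this bug)."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return [f"iPAddress {value!r}: not a valid IP address"]
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved
            or ip.is_multicast or ip.is_unspecified):
        return [f"iPAddress {value!r}: private or reserved address (Issue G)"]
    return []


def lint_san(common_name: str, san: SAN) -> List[str]:
    """Check a SAN against BR 7.1.4.2.1 and the CN-in-SAN rule of 7.1.4.2.2(a)."""
    errs = []
    if not san:
        errs.append("subjectAltName: MUST contain at least one entry")
    for kind, value in san:
        if kind == "dNSName":
            errs.extend(lint_dns_name(value))
        elif kind == "iPAddress":
            errs.extend(lint_ip_address(value))
        else:
            # otherName, rfc822Name, URI, ... are neither dNSName nor iPAddress.
            errs.append(f"{kind} {value!r}: entry type not permitted in a TLS SAN (Issue N)")
    # 7.1.4.2.2(a): the CN, if present, must be one of the SAN values.
    san_values = {v.lower() for k, v in san if k in ("dNSName", "iPAddress")}
    if common_name and common_name.lower() not in san_values:
        errs.append(f"CN {common_name!r} is not one of the SAN entries (Issue I)")
    return errs


# Constructed inputs modelled on the issue categories in this bug; not real certificates.
GOOD = ("www.example.com",
        [("dNSName", "www.example.com"), ("dNSName", "example.com"), ("iPAddress", "8.8.8.8")])
BAD = ("mail.example.com", [
    ("dNSName", "www.example.com, OU=IT"),   # comma and space in a dNSName (Issue D)
    ("iPAddress", "192.168.1.10"),            # RFC 1918 address (Issue G)
    ("dNSName", "intranet.local"),            # .local internal name (Issue K)
    ("dNSName", "señal.example.com"),         # accented character (Issue R)
    ("otherName", "2.16.862.2"),              # RIF carried as otherName (Issue N)
])

if __name__ == "__main__":
    for label, (cn, san) in (("good", GOOD), ("bad", BAD)):
        findings = lint_san(cn, san)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

A check like this belongs in the issuance pipeline before the certificate is signed, not in a post-hoc review of CSRs, because the CSR is only an applicant request and the CA decides what ends up in the SAN; running it against already-issued certificates (for example by exporting SANs from crt.sh) is how a CA would produce the per-issue lists the bug asks for in item 3.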
Gerv: Is this a Resolved/WontFix or Resolved/Duplicate in light of https://bugzilla.mozilla.org/show_bug.cgi?id=1403549 and https://bugzilla.mozilla.org/show_bug.cgi?id=1405862
Flags: needinfo?(gerv)
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(gerv)
Resolution: --- → DUPLICATE
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [uncategorized]
