Closed Bug 1391064 Opened 2 years ago Closed 2 years ago

SECOM: Non-BR-Compliant Certificate Issuance

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kwilson, Assigned: h-kamo)

References

Details

(Whiteboard: [ca-compliance])

The following problems have been found in certificates issued by your CA, and reported in the mozilla.dev.security.policy forum. Direct links to those discussions are provided for your convenience.

To continue inclusion of your CA’s root certificates in Mozilla’s Root Store, you must respond in this bug to provide the following information:
1) How your CA first became aware of the problems listed below (e.g. via a Problem Report, via the discussion in mozilla.dev.security.policy, or via this Bugzilla Bug), and the date.
2) Prompt confirmation that your CA has stopped issuing TLS/SSL certificates with the problems listed below.
3) Complete list of certificates that your CA finds with each of the listed issues during the remediation process. The recommended way to handle this is to ensure each certificate is logged to CT and then attach a CSV file/spreadsheet of the fingerprints or crt.sh IDs, with one list per distinct problem.
4) Summary of the problematic certificates. For each problem listed below: number of certs, date first and last certs with that problem were issued.
5) Explanation about how and why the mistakes were made, and not caught and fixed earlier.
6) List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
7) Regular updates to confirm when those steps have been completed.

Note Section 4.9.1.1 of the CA/Browser Forum’s Baseline Requirements, which states:
“The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs: …
9. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement; 
10. The CA determines that any of the information appearing in the Certificate is inaccurate or misleading; …
14. Revocation is required by the CA’s Certificate Policy and/or Certification Practice Statement; or 
15. The technical content or format of the Certificate presents an unacceptable risk to Application Software Suppliers or Relying Parties (e.g. the CA/Browser Forum might determine that a deprecated cryptographic/signature algorithm or key size presents an unacceptable risk and that such Certificates should be revoked and replaced by CAs within a given period of time).

However, it is not our intent to introduce additional problems by forcing the immediate revocation of certificates that are not BR compliant when they do not pose an urgent security concern. Therefore, we request that your CA perform careful analysis of the situation. If there is justification to not revoke the problematic certificates, then explain those reasons and provide a timeline for when the bulks of the certificates will expire or be revoked/replaced. 

We expect that your forthcoming audit statements will indicate the findings of these problems. If your CA will not be revoking the certificates within 24 hours in accordance with the BRs, then that will also need to be listed as a finding in your CA’s BR audit statement.

We expect that your CA will work with your auditor (and supervisory body, as appropriate) and the Root Store(s) that your CA participates in to ensure your analysis of the risk and plan of remediation is acceptable. If your CA will not be revoking the problematic certificates as required by the BRs, then we recommend that you also contact the other root programs that your CA participates in to acknowledge this non-compliance and discuss what expectations their Root Programs have with respect to these certificates.


The problems reported for your CA in the mozilla.dev.security.policy forum are as follows:

** Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters)
https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ
Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case.
Dear Kathleen-san,

Thank you for the notice.
We are now contacting the customer and also going to undertake technical measure to avoid this kind of error in the future.
Greetings. It has been one week, and no answer to the above matters has been provided.

When can we expect an update from SECOM on each of the items listed, 1-7, in Comment #0?
We apologize for delay.
Let us update for items 1) to 7).

1)
We aware of the problem via the discussion in mozilla.dev.security.policy on August 16, and via this Bugzilla Bug on August 17.

2) 
We will confirm to stop the further issuance of certificates with this problem.

3)
27300E0A50486C9E
-----BEGIN CERTIFICATE-----
MIIE/TCCA+WgAwIBAgIIJzAOClBIbJ4wDQYJKoZIhvcNAQELBQAwbTELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxKjAoBgNVBAoTIU5hdGlvbmFsIEluc3Rp
dHV0ZSBvZiBJbmZvcm1hdGljczEgMB4GA1UEAxMXTklJIE9wZW4gRG9tYWluIENB
IC0gRzQwHhcNMTYwOTEzMDkwNzE4WhcNMTgxMDE0MDkwNzE4WjCBkDELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxQzBBBgNVBAoTOlVuaXZlcnNpdHkgb2Yg
T2NjdXBhdGlvbmFsIGFuZCBFbnZpcm9ubWVudGFsIEhlYWx0aCxKYXBhbi4xCjAI
BgNVBAsTAS0xHjAcBgNVBAMTFW1haWwubWVkLnVvZWgtdS5hYy5qcDCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBALI4lNHmUdIAgBOGFoIg4Zx0ZFanaZUL
f7E1czUMaKLh6fhmW5uuOtEu8kynX0ongoRPWOJA2eDPW66zTY8b/6EAreOFmarv
7Fq8eanjScInP+qzFphDxbhLZqhIOS/KhW6HufyTNkH+azXLFO/wVSs0pJDMWSt7
AMhUROkxia8DMX7qA1DKyxXIStl024iyVCHonf/c/vAx6zHB652P6PdG6SX6/rGl
iOzU7qFyuYf1PbBk0ec6nfT19IpzeQEzChbW36kPHTGabIZDJAPlBmoiu30JMOeW
MCDRJ8FBSO6gikP5lGzbwFPI9YVg2ejkCx3Z6utUUra/zLvyTbJ8eDMCAwEAAaOC
AXswggF3MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAW
gBQZC285HzEDNF/k0kAfN+aN52I5fDBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8v
cmVwbzEuc2Vjb210cnVzdC5uZXQvc3BwY2EvbmlpL29kY2EzL2Z1bGxjcmxnNC5j
cmwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBQKu5Ad+cIFQxqJgwLL9zXsOare
zDBaBgNVHSAEUzBRME8GDCsGAQQBgfwIAwIBATA/MD0GCCsGAQUFBwIBFjFodHRw
czovL3JlcG8xLnNlY29tdHJ1c3QubmV0L3NwY3BwL2Nwcy9pbmRleC5odG1sMDwG
CCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAYYgaHR0cDovL25paWc0Lm9jc3Auc2Vj
b210cnVzdC5uZXQwIAYDVR0RBBkwF4IVbWFpbC5tZWQudW9laC11LmFjLmpwMA0G
CSqGSIb3DQEBCwUAA4IBAQAzl6UQixzazheSwqiEdGsMer/Ud1huu+f62lhJGoSm
Dx0oDlWGTuD3kf/OsU46cnT35ttSA1jRKmgiuQ/mw+8o+8qE4yDgW+hm26O60HTw
cC8yeYwqJwipjoc7fCXiflY6qGcONnuicGVG7SmqsM+ZRXiLef0LYmtBxrVmjgiU
juHPVud4N3eKbFlhyjgaCoaSIOzdVk2O2S9CSuZFMYqfj+4E+/x3aQ7MvY6NZaS0
VGuopAkQ5J9zq8WZVXSX6U7KNlZPeZP70/mtH3Y/VcClmW6galqU9R1GRP5QLZQP
dtzwKJ69K+NfOxtKS6+z1XTWoJFRzip1Qcai2bAMdXAJ
-----END CERTIFICATE-----
373EFC2527849B71
-----BEGIN CERTIFICATE-----
MIIFEDCCA/igAwIBAgIINz78JSeEm3EwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxKjAoBgNVBAoTIU5hdGlvbmFsIEluc3Rp
dHV0ZSBvZiBJbmZvcm1hdGljczEgMB4GA1UEAxMXTklJIE9wZW4gRG9tYWluIENB
IC0gRzQwHhcNMTUwNjIyMDQ1NzA0WhcNMTcwNzIyMDQ1NzA0WjBgMQswCQYDVQQG
EwJKUDEQMA4GA1UEBxMHQWNhZGVtZTEYMBYGA1UEChMPU2FnYSBVbml2ZXJzaXR5
MQowCAYDVQQLEwEuMRkwFwYDVQQDExB3d3cuc2FnYS11LmFjLmpwMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1EtP0H7LJCKYMBkdA6n0QA0x6dxOu1ao
w+0+sSTq9mMyCocKohPrLUaKHCAyZQFKFntIDmmemtPtSjVYA1Pi7uycmJlj8EFy
nZCOVpT2zR9kdaynhRNa0wwASHdRDB8gflHOlJrERL6U8xeLOV9IEPYLRkG8JKHB
Vx4FiYRXd760zZmlXfdGdagDxBLqo6RL9Ukq9GbvRhWbKpQcC5w6IR/rhzVSwmDm
i/8DX5Y7AzThHeK3DYuFMfVyidHfajmVT2UYQRBgj/Hq3zCoCmJRLEngw9zaW+5a
J410dddMR9M2oKBUwOC7g2/bkMG9lEsb+4PfJ2yhZDQpWvC0BRbf1QIDAQABo4IB
vzCCAbswHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaA
FBkLbzkfMQM0X+TSQB835o3nYjl8MEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9y
ZXBvMS5zZWNvbXRydXN0Lm5ldC9zcHBjYS9uaWkvb2RjYTMvZnVsbGNybGc0LmNy
bDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0OBBYEFByQvPnblLRJzBiY2q9RVMkXOzE1
MFoGA1UdIARTMFEwTwYMKwYBBAGB/AgDAgEBMD8wPQYIKwYBBQUHAgEWMWh0dHBz
Oi8vcmVwbzEuc2Vjb210cnVzdC5uZXQvc3BjcHAvY3BzL2luZGV4Lmh0bWwwPAYI
KwYBBQUHAQEEMDAuMCwGCCsGAQUFBzABhiBodHRwOi8vbmlpZzQub2NzcC5zZWNv
bXRydXN0Lm5ldDBkBgNVHREEXTBbghB3d3cuc2FnYS11LmFjLmpwghR3d3cuc2Fv
LnNhZ2EtdS5hYy5qcIIZd3d3LnNjLmFkbWluLnNhZ2EtdS5hYy5qcIIWd3d3LnN1
aGNjLnNhZ2EtdS5hYy5qcDANBgkqhkiG9w0BAQsFAAOCAQEAIEzT43YvfGghwJGv
s38pH3kYKwEeA71KW0k3ER4tDUNOOkt4r/RhcURAqYTm0qouGYra8Aip+8equziV
BdxHy7Y22sj2M2wdj18yAvO00Ujg9Fh8CAdJdQOVpnUQ7KzqlNPSdu9xdLm5/6NS
iy09SO0pdTZm+x9649pzlYDD2EsomUHbSmvfzGSv0Tjj0OQEVvyCTGsu4n1AsOzM
70pHR5/Bv0YgIMiOYe9K8EBjBjSD9VQA4ogohE6nvv1q8NhMnAcAcVbI+lqtoUaU
D+sR1WWXpPF1VsIgvI1IJzqqgbI8e1TJBxrej62zcLXwBVaYiCQzfTB2gdv74X8a
7HRhRg==
-----END CERTIFICATE-----
4EB686367A460484
-----BEGIN CERTIFICATE-----
MIIFBTCCA+2gAwIBAgIITraGNnpGBIQwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxKjAoBgNVBAoTIU5hdGlvbmFsIEluc3Rp
dHV0ZSBvZiBJbmZvcm1hdGljczEgMB4GA1UEAxMXTklJIE9wZW4gRG9tYWluIENB
IC0gRzQwHhcNMTcwMjE0MDUzMjMwWhcNMTkwMzE3MDUzMjMwWjCBlDELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxQzBBBgNVBAoTOlVuaXZlcnNpdHkgb2Yg
T2NjdXBhdGlvbmFsIGFuZCBFbnZpcm9ubWVudGFsIEhlYWx0aCxKYXBhbi4xCjAI
BgNVBAsTAS0xIjAgBgNVBAMTGXMycHViYWRmLnB1Yi51b2VoLXUuYWMuanAwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcVIHpbCyQemPFbAz0hcPz5Ixw
QYOhV7a/Xe0O+ypq7LDWqECBRv5mh522ZiuTDCXcuTHtVI3gidKZA9ZExaCcmtbh
fQyGG/of/swhnFj69Djvmi6NGU8m34YT5KPWLs96sd25xdDXxzuAn6IwfsGEx8Tq
7Gk5k+jkU48/GA8350oL3w3z3SsGEEbLx6tZnxeCIOZ5Hp32HkjPkRNKA0/7cn1r
2RCDce1557bcDGzsebX+OaWnvcs3GAR946D+RX8hjj6gE2FIOMAEeePGx9Y40V30
G6NHrd6w6+5RIY1wmi8ABK2Fqki8Fhg32mOtgaOhajLPgLkfoiSZske/D0fTAgMB
AAGjggF/MIIBezAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0j
BBgwFoAUGQtvOR8xAzRf5NJAHzfmjediOXwwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0
cDovL3JlcG8xLnNlY29tdHJ1c3QubmV0L3NwcGNhL25paS9vZGNhMy9mdWxsY3Js
ZzQuY3JsMA4GA1UdDwEB/wQEAwIFoDAdBgNVHQ4EFgQUlr3OxS9eJkW1Ll3jgrAf
dPE/GxowWgYDVR0gBFMwUTBPBgwrBgEEAYH8CAMCAQEwPzA9BggrBgEFBQcCARYx
aHR0cHM6Ly9yZXBvMS5zZWNvbXRydXN0Lm5ldC9zcGNwcC9jcHMvaW5kZXguaHRt
bDA8BggrBgEFBQcBAQQwMC4wLAYIKwYBBQUHMAGGIGh0dHA6Ly9uaWlnNC5vY3Nw
LnNlY29tdHJ1c3QubmV0MCQGA1UdEQQdMBuCGXMycHViYWRmLnB1Yi51b2VoLXUu
YWMuanAwDQYJKoZIhvcNAQELBQADggEBAEhkpPcYpHFPk3wsW7Y7mzQUhMFCotRC
320qoYzsnvApUbRUJ2O2hGbWUcJdGOzuZqXHnDTrVfbDHSxLyex4gfAp8s4lSwJf
1Sz2JR3FSBIcYcOCX7pC5ngCYp487ggTZvm8N2y74B6Ef8fkmQb1kkWXjj4i3/1Q
qDRygT4kMf/EXPrgNpxqaCLQUY6kYYhbuTqnkCAyqFlrKx4BqZ8i43dI2f4mamok
69wSeIrVbVTOd+tVZCQze4bKEEUjFkZVNP1N6skP4UrT8ln6aM6WybSyQoN2Zpoa
JD8C5s2O/SU/E5UNcV7u3EV1IWzrkEol8mA822odCJiuc8/2SBe+5qE=
-----END CERTIFICATE-----
5FC1415746FF9634
-----BEGIN CERTIFICATE-----
MIIE2DCCA8CgAwIBAgIIX8FBV0b/ljQwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxKjAoBgNVBAoTIU5hdGlvbmFsIEluc3Rp
dHV0ZSBvZiBJbmZvcm1hdGljczEgMB4GA1UEAxMXTklJIE9wZW4gRG9tYWluIENB
IC0gRzQwHhcNMTYwMzI4MDIyNzI1WhcNMTgwNDI4MDIyNzI1WjBvMQswCQYDVQQG
EwJKUDEQMA4GA1UEBxMHQWNhZGVtZTElMCMGA1UEChMcS3lvdG8gUHJlZmVjdHVy
YWwgVW5pdmVyc2l0eTEKMAgGA1UECxMBLjEbMBkGA1UEAxMSZndsaWIxMDEua3B1
LmFjLmpwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuikyh0EOCUFM
5QLP1y7e4J5Tt5fEAbiO29gEekeFZCx72Pf2xEBU7HC9ToRTA55ETipI4gIfw1cC
dnhkAdE3xet8XvGhkM56KjtRlnYwEAMiYBRbVFjePuVxYWhjargAJOKAT62weiIJ
b3FWIw/jhsW/8UC0LfxlYFIPDOcQL8Cyt41+otht3Sl+oPCaOU4F0cKAqAcdMkx5
K0LdZuMRQHyCzaxmLwr9TAaMU08qOMhdaq34MLase IaQrWFF/WR8Sali3kGg6fFuG1A
bYkmPulFkhcb8C03gyBL2WohyyYMMf8JDfRPUQWhlfQQ2pRjy5+B5JwaBjDLM0c2
e57Z8jWEwwIDAQABo4IBeDCCAXQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMB8GA1UdIwQYMBaAFBkLbzkfMQM0X+TSQB835o3nYjl8MEoGA1UdHwRDMEEw
P6A9oDuGOWh0dHA6Ly9yZXBvMS5zZWNvbXRydXN0Lm5ldC9zcHBjYS9uaWkvb2Rj
YTMvZnVsbGNybGc0LmNybDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0OBBYEFL/3c9Qy
Zi3P/C8H5iHDPJUkHzyiMFoGA1UdIARTMFEwTwYMKwYBBAGB/AgDAgEBMD8wPQYI
KwYBBQUHAgEWMWh0dHBzOi8vcmVwbzEuc2Vjb210cnVzdC5uZXQvc3BjcHAvY3Bz
L2luZGV4Lmh0bWwwPAYIKwYBBQUHAQEEMDAuMCwGCCsGAQUFBzABhiBodHRwOi8v
bmlpZzQub2NzcC5zZWNvbXRydXN0Lm5ldDAdBgNVHREEFjAUghJmd2xpYjEwMS5r
cHUuYWMuanAwDQYJKoZIhvcNAQELBQADggEBAIQ//2/ykIQTUz8t2BjvMFZW5nrS
zwGIeApARroHESA3+Mx+nbnfBBLkFqqIwcFnj5SzMGusDcHTNto4lntMiy2nEuxK
dkXMrsiY5XxPyW0LOzp/4K6bTPdPFSEgjRrSQYcQB4nwiaO8kliE2MIzbEeX34iK
z0qjasurbDaVhXinwEeJ9xP9FEAZY3WJ5oomMEWqKenmfNYty87g5Eqrzh9kg9tx
BPbCJ7JALF3EDnicUmlBglLhy7CPuO7XX1bV2RtE7Twv/Fp3KKBOXCLEvk/BSsw0
2Bwv2eEmf39n9CYoquCpWNF6fOMXpKs8b5KRkci2Ymv7VVIRpxz3hkgN6JU=
-----END CERTIFICATE-----
614CF312272907F0
-----BEGIN CERTIFICATE-----
MIIE8zCCA9ugAwIBAgIIYUzzEicpB/AwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxKjAoBgNVBAoTIU5hdGlvbmFsIEluc3Rp
dHV0ZSBvZiBJbmZvcm1hdGljczEgMB4GA1UEAxMXTklJIE9wZW4gRG9tYWluIENB
IC0gRzQwHhcNMTYwOTA3MTAyMjE3WhcNMTgxMDA4MTAyMjE3WjCBizELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxQzBBBgNVBAoTOlVuaXZlcnNpdHkgb2Yg
T2NjdXBhdGlvbmFsIGFuZCBFbnZpcm9ubWVudGFsIEhlYWx0aCxKYXBhbi4xCjAI
BgNVBAsTAS0xGTAXBgNVBAMTEHd3dy51b2VoLXUuYWMuanAwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDWIRgbIf+0BP0kzNZu31ZrRVBpnq+KGeiI9q50
moOKrYBp7aMKu86Q+Uy2Sbk+1RLebhbQnaZ1TqLOAT3zo95mHAK3sxhHf/9LSPva
OvHPhVTX1nLz7HiRYe5BE37+hlvt1/raxJwi7Jbb0+eL0leL1/9OQdE5JTzWN0q0
utMnT6J5SZdtOM6EVhRcEIByNE4vTUoGxm0pPyg0uLmIV9Yh3b7/XovPrn3LKwj4
lp744hL0a9VIcRCtmuG5nPU25YgFFeR8XbQawx9deqpQPdEcPgyjj9wUfD1O0h6a
ydqZiE8t30eXxMmz/0CM71QwV9pw+JaL+YIzoo8lAzmpG3YrAgMBAAGjggF2MIIB
cjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUGQtv
OR8xAzRf5NJAHzfmjediOXwwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3JlcG8x
LnNlY29tdHJ1c3QubmV0L3NwcGNhL25paS9vZGNhMy9mdWxsY3JsZzQuY3JsMA4G
A1UdDwEB/wQEAwIFoDAdBgNVHQ4EFgQUs1PcP34TpQ+kuBT0nDrhfgyY3oAwWgYD
VR0gBFMwUTBPBgwrBgEEAYH8CAMCAQEwPzA9BggrBgEFBQcCARYxaHR0cHM6Ly9y
ZXBvMS5zZWNvbXRydXN0Lm5ldC9zcGNwcC9jcHMvaW5kZXguaHRtbDA8BggrBgEF
BQcBAQQwMC4wLAYIKwYBBQUHMAGGIGh0dHA6Ly9uaWlnNC5vY3NwLnNlY29tdHJ1
c3QubmV0MBsGA1UdEQQUMBKCEHd3dy51b2VoLXUuYWMuanAwDQYJKoZIhvcNAQEL
BQADggEBADP4dQQe32TY/pTC3uheCQ4d4lj2zJuKZVPIHG1Znv5YIqjo7rAuV6ah
s6t+DL54DfKc1hjDw5Kgq2XNFsk8v/e2wQuHI4ucMxswhXECgtQqGwvAmW7S2aY7
QTg4SGyWaBcwB1D1JCIHaDfkJ5NYpojCAX8I4016cRnk41qtbecV5hMXLrRax7GZ
49PEFZoN4xLqW1b7y8xtXJaSdO1LLCnwH4HfQdPBEDqCWqnGeJpdTx9mw9Igx1sp
5XJK4gbVs8+SMD6PpSgR5q0esKh7itvjcyzl1PTurfXh/ogQuRQoFOHTqKr2qKlk
7seHW+siEU14MOUi4Ac2jlKvBShoQMA=
-----END CERTIFICATE-----
6CB2E1EBCBC9D1CD
-----BEGIN CERTIFICATE-----
MIIFBTCCA+2gAwIBAgIIbLLh68vJ0c0wDQYJKoZIhvcNAQELBQAwbTELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxKjAoBgNVBAoTIU5hdGlvbmFsIEluc3Rp
dHV0ZSBvZiBJbmZvcm1hdGljczEgMB4GA1UEAxMXTklJIE9wZW4gRG9tYWluIENB
IC0gRzQwHhcNMTcwMjIyMTEzODU4WhcNMTkwMzI1MTEzODU4WjCBlDELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxQzBBBgNVBAoTOlVuaXZlcnNpdHkgb2Yg
T2NjdXBhdGlvbmFsIGFuZCBFbnZpcm9ubWVudGFsIEhlYWx0aCxKYXBhbi4xCjAI
BgNVBAsTAS0xIjAgBgNVBAMTGXMycHViYWRmLnB1Yi51b2VoLXUuYWMuanAwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+plI1oOgjMsg+qwJDHnFVIJdy
VdvUqBvvUbNZVxtHYScg3U+gikud8KKdIfiD63upaEIgZgDtAE/DRD3kvpqDjGaS
V0T1P7jpKO8S+KGXcwC7Owl0zpmwcUhUZDpIekidgRXfTsQggMZdKDAeNSLOxZoZ
y6+e2RexAaSSVCaP0RCmf4hcAnBaOWfBFfNIoroc8cTXzZAqSHycK31vpRY0oEph
alIX63oXDpuH1F6HuAoSvFzhO0clfZ8/kD41+UxduWCPfgcsTRXEw/1UVPnJ9Vek
TytSph2zqi1bLiYCyn5WUT07XtDAieBOFO0XORH5xmRW77vvKGsQNNBGZUEtAgMB
AAGjggF/MIIBezAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0j
BBgwFoAUGQtvOR8xAzRf5NJAHzfmjediOXwwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0
cDovL3JlcG8xLnNlY29tdHJ1c3QubmV0L3NwcGNhL25paS9vZGNhMy9mdWxsY3Js
ZzQuY3JsMA4GA1UdDwEB/wQEAwIFoDAdBgNVHQ4EFgQUK0WBw7ztKVNFLshfU08w
sBeKqvQwWgYDVR0gBFMwUTBPBgwrBgEEAYH8CAMCAQEwPzA9BggrBgEFBQcCARYx
aHR0cHM6Ly9yZXBvMS5zZWNvbXRydXN0Lm5ldC9zcGNwcC9jcHMvaW5kZXguaHRt
bDA8BggrBgEFBQcBAQQwMC4wLAYIKwYBBQUHMAGGIGh0dHA6Ly9uaWlnNC5vY3Nw
LnNlY29tdHJ1c3QubmV0MCQGA1UdEQQdMBuCGXMycHViYWRmLnB1Yi51b2VoLXUu
YWMuanAwDQYJKoZIhvcNAQELBQADggEBAGDO32atFPWS6eTufuRbC4WJmDeH23Sr
kJm6awPiLdttg0cvyWty6d6UcJ23hoYzv88EGtSWShmemnJDTAi6E2IYufT4bqp0
kULNwXPJp44H/oPVaBr33tcGY5ryrToTygg2O50E2tQFb4N7kt4Eghf96mss4u4v
XSBMotcy6tnva5IayVoYjfwVAJ3NntMS6ypkp+Wtnl4uTp5/gXiyEQ8Tv47+jwXo
t8IEb1CMw9ep2Sh7yg1xu7aTJPzN188u7QkyT3Q0vTyUJ4SYGOMiuj21bngqMI9+
1JouW0mLRs7xUqtiNcoDTOH+olIgqBPxYYuNpvrghmogkWg1wfxwOXk=
-----END CERTIFICATE-----
764589145D04A048
-----BEGIN CERTIFICATE-----
MIIE/zCCA+egAwIBAgIIdkWJFF0EoEgwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxKjAoBgNVBAoTIU5hdGlvbmFsIEluc3Rp
dHV0ZSBvZiBJbmZvcm1hdGljczEgMB4GA1UEAxMXTklJIE9wZW4gRG9tYWluIENB
IC0gRzQwHhcNMTYxMjA5MDczNzI4WhcNMTkwMTA5MDczNzI4WjCBkTELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxQzBBBgNVBAoTOlVuaXZlcnNpdHkgb2Yg
T2NjdXBhdGlvbmFsIGFuZCBFbnZpcm9ubWVudGFsIEhlYWx0aCxKYXBhbi4xCjAI
BgNVBAsTAS0xHzAdBgNVBAMTFnJhc2luLm1lZC51b2VoLXUuYWMuanAwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpZKkM2qQvjLZOGVKzFmlMJML37Pz7
aAuyaWezNO9xEjFvf/SozTW9hPclvE14L9Yg/cuObe/bNchjSgL5CGVh0PGlOpud
uGVKu/10wClpboMGoYrE1Rt1CNXz/hbR0H4IVgMTVlvXnVT9TJxG0CsE7bGhSCzo
KNABsPH3yjYTymh/Qsg8CkCStTjoc4ywHJJ5uiVjuIxfgLoQ6yYCVA2PlqhabxcJ
aLb/ML7KledtYwLHQFmXM+HMG1PFKbAWZY0H94n4lUw/cducI78OFRzNq2Sv5xKq
hlTwT+zY6sKmE0pshvz5hzA0qiUbqgSvGjRuy6TrhflC1Ez4bZiHE5R/AgMBAAGj
ggF8MIIBeDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgw
FoAUGQtvOR8xAzRf5NJAHzfmjediOXwwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDov
L3JlcG8xLnNlY29tdHJ1c3QubmV0L3NwcGNhL25paS9vZGNhMy9mdWxsY3JsZzQu
Y3JsMA4GA1UdDwEB/wQEAwIFoDAdBgNVHQ4EFgQUUj9vlY5jHNlecCiCG8jeKCMr
ZhUwWgYDVR0gBFMwUTBPBgwrBgEEAYH8CAMCAQEwPzA9BggrBgEFBQcCARYxaHR0
cHM6Ly9yZXBvMS5zZWNvbXRydXN0Lm5ldC9zcGNwcC9jcHMvaW5kZXguaHRtbDA8
BggrBgEFBQcBAQQwMC4wLAYIKwYBBQUHMAGGIGh0dHA6Ly9uaWlnNC5vY3NwLnNl
Y29tdHJ1c3QubmV0MCEGA1UdEQQaMBiCFnJhc2luLm1lZC51b2VoLXUuYWMuanAw
DQYJKoZIhvcNAQELBQADggEBAB/pROwS3IzHZlYljcoRc3ArOxsv8+zHSYD3uTAM
S5VFxSMlRa+fM/hOGxZJGoAbNT+1chBuC5irikUglPIz8DzwIXN5zHChWqQqk46v
IuwH9VErM2UD18UWmNgmxIu7/7XsOz2HxjA1cMmLCH9rmZW+JV3w8Wt8G/RGP+Zu
e0cmonoaRrYgzoXLCR4X4YuRodlx8GtZXzCp6paFh6EJZAo5+ZicTesMMe1/bJyG
VM8a9mEUWEJ0i86a2fLdi/RYhDO1DGGDFTXUCsFNsnfaCoE4M9o0KZREEc3lm1Zm
HyZbvRWiMXbdGQNSEMyH1TbzUvbgvX0bC7mxXGXu9roU+RI=
-----END CERTIFICATE-----
7C5667B49DB30931
-----BEGIN CERTIFICATE-----
MIIEzjCCA7agAwIBAgIIfFZntJ2zCTEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxKjAoBgNVBAoTIU5hdGlvbmFsIEluc3Rp
dHV0ZSBvZiBJbmZvcm1hdGljczEgMB4GA1UEAxMXTklJIE9wZW4gRG9tYWluIENB
IC0gRzQwHhcNMTYwNTE5MDQxNzE5WhcNMTgwNjE5MDQxNzE5WjBqMQswCQYDVQQG
EwJKUDEQMA4GA1UEBxMHQWNhZGVtZTElMCMGA1UEChMcS3lvdG8gUHJlZmVjdHVy
YWwgVW5pdmVyc2l0eTEKMAgGA1UECxMBLjEWMBQGA1UEAxMNdnBuLmtwdS5hYy5q
cDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANlXlUnvkcT8omhZbVne
RKQcd1DQJ9OXgqNfjyjQLrAI4ue52359JrpGbR0V2A//8xLG0SifX7Xy5208nHYK
ms6CNhDrMDYmfcVGXYpJGQpkn7m8YABhcfA4QWLHz5XHkzF1kli86N6+RtOEMVGr
EhUJ9aBjd7ipmAyxYFIu6vI4LeGUK9LfzWmz8RknX9hDRVZPj7jR6gNlq/7vG2ZR
3xFJRHkOFsKEMOh6nW1Y0H0abl1gCHBoH41iEoHvwFH86iz7gW79MfiAarKyhXVg
VrRVtYEuhXVL2MNfttzODz9SwWmeWMOiqMj15R6xr48G3ANFNCGQTyPrdAVhxZyH
ErUCAwEAAaOCAXMwggFvMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAf
BgNVHSMEGDAWgBQZC285HzEDNF/k0kAfN+aN52I5fDBKBgNVHR8EQzBBMD+gPaA7
hjlodHRwOi8vcmVwbzEuc2Vjb210cnVzdC5uZXQvc3BwY2EvbmlpL29kY2EzL2Z1
bGxjcmxnNC5jcmwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBQJzgQYOD8sjSoc
23IrZGerhFkrnjBaBgNVHSAEUzBRME8GDCsGAQQBgfwIAwIBATA/MD0GCCsGAQUF
BwIBFjFodHRwczovL3JlcG8xLnNlY29tdHJ1c3QubmV0L3NwY3BwL2Nwcy9pbmRl
eC5odG1sMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAYYgaHR0cDovL25paWc0
Lm9jc3Auc2Vjb210cnVzdC5uZXQwGAYDVR0RBBEwD4INdnBuLmtwdS5hYy5qcDAN
BgkqhkiG9w0BAQsFAAOCAQEAI4+9/vx3mFDelwEyUgObwc9mSsnW6D5C7mulP33l
XGHGFvEZ/wlrR4QTZOd+E9FQ1p2lKER5GI70UqmQkGu8n+R+0Z8IBv/kMGi7y/Z3
2lpAfTQxUCYdLOPvbUfQCNraGhsmeHt0+bPp7WbcloVjR5WtjXpzVBIKreQVAC1d
L4igNbhw6PY1r52Cns6jTwC+a9sk1i9hXSjoskcGzr8IvLCTIwnTiDgM2x4uCk5n
cQ4IjvKAdTQNP14BisQafDc8HDwtu60GxGFIQzLs7FGFu/h52ztSzqRaeLmxJS0i
cou2o16I5Xig0mtziMlFTvU/m+C2vu1fz8KyrFlvdkdJbg==
-----END CERTIFICATE-----
7C95E5344C0D83AF
-----BEGIN CERTIFICATE-----
MIIE/TCCA+WgAwIBAgIIfJXlNEwNg68wDQYJKoZIhvcNAQELBQAwbTELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxKjAoBgNVBAoTIU5hdGlvbmFsIEluc3Rp
dHV0ZSBvZiBJbmZvcm1hdGljczEgMB4GA1UEAxMXTklJIE9wZW4gRG9tYWluIENB
IC0gRzQwHhcNMTcwMjIyMDcyMjQ0WhcNMTkwMzI1MDcyMjQ0WjCBkDELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxQzBBBgNVBAoTOlVuaXZlcnNpdHkgb2Yg
T2NjdXBhdGlvbmFsIGFuZCBFbnZpcm9ubWVudGFsIEhlYWx0aCxKYXBhbi4xCjAI
BgNVBAsTAS0xHjAcBgNVBAMTFXMycHViYWRmLnVvZWgtdS5hYy5qcDCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL6mUjWg6CMyyD6rAkMecVUgl3JV29So
G+9Rs1lXG0dhJyDdT6CKS53wop0h+IPre6loQiBmAO0AT8NEPeS+moOMZpJXRPU/
uOko7xL4oZdzALs7CXTOmbBxSFRkOkh6SJ2BFd9OxCCAxl0oMB41Is7FmhnLr57Z
F7EBpJJUJo/REKZ/iFwCcFo5Z8EV80iiuhzxxNfNkCpIfJwrfW+lFjSgSmFqUhfr
ehcOm4fUXoe4ChK8XOE7RyV9nz+QPjX5TF25YI9+ByxNFcTD/VRU+cn1V6RPK1Km
HbOqLVsuJgLKflZRPTte0MCJ4E4U7Rc5EfnGZFbvu+8oaxA00EZlQS0CAwEAAaOC
AXswggF3MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAW
gBQZC285HzEDNF/k0kAfN+aN52I5fDBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8v
cmVwbzEuc2Vjb210cnVzdC5uZXQvc3BwY2EvbmlpL29kY2EzL2Z1bGxjcmxnNC5j
cmwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBQrRYHDvO0pU0UuyF9TTzCwF4qq
9DBaBgNVHSAEUzBRME8GDCsGAQQBgfwIAwIBATA/MD0GCCsGAQUFBwIBFjFodHRw
czovL3JlcG8xLnNlY29tdHJ1c3QubmV0L3NwY3BwL2Nwcy9pbmRleC5odG1sMDwG
CCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAYYgaHR0cDovL25paWc0Lm9jc3Auc2Vj
b210cnVzdC5uZXQwIAYDVR0RBBkwF4IVczJwdWJhZGYudW9laC11LmFjLmpwMA0G
CSqGSIb3DQEBCwUAA4IBAQAndxjLPgg5/rckyXpWABViVvAGW5NgmFu2irUKr/pr
+qH0up5YgFPUDoxHdCGT68cH7LrawhEfHL1b8+HDrLuWj2SEEXqgnP0lXk2atqCz
vXR++Pnd25TOXroxYeycfNH61f8HD8fmDjTdczR1uesgxpEMgXK4yN33yX7so+Z2
s1mT9Ayh+1N5m9IjQtFxayVKXbDI9OLYSBZG9jDkG73+qXRuzk4bnjk2unZMAZrQ
YIQLxQZWf5+4lziuJXrG4NSHp7iurRoEKo5+VNi7j6/wAOSSxIDNa+kUbyDlRdoS
2xO0qajVrqNykpTHQMVQ/UfNxrmONvgrhhhF05okWiyW
-----END CERTIFICATE-----

4)
We have found nine certificates whose subject DN has an attribute with metadata as its value.
The last one was issued on 2017-02-22.
While one is already expired, eight certificates are still valid.  The last one will expire on 2019-03-17.
All nine certificates have problem in OU.  We have not found certificates with other attribute(s) with metadata as its/their value.  
Six certificates have '-', three certificates have '.'.  We have not found any certificates whose subject DN has attribute(s) with a single space character ' '.

5)
Although the strict procedures are stipulated as a total verification procedure, there are variations in the skill of RA members for checking details of CSR (recognition of usable characters), and then this mistake was made.

6)
1. Detailed description for the manual and awareness raising to prevent this problem.
2. Enhanced education and to be more sensitive for RA members.
This will be implemented thoroughly while presenting NG cases.
3. Technical measure for check to prevent this kind of problem.
   (Rejecting issuance by system in case of nonstandard character string)
Regarding the timeline, we are planning to build the technical measure in January 2018.
We will implement countermeasures for the operations 1 and 2 to prevent recurrence until that time.

7)
We will update according to the progress of the situation.

Thank you for your consideration.
The fourth certificate was broken.
It should be the following (11th line had excess "ASE " in the middle):
-----BEGIN CERTIFICATE-----
MIIE2DCCA8CgAwIBAgIIX8FBV0b/ljQwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UE
BhMCSlAxEDAOBgNVBAcTB0FjYWRlbWUxKjAoBgNVBAoTIU5hdGlvbmFsIEluc3Rp
dHV0ZSBvZiBJbmZvcm1hdGljczEgMB4GA1UEAxMXTklJIE9wZW4gRG9tYWluIENB
IC0gRzQwHhcNMTYwMzI4MDIyNzI1WhcNMTgwNDI4MDIyNzI1WjBvMQswCQYDVQQG
EwJKUDEQMA4GA1UEBxMHQWNhZGVtZTElMCMGA1UEChMcS3lvdG8gUHJlZmVjdHVy
YWwgVW5pdmVyc2l0eTEKMAgGA1UECxMBLjEbMBkGA1UEAxMSZndsaWIxMDEua3B1
LmFjLmpwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuikyh0EOCUFM
5QLP1y7e4J5Tt5fEAbiO29gEekeFZCx72Pf2xEBU7HC9ToRTA55ETipI4gIfw1cC
dnhkAdE3xet8XvGhkM56KjtRlnYwEAMiYBRbVFjePuVxYWhjargAJOKAT62weiIJ
b3FWIw/jhsW/8UC0LfxlYFIPDOcQL8Cyt41+otht3Sl+oPCaOU4F0cKAqAcdMkx5
K0LdZuMRQHyCzaxmLwr9TAaMU08qOMhdaq34MLIaQrWFF/WR8Sali3kGg6fFuG1A
bYkmPulFkhcb8C03gyBL2WohyyYMMf8JDfRPUQWhlfQQ2pRjy5+B5JwaBjDLM0c2
e57Z8jWEwwIDAQABo4IBeDCCAXQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMB8GA1UdIwQYMBaAFBkLbzkfMQM0X+TSQB835o3nYjl8MEoGA1UdHwRDMEEw
P6A9oDuGOWh0dHA6Ly9yZXBvMS5zZWNvbXRydXN0Lm5ldC9zcHBjYS9uaWkvb2Rj
YTMvZnVsbGNybGc0LmNybDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0OBBYEFL/3c9Qy
Zi3P/C8H5iHDPJUkHzyiMFoGA1UdIARTMFEwTwYMKwYBBAGB/AgDAgEBMD8wPQYI
KwYBBQUHAgEWMWh0dHBzOi8vcmVwbzEuc2Vjb210cnVzdC5uZXQvc3BjcHAvY3Bz
L2luZGV4Lmh0bWwwPAYIKwYBBQUHAQEEMDAuMCwGCCsGAQUFBzABhiBodHRwOi8v
bmlpZzQub2NzcC5zZWNvbXRydXN0Lm5ldDAdBgNVHREEFjAUghJmd2xpYjEwMS5r
cHUuYWMuanAwDQYJKoZIhvcNAQELBQADggEBAIQ//2/ykIQTUz8t2BjvMFZW5nrS
zwGIeApARroHESA3+Mx+nbnfBBLkFqqIwcFnj5SzMGusDcHTNto4lntMiy2nEuxK
dkXMrsiY5XxPyW0LOzp/4K6bTPdPFSEgjRrSQYcQB4nwiaO8kliE2MIzbEeX34iK
z0qjasurbDaVhXinwEeJ9xP9FEAZY3WJ5oomMEWqKenmfNYty87g5Eqrzh9kg9tx
BPbCJ7JALF3EDnicUmlBglLhy7CPuO7XX1bV2RtE7Twv/Fp3KKBOXCLEvk/BSsw0
2Bwv2eEmf39n9CYoquCpWNF6fOMXpKs8b5KRkci2Ymv7VVIRpxz3hkgN6JU=
-----END CERTIFICATE-----
Thank you for your reply and status update.

(In reply to Hisashi Kamo from comment #3)
> 5)
> Although the strict procedures are stipulated as a total verification
> procedure, there are variations in the skill of RA members for checking
> details of CSR (recognition of usable characters), and then this mistake was
> made.

Can you please describe more about the process for how information is entered in to your system and how it is verified?

That is, it might be useful to use a certificate such as https://crt.sh/?id=198301534 as an example, analyzing how every piece of information was validated, how the request was received, etc. By analyzing this whole process (from request to issuance - and if request is reusing information, from the very first request), and sharing those details publicly, we can better understand the system, the existing checks, and how to mitigate in the future.

I highlight this, as your process (based on the answer below) seems to rely heavily on human factors to detect these issues. Understanding where and how these human factors play in to the validation of different pieces of information help the community understand whether, for example, a human factor can lead to an improperly issued domain. Understanding what elements of the certificate humans are responsible for entering or reviewing and what secondary controls exist (e.g. are there technical controls? Does it require a second review from another RA? Are there other procedural mitigations?) can help the community understand both the risk and the context of the proposed mitigations.

> 
> 6)
> 1. Detailed description for the manual and awareness raising to prevent this
> problem.
> 2. Enhanced education and to be more sensitive for RA members.
> This will be implemented thoroughly while presenting NG cases.

Can you explain how operations 1 and 2 are different? That is, it seems like you'll be updating a manual and then informing your RA staff you've updated the manual?

> 3. Technical measure for check to prevent this kind of problem.
>    (Rejecting issuance by system in case of nonstandard character string)
> Regarding the timeline, we are planning to build the technical measure in
> January 2018.

Could you explain and share further detail about why this will take until January 2018? That is, is it a question of prioritization? If so, what are the competing priorities. Is it a question of development schedules? If so, what happens if there's a misissuance that poses greater security risk - how quickly can those mitigations be deployed?

Understanding why it would take 4 months is useful to understand how well, organizationally, the CA is prepared to respond to issues.

> We will implement countermeasures for the operations 1 and 2 to prevent
> recurrence until that time.
> 
> 7)
> We will update according to the progress of the situation.

When do you expect Operations 1 and 2 to be completed?
Flags: needinfo?(h-kamo)
Dear Ryan-san,

We decided to deal with the system instead of covering with operations.
We are going to measure technically to prevent issuing more certificates.

The completion goal of this treatment is in September.
The meeting with the customer will be held next week.
Flags: needinfo?(h-kamo)
Attempting to summarize all the information to date:

1) Certificates with meta-data only subject fields
  - See Comment #0, Comment #3, Comment #6
  - Remediations:
    - 2017-08-25 - Updated training materials specific to this problem (See Comment #3)
    - 2017-09-XX - Automated technical controls (See Comment #6; Originally scheduled for 2018-01 per Comment #3)

Is that a correct summary? That is, are you moving forward your original estimate of 2018-01 to 2017-09?

I'm uncertain what Comment #6 means with respect to meeting with the customer. https://crt.sh/?id=6274915 indicates it's operated by SECOM (e.g. it's not an externally operated sub-CA). What customer is this?

I note a number of questions in Comment #5 are not addressed in Comment #6, but I believe they still are relevant, despite Comment #6.
Flags: needinfo?(h-kamo)
Dear Ryan-san,

Let us answers as below.

> Is that a correct summary? That is, are you moving forward your original estimate of 2018-01 to 2017-09?

Yes, that is correct.
We decided to implement it technically than to rely on human operation and target to release is in September.

> operated by SECOM (e.g. it's not an externally operated sub-CA). What customer is this?

Customer is NII.
NII(National Institute of Informatics) is an academic information agency that manages the whole universities in Japan.
SSL/ TLS certificates are issued limited to academic organizations registered in the administrative list of the Ministry of Education, Culture, Sports, Science and Technology.
(1) The namespaces to be issued are limited (issued only to academic organizations recognized by the Ministry of Education, Culture, Sports, Science and Technology)
(2) Certificates are issued only to organizations corresponding to domains of issued certificates.
NII is carrying out as part of RA of internally operated sub-CA.
There is a contractual relationship with us, and then it was described as customer. Sorry for the confused expression.

> Can you please describe more about the process for how information is entered in to your system and how it is verified?

RA is implemented with operational and technical framework, and CSR check is carried out by human operation.
Human operation/ technical verification and process are as follows.
Subscribers submit application by using Web application system implementing client authentication.
In addition to verify the existence of the academic organization, the domain information, the identity of the subscriber, and CSR check is conducted.
Regarding human operation, registration staff conducts CSR check.
In technically, it is verified for the existence of the academic organization, the domain information, and the the identity of the subscriber, but we decided now to comply with the system because the CSR check error depends on the human was occurred.
Initially, with a view to further improving the quality of the system, we planned to implement it in January 2018 after placing sufficient time for planning and testing. 
However, we decided that it is urgent and important to systemize the CSR check without human intervention, and we have a plan to deal with it during September.

> Can you explain how operations 1 and 2 are different? That is, it seems like you'll be updating a manual and then informing your RA staff you've updated the manual?

As you mentioned, there is no difference between 1 and 2.

> Could you explain and share further detail about why this will take until January 2018?

Same as above.
Initially, with a view to further improving the quality of the system, we planned to implement it in January 2018 after placing sufficient time for planning and testing. 
However, we decided that it is urgent and important to systemize the CSR check without human intervention, and we have a plan to deal with it during September.

> When do you expect Operations 1 and 2 to be completed?

It was already thoroughly announced to the RA members as contents of this error as a reminder.
Flags: needinfo?(h-kamo)
Let us update as follows.

> However, we decided that it is urgent and important to systemize the CSR check without human intervention, and we have a plan to deal with it during September.

Although we are dedicated to systematization, let us change the release date to the week of September 23.

Best regards,
Hisashi Kamo
I apologize for wrong information at the previous comment9.

> Although we are dedicated to systematization, let us change the release date to the week of September 23.
It was intended for the week of October 23, not the week of September 23.

Now, let us inform you that our target release date will be October 24.

Best regards,
Hisashi Kamo
Let us inform you that the treatment was released today, October 24.

Best regards,
Hisashi Kamo
It appears that all actions have been completed, so I am marking this issue resolved.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.