Closed Bug 1391064 Opened 7 years ago Closed 7 years ago

SECOM: Non-BR-Compliant Certificate Issuance

Categories

(CA Program :: CA Certificate Compliance, task)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: h-kamo)

(Whiteboard: [ca-compliance] [ov-misissuance])

The following problems have been found in certificates issued by your CA, and reported in the mozilla.dev.security.policy forum. Direct links to those discussions are provided for your convenience.

To continue inclusion of your CA’s root certificates in Mozilla’s Root Store, you must respond in this bug to provide the following information:

1) How your CA first became aware of the problems listed below (e.g. via a Problem Report, via the discussion in mozilla.dev.security.policy, or via this Bugzilla Bug), and the date.
2) Prompt confirmation that your CA has stopped issuing TLS/SSL certificates with the problems listed below.
3) Complete list of certificates that your CA finds with each of the listed issues during the remediation process. The recommended way to handle this is to ensure each certificate is logged to CT and then attach a CSV file/spreadsheet of the fingerprints or crt.sh IDs, with one list per distinct problem.
4) Summary of the problematic certificates. For each problem listed below: number of certs, date first and last certs with that problem were issued.
5) Explanation about how and why the mistakes were made, and not caught and fixed earlier.
6) List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
7) Regular updates to confirm when those steps have been completed.

Note Section 4.9.1.1 of the CA/Browser Forum’s Baseline Requirements, which states:

“The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs:
…
9. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement;
10. The CA determines that any of the information appearing in the Certificate is inaccurate or misleading;
…
14. Revocation is required by the CA’s Certificate Policy and/or Certification Practice Statement; or
15. The technical content or format of the Certificate presents an unacceptable risk to Application Software Suppliers or Relying Parties (e.g. the CA/Browser Forum might determine that a deprecated cryptographic/signature algorithm or key size presents an unacceptable risk and that such Certificates should be revoked and replaced by CAs within a given period of time).”

However, it is not our intent to introduce additional problems by forcing the immediate revocation of certificates that are not BR compliant when they do not pose an urgent security concern. Therefore, we request that your CA perform careful analysis of the situation. If there is justification to not revoke the problematic certificates, then explain those reasons and provide a timeline for when the bulk of the certificates will expire or be revoked/replaced.

We expect that your forthcoming audit statements will indicate the findings of these problems. If your CA will not be revoking the certificates within 24 hours in accordance with the BRs, then that will also need to be listed as a finding in your CA’s BR audit statement.

We expect that your CA will work with your auditor (and supervisory body, as appropriate) and the Root Store(s) that your CA participates in to ensure your analysis of the risk and plan of remediation is acceptable. If your CA will not be revoking the problematic certificates as required by the BRs, then we recommend that you also contact the other root programs that your CA participates in to acknowledge this non-compliance and discuss what expectations their Root Programs have with respect to these certificates.

The problems reported for your CA in the mozilla.dev.security.policy forum are as follows:

** Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters)
https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ
Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case.
Dear Kathleen-san, Thank you for the notice. We are now contacting the customer and also going to undertake technical measure to avoid this kind of error in the future.
Greetings. It has been one week, and no answer to the above matters has been provided. When can we expect an update from SECOM on each of the items listed, 1-7, in Comment #0?
We apologize for the delay. Let us update for items 1) to 7).

1) We became aware of the problem via the discussion in mozilla.dev.security.policy on August 16, and via this Bugzilla Bug on August 17.

2) We will confirm to stop the further issuance of certificates with this problem.

3) 27300E0A50486C9E, 373EFC2527849B71, 4EB686367A460484, 5FC1415746FF9634, 614CF312272907F0, 6CB2E1EBCBC9D1CD, 764589145D04A048, 7C5667B49DB30931, 7C95E5344C0D83AF

4) We have found nine certificates whose subject DN has an attribute with metadata as its value. The last one was issued on 2017-02-22. While one is already expired, eight certificates are still valid. The last one will expire on 2019-03-17. All nine certificates have the problem in OU. We have not found certificates with other attribute(s) with metadata as its/their value. Six certificates have '-', three certificates have '.'. We have not found any certificates whose subject DN has attribute(s) with a single space character ' '.

5) Although the strict procedures are stipulated as a total verification procedure, there are variations in the skill of RA members for checking details of CSR (recognition of usable characters), and then this mistake was made.

6)
1. Detailed description for the manual and awareness raising to prevent this problem.
2. Enhanced education and to be more sensitive for RA members. This will be implemented thoroughly while presenting NG cases.
3. Technical measure for check to prevent this kind of problem. (Rejecting issuance by system in case of nonstandard character string)
Regarding the timeline, we are planning to build the technical measure in January 2018. We will implement countermeasures for the operations 1 and 2 to prevent recurrence until that time.

7) We will update according to the progress of the situation.

Thank you for your consideration.
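The technical measure named in item 6 of the comment above (rejecting issuance when a subject attribute holds only metadata such as '-', '.', ' ' or "N/A") can be sketched as a pre-issuance lint over the DER-encoded subject Name of a CSR. This is an added example, not part of the original thread and not SECOM's implementation; the sample subjects, the placeholder word list beyond "N/A", and all function names are assumptions.

```python
import string

# X.520 subject attribute OIDs named in this example; others stay dotted.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
             "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}
# ASN.1 string tag -> codec: UTF8String, PrintableString, TeletexString,
# IA5String, BMPString.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1",
               0x16: "ascii", 0x1E: "utf-16-be"}
# Placeholder words treated as "no data". Only "N/A" appears in the thread; the
# rest are assumptions. "NA" is deliberately absent: C=NA is Namibia.
PLACEHOLDERS = {"n/a", "not applicable", "none"}


def read_tlv(buf, off):
    """Return (tag, content, next_offset) for the DER element at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    end = off + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[off:end], end


def children(content):
    """Yield (tag, content) for each element inside a constructed value."""
    off = 0
    while off < len(content):
        tag, body, off = read_tlv(content, off)
        yield tag, body


def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    top = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [top, arcs[0] - 40 * top] + arcs[1:])


def subject_attributes(name_der):
    """Parse a DER Name into [(attribute, value), ...] in encoded order."""
    tag, rdns, end = read_tlv(name_der, 0)
    if tag != 0x30 or end != len(name_der):
        raise ValueError("input is not a single DER Name")
    out = []
    for set_tag, rdn in children(rdns):
        if set_tag != 0x31:
            raise ValueError("expected RelativeDistinguishedName SET")
        for seq_tag, atv in children(rdn):
            if seq_tag != 0x30:
                raise ValueError("expected AttributeTypeAndValue SEQUENCE")
            (oid_tag, oid), (val_tag, val) = list(children(atv))
            codec = STRING_TAGS.get(val_tag)
            if oid_tag != 0x06 or codec is None:
                raise ValueError("unsupported attribute encoding")
            dotted = decode_oid(oid)
            out.append((OID_NAMES.get(dotted, dotted), val.decode(codec)))
    return out


def is_metadata_only(value):
    """True for empty, whitespace/ASCII-punctuation-only, or placeholder values."""
    if all(ch in string.punctuation or ch.isspace() for ch in value):
        return True
    return value.strip().casefold() in PLACEHOLDERS


def lint_subject(name_der):
    """Return findings for a DER subject Name; an empty list means it passes."""
    return [f"{attr}={value!r}: metadata-only value"
            for attr, value in subject_attributes(name_der)
            if is_metadata_only(value)]


def der(tag, content):
    """Encode one DER element (helper for the constructed samples below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content


def sample_name(pairs):
    """Constructed input: encode [(last arc of 2.5.4.x, text), ...] as a Name."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, der(0x06, bytes([0x55, 0x04, arc]))
                      + der(0x13, text.encode("ascii"))))
        for arc, text in pairs))


# Constructed subjects (not taken from the certificates in this bug).
BAD_SUBJECT = sample_name([(6, "JP"), (7, "Example City"),
                           (10, "Example University"), (11, "-"),
                           (3, "www.example.ac.jp")])
GOOD_SUBJECT = sample_name([(6, "JP"), (7, "Example City"),
                            (10, "Example University"),
                            (3, "www.example.ac.jp")])

if __name__ == "__main__":
    print(lint_subject(BAD_SUBJECT))
    print(lint_subject(GOOD_SUBJECT))
```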
The fourth certificate was broken. It should be the following (11th line had excess "ASE " in the middle):
Thank you for your reply and status update.

(In reply to Hisashi Kamo from comment #3)
> 5)
> Although the strict procedures are stipulated as a total verification
> procedure, there are variations in the skill of RA members for checking
> details of CSR (recognition of usable characters), and then this mistake was
> made.

Can you please describe more about the process for how information is entered in to your system and how it is verified? That is, it might be useful to use a certificate such as https://crt.sh/?id=198301534 as an example, analyzing how every piece of information was validated, how the request was received, etc. By analyzing this whole process (from request to issuance - and if request is reusing information, from the very first request), and sharing those details publicly, we can better understand the system, the existing checks, and how to mitigate in the future.

I highlight this, as your process (based on the answer below) seems to rely heavily on human factors to detect these issues. Understanding where and how these human factors play in to the validation of different pieces of information help the community understand whether, for example, a human factor can lead to an improperly issued domain. Understanding what elements of the certificate humans are responsible for entering or reviewing and what secondary controls exist (e.g. are there technical controls? Does it require a second review from another RA? Are there other procedural mitigations?) can help the community understand both the risk and the context of the proposed mitigations.

>
> 6)
> 1. Detailed description for the manual and awareness raising to prevent this
> problem.
> 2. Enhanced education and to be more sensitive for RA members.
> This will be implemented thoroughly while presenting NG cases.

Can you explain how operations 1 and 2 are different? That is, it seems like you'll be updating a manual and then informing your RA staff you've updated the manual?

> 3. Technical measure for check to prevent this kind of problem.
> (Rejecting issuance by system in case of nonstandard character string)
> Regarding the timeline, we are planning to build the technical measure in
> January 2018.

Could you explain and share further detail about why this will take until January 2018? That is, is it a question of prioritization? If so, what are the competing priorities. Is it a question of development schedules? If so, what happens if there's a misissuance that poses greater security risk - how quickly can those mitigations be deployed? Understanding why it would take 4 months is useful to understand how well, organizationally, the CA is prepared to respond to issues.

> We will implement countermeasures for the operations 1 and 2 to prevent
> recurrence until that time.
>
> 7)
> We will update according to the progress of the situation.

When do you expect Operations 1 and 2 to be completed?
Flags: needinfo?(h-kamo)
Dear Ryan-san, We decided to deal with the system instead of covering with operations. We are going to measure technically to prevent issuing more certificates. The completion goal of this treatment is in September. The meeting with the customer will be held next week.
Attempting to summarize all the information to date:

1) Certificates with meta-data only subject fields
- See Comment #0, Comment #3, Comment #6
- Remediations:
  - 2017-08-25 - Updated training materials specific to this problem (See Comment #3)
  - 2017-09-XX - Automated technical controls (See Comment #6; Originally scheduled for 2018-01 per Comment #3)

Is that a correct summary? That is, are you moving forward your original estimate of 2018-01 to 2017-09?

I'm uncertain what Comment #6 means with respect to meeting with the customer. https://crt.sh/?id=6274915 indicates it's operated by SECOM (e.g. it's not an externally operated sub-CA). What customer is this?

I note a number of questions in Comment #5 are not addressed in Comment #6, but I believe they still are relevant, despite Comment #6.
Dear Ryan-san,

Let us answer as below.

> Is that a correct summary? That is, are you moving forward your original estimate of 2018-01 to 2017-09?

Yes, that is correct. We decided to implement it technically than to rely on human operation and target to release is in September.

> operated by SECOM (e.g. it's not an externally operated sub-CA). What customer is this?

Customer is NII. NII (National Institute of Informatics) is an academic information agency that manages the whole universities in Japan. SSL/TLS certificates are issued limited to academic organizations registered in the administrative list of the Ministry of Education, Culture, Sports, Science and Technology.

(1) The namespaces to be issued are limited (issued only to academic organizations recognized by the Ministry of Education, Culture, Sports, Science and Technology)
(2) Certificates are issued only to organizations corresponding to domains of issued certificates.

NII is carrying out as part of RA of internally operated sub-CA. There is a contractual relationship with us, and then it was described as customer. Sorry for the confused expression.

> Can you please describe more about the process for how information is entered in to your system and how it is verified?

RA is implemented with operational and technical framework, and CSR check is carried out by human operation. Human operation/technical verification and process are as follows.

Subscribers submit application by using Web application system implementing client authentication. In addition to verify the existence of the academic organization, the domain information, the identity of the subscriber, and CSR check is conducted. Regarding human operation, registration staff conducts CSR check. In technically, it is verified for the existence of the academic organization, the domain information, and the identity of the subscriber, but we decided now to comply with the system because the CSR check error depends on the human was occurred.

Initially, with a view to further improving the quality of the system, we planned to implement it in January 2018 after placing sufficient time for planning and testing. However, we decided that it is urgent and important to systemize the CSR check without human intervention, and we have a plan to deal with it during September.

> Can you explain how operations 1 and 2 are different? That is, it seems like you'll be updating a manual and then informing your RA staff you've updated the manual?

As you mentioned, there is no difference between 1 and 2.

> Could you explain and share further detail about why this will take until January 2018?

Same as above. Initially, with a view to further improving the quality of the system, we planned to implement it in January 2018 after placing sufficient time for planning and testing. However, we decided that it is urgent and important to systemize the CSR check without human intervention, and we have a plan to deal with it during September.

> When do you expect Operations 1 and 2 to be completed?

It was already thoroughly announced to the RA members as contents of this error as a reminder.
Let us update as follows.

> However, we decided that it is urgent and important to systemize the CSR check without human intervention, and we have a plan to deal with it during September.

Although we are dedicated to systematization, let us change the release date to the week of September 23.

Best regards,
Hisashi Kamo
I apologize for wrong information at the previous comment9.

> Although we are dedicated to systematization, let us change the release date to the week of September 23.

It was intended for the week of October 23, not the week of September 23. Now, let us inform you that our target release date will be October 24.

Best regards,
Hisashi Kamo
Let us inform you that the treatment was released today, October 24. Best regards, Hisashi Kamo
It appears that all actions have been completed, so I am marking this issue resolved.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]