Closed
Bug 1397961
Opened 7 years ago
Closed 6 years ago
DigiCert / Justica: Invalid DNS names
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: kathleen.a.wilson, Assigned: jeremy.rowley)
References
Details
(Whiteboard: [ca-compliance] [dv-misissuance])
Attachments
(1 file)
1.40 MB,
application/pdf
|
Details |
This bug has been separated out from Bug #1389172 to request an incident report specific to this subCA. Justica a) Invalid DNS names - See Bug #1389172: Comments 3, 5, 6, 9 - Remediation - 2017-08-24 - CA patched (See Comment #9) For the problem listed above, please provide an incident report as described here: https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Updated•7 years ago
|
Flags: needinfo?(jeremy.rowley)
Comment 1•7 years ago
|
||
1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, via a discussion in mozilla.dev.security.policy, or via a Bugzilla bug), and the date. Sat 8/12/2017 8:58 PM via email to m.d.s.p. list from Jonathan Rudenberg 2. A timeline of the actions your CA took in response. Email to Sara Loja from Jeremy Rowley on Aug. 14, 2017 requesting that the Portuguese government revoke the certificate issued to servicos.justica.local. Certificate revoked on 8/15/2017. 3. Confirmation that your CA has stopped issuing TLS/SSL certificates with the problem. Portuguese Government has indicated that it is not issuing certificates with .local. 4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued. This was a single certificate, issued on Nov. 3, 2014. See https://crt.sh/?id=10620923 5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. See answer #4 above. 6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now. At time of issuance, internal names were not prohibited. Portuguese Government unaware of BR 7.1.4.2.1 requiring revocation on or before 10/1/2016 7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things. Communicating with CA representatives We are inviting CA operator to post its own Incident Report.
Comment 2•7 years ago
|
||
Ben: I'm sure it's obvious to you, but comment 1 is wholly inadequate as a root cause analysis. I hope the CA operator will provide better answers. Gerv
Assignee | ||
Updated•7 years ago
|
Flags: needinfo?(jeremy.rowley) → needinfo?(ben.wilson)
Comment 3•7 years ago
|
||
Ben: ping? Gerv
Comment 4•7 years ago
|
||
I'm reaching out to them. Meanwhile, as I said above, WRT root cause analysis, it's likely that .local wasn't prohibited when the certificate was issued but no one alerted them of this certificate until recently, and then the fact that they hadn't revoked on or before 10/1/2016 came into play under BR 7.1.4.2.1.
Flags: needinfo?(ben.wilson)
Comment 5•7 years ago
|
||
Justiça responded that they misinterpreted section 4.2.2. of the Baseline Requirements to mean that if the TLD was not registered or under consideration by ICANN that it could be used. They had been using a .local domain as reserved for internal networks (RFC 6762) because they thought it was ok. Nevertheless, following this incident, they installed a new CA for internal proposes, and they are in the process of replacing all internal certificates. They also noted that there are several sensitive applications that are used by several police forces that are taking some more time because of the number of involved persons/organizations and local calendar reasons, but that they are expecting to have all such certificates revoked by the 13th of October.
Comment 6•7 years ago
|
||
Here is the audit for Justiça, to whom I've responded that I don't think it meets Mozilla requirements.
Reporter | ||
Comment 7•7 years ago
|
||
I agree with Ben, that this audit does not have all of the required information. See sections 3.1.2.2 and 3.1.4 of Mozilla's Root Store Policy. https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
Comment 8•7 years ago
|
||
Kathleen: Do you need this bug to remain open to track the audit issue?
Flags: needinfo?(kwilson)
Reporter | ||
Comment 9•7 years ago
|
||
(In reply to Wayne Thayer [:wayne] from comment #8) > Kathleen: Do you need this bug to remain open to track the audit issue? Yes. Thanks.
Whiteboard: [ca-compliance] → [ca-compliance] - Need updated audit statements for the subCA
Reporter | ||
Updated•7 years ago
|
Flags: needinfo?(kwilson)
Comment 10•7 years ago
|
||
Changing QA contact per https://bugzilla.mozilla.org/show_bug.cgi?id=1438254
QA Contact: gerv → wthayer
Comment 11•6 years ago
|
||
ETSI is adopting new standards for audit reports, so the audit issue has been sufficiently addressed. Ben: can you confirm that the revocations described in comment #5 have been completed?
Flags: needinfo?(ben.wilson)
Comment 12•6 years ago
|
||
Revocation of the certificate in question occurred on August 15, 2017. That certificate also expired on November 3, 2017.
Flags: needinfo?(ben.wilson)
Comment 13•6 years ago
|
||
Can this be closed? The CA certificate was revoked and has expired.
Flags: needinfo?(wthayer)
Comment 14•6 years ago
|
||
Confirmed that the certificate in question is revoked and expired: https://crt.sh/?id=10620923&opt=cablint
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(wthayer)
Resolution: --- → FIXED
Updated•2 years ago
|
Product: NSS → CA Program
Updated•1 year ago
|
Whiteboard: [ca-compliance] - Need updated audit statements for the subCA → [ca-compliance] [dv-misissuance]
You need to log in
before you can comment on or make changes to this bug.
Description
•