Closed Bug 1397961 Opened 2 years ago Closed 2 years ago

DigiCert / Justica: Invalid DNS names

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kwilson, Assigned: jeremy.rowley)

References

Details

(Whiteboard: [ca-compliance] - Need updated audit statements for the subCA)

Attachments

(1 file)

This bug has been separated out from Bug #1389172 to request an incident report specific to this subCA.

Justica
  a) Invalid DNS names
    - See Bug #1389172: Comments 3, 5, 6, 9
    - Remediation
      - 2017-08-24 - CA patched (See Comment #9)


For the problem listed above, please provide an incident report as described here:

https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Flags: needinfo?(jeremy.rowley)
1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, via a discussion in mozilla.dev.security.policy, or via a Bugzilla bug), and the date.
Sat 8/12/2017 8:58 PM via email to m.d.s.p. list from Jonathan Rudenberg
    
2. A timeline of the actions your CA took in response.
Email to Sara Loja from Jeremy Rowley on Aug. 14, 2017 requesting that the Portuguese government revoke the certificate issued to servicos.justica.local.  Certificate revoked on 8/15/2017.  
    
3. Confirmation that your CA has stopped issuing TLS/SSL certificates with the problem.
Portuguese Government has indicated that it is not issuing certificates with .local.
   
4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
This was a single certificate, issued on Nov. 3, 2014.  See https://crt.sh/?id=10620923 
  
5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
See answer #4 above.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
At time of issuance, internal names were not prohibited.  Portuguese Government unaware of BR 7.1.4.2.1 requiring revocation on or before 10/1/2016
   
7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
Communicating with CA representatives 

We are inviting CA operator to post its own Incident Report.
Ben: I'm sure it's obvious to you, but comment 1 is wholly inadequate as a root cause analysis. I hope the CA operator will provide better answers.

Gerv
Flags: needinfo?(jeremy.rowley) → needinfo?(ben.wilson)
I'm reaching out to them.  Meanwhile, as I said above, WRT root cause analysis, it's likely that .local wasn't prohibited when the certificate was issued but no one alerted them of this certificate until recently, and then the fact that they hadn't revoked on or before 10/1/2016 came into play under BR 7.1.4.2.1.
Flags: needinfo?(ben.wilson)
Justiça responded that they misinterpreted section 4.2.2. of the Baseline Requirements to mean that if the TLD was not registered or under consideration by ICANN that it could be used. They had been using a .local domain as reserved for internal networks (RFC 6762) because they thought it was ok. 
 
Nevertheless, following this incident, they installed a new CA for internal proposes, and they are in the process of replacing all internal certificates. They also noted that there are several sensitive applications that are used by several police forces that are taking some more time because of the number of involved persons/organizations and local calendar reasons, but that they are expecting to have all such certificates revoked by the 13th of October.
Here is the audit for Justiça, to whom I've responded that I don't think it meets Mozilla requirements.
I agree with Ben, that this audit does not have all of the required information.

See sections 3.1.2.2 and 3.1.4 of Mozilla's Root Store Policy.

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
Kathleen: Do you need this bug to remain open to track the audit issue?
Flags: needinfo?(kwilson)
(In reply to Wayne Thayer [:wayne] from comment #8)
> Kathleen: Do you need this bug to remain open to track the audit issue?

Yes. Thanks.
Whiteboard: [ca-compliance] → [ca-compliance] - Need updated audit statements for the subCA
Flags: needinfo?(kwilson)
Changing QA contact per https://bugzilla.mozilla.org/show_bug.cgi?id=1438254
QA Contact: gerv → wthayer
ETSI is adopting new standards for audit reports, so the audit issue has been sufficiently addressed.

Ben: can you confirm that the revocations described in comment #5 have been completed?
Flags: needinfo?(ben.wilson)
Revocation of the certificate in question occurred on August 15, 2017. That certificate also expired on November 3, 2017.
Flags: needinfo?(ben.wilson)
Can this be closed?  The CA certificate was revoked and has expired.
Flags: needinfo?(wthayer)
Confirmed that the certificate in question is revoked and expired: https://crt.sh/?id=10620923&opt=cablint
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(wthayer)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.