Closed Bug 1397965 Opened 2 years ago Closed 2 years ago

DigiCert / Swiss Government: CommonName not in SANs

Categories: NSS :: CA Certificate Compliance (task)
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: kwilson, Assigned: jeremy.rowley
Whiteboard: [ca-compliance]

This bug has been separated out from Bug #1389172 to request an incident report specific to this subCA.

Swiss Government
  a) CommonName not in SANs
    - See Bug #1389172: Comments 2, 4, 6, 9
    - Remediation
      - 2017-08-24 - CA patched
For the problem listed above, please provide an incident report as described here:

https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report

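The defect named in this bug is a subject CommonName that is not repeated in the subjectAltName extension, which the Baseline Requirements require of any CN in a server certificate. The check below is an added example written for this page; it is not part of the bug, nor DigiCert's or the Swiss Government's tooling. It uses only Go's standard crypto/x509 package, and the certificates it examines are throw-away self-signed ones it builds itself (constructed test data, not the two certificates on crt.sh). The case-insensitive DNS comparison and the rule that an IP-address CN must appear as a SAN iPAddress rather than a dNSName are the author's reading of the BR rule, stated here as assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// CNInSANs reports whether a server certificate's subject CommonName, when
// present, is mirrored in its subjectAltName extension: a DNS name must
// appear as a SAN dNSName and an IP address as a SAN iPAddress. This is the
// Baseline Requirements rule the two certificates in this bug violated.
// An absent CN passes, since the BRs make the CN optional. The returned
// string is a human-readable reason when the check fails.
func CNInSANs(cert *x509.Certificate) (bool, string) {
	cn := cert.Subject.CommonName
	if cn == "" {
		return true, ""
	}
	if ip := net.ParseIP(cn); ip != nil {
		// Assumption: an IP in the CN must be repeated as an iPAddress SAN;
		// a dNSName carrying the same digits does not count.
		for _, sanIP := range cert.IPAddresses {
			if ip.Equal(sanIP) {
				return true, ""
			}
		}
		return false, fmt.Sprintf("CN %q is an IP address not listed in SAN iPAddresses %v", cn, cert.IPAddresses)
	}
	for _, d := range cert.DNSNames {
		// DNS labels are case-insensitive, so compare with EqualFold.
		if strings.EqualFold(cn, d) {
			return true, ""
		}
	}
	return false, fmt.Sprintf("CN %q is not listed in SAN dNSNames %v", cn, cert.DNSNames)
}

// selfSignedWith issues a throw-away self-signed certificate with the given
// CN and SAN entries. It is constructed test data for exercising the check
// offline, not one of the certificates from the bug.
func selfSignedWith(cn string, dns []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Constructed test data"}},
		DNSNames:     dns,
		IPAddresses:  ips,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		label string
		cn    string
		dns   []string
		ips   []net.IP
	}{
		{"CN missing from SAN (the defect in this bug)", "www.example.org", []string{"example.org"}, nil},
		{"CN mirrored in SAN, case differs", "www.example.org", []string{"WWW.EXAMPLE.ORG"}, nil},
		{"no CN at all", "", []string{"example.org"}, nil},
		{"IP CN mirrored only as dNSName", "192.0.2.1", []string{"192.0.2.1"}, nil},
		{"IP CN mirrored as iPAddress", "192.0.2.1", nil, []net.IP{net.ParseIP("192.0.2.1")}},
	}
	for _, c := range cases {
		cert, err := selfSignedWith(c.cn, c.dns, c.ips)
		if err != nil {
			fmt.Println(c.label, "- could not build certificate:", err)
			continue
		}
		ok, why := CNInSANs(cert)
		fmt.Printf("%-45s pass=%v %s\n", c.label, ok, why)
	}
}
```

To run the same check against the two certificates from the bug, download them from the crt.sh links in the report, decode the PEM with encoding/pem, and pass the result of x509.ParseCertificate to CNInSANs; only the first case above reproduces their failure mode.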
1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, via a discussion in mozilla.dev.security.policy, or via a Bugzilla bug), and the date.
Saturday, Aug. 5, 2017 by revocation email from Alex Gaynor

2. A timeline of the actions your CA took in response.
Sunday, Aug. 6, 2017, sent email to Michael von Niederhaeusern requesting revocation of the two certificates. Two certificates revoked on 8/7/2017 at 8:41 CEST.

3. Confirmation that your CA has stopped issuing TLS/SSL certificates with the problem.
Verbal commitment received from Swiss Government plus cross certificate expires tomorrow on 9/10/2017.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
2 certificates, https://crt.sh/?id=108003741 and https://crt.sh/?id=108003737

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
See response to #4 above.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
Unsure.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
Cross certificate expires tomorrow, UTC time: '170910185011Z'

The cross-cert is expired, which I think remediates the issue.
Timeline:
Aug 5, 2017 - received problem report from Alex Gaynor
Aug 6, 2017 - sent email to Swiss Government requesting revocation of the two certificates
Aug 7, 2017 - both certificates revoked
Aug 7, 2017 - received verbal commitment to stop using cross cert
Sep 10, 2017 - cross-cert expired

I'm going to close this as Resolved/Fixed, representing the Swiss Government's steps to remediation.

We can separately follow-up for the remediation steps overall that DigiCert is taking towards the management and oversight of their subordinate CAs.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED