Closed Bug 1405826 Opened 8 years ago Closed 8 years ago

Trustwave: Certs issued with same issuer and serial number

Categories: CA Program :: CA Certificate Compliance (Type: task, Priority: Not set, Severity: normal)

Tracking: Not tracked

Status: RESOLVED FIXED

People: Reporter: kathleen.a.wilson, Assigned: fcorday

Whiteboard: [ca-compliance] [ca-misissuance]

As reported here: https://groups.google.com/d/msg/mozilla.dev.security.policy/SM3cUnENmUw/ZeNCpR2eBgAJ

This CA has issued intermediate certificates with the same issuer and serial number. This is a clear violation of the serial number uniqueness requirement of the BRs and RFC5280 4.1.2.2.

Issuer: https://crt.sh/?caid=656
Issuer O: Trustwave Holdings, Inc.
Issuer CN: Trustwave Organization Issuing CA, Level 2
Subject CN: Trustwave Enterprise CA
Serial #: 6b:49:d2:04
Certs: https://crt.sh/?id=12624965 https://crt.sh/?id=12629351
Revoked?: Issuer cert revoked (https://crt.sh/?id=95565)

Issuer: https://crt.sh/?caid=12391
Issuer O: Trustwave Holdings, Inc.
Issuer CN: Trustwave Enterprise CA
Subject CN: Trustwave Enterprise VPN CA
Serial #: 41:90:ae:5d
Certs: https://crt.sh/?id=12625419 https://crt.sh/?id=12629788
Revoked?: Issuer's issuer cert revoked (https://crt.sh/?id=95565)

Please provide an incident report in this bug, as described here: https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
In discussing this bug, we do not believe this was a violation, as the BRs did not exist at the time of issuance of these certificates. Before there were any requirements, some people felt that re-use of serial numbers was appropriate when re-issuing modifications to existing certificates. Furthermore, the issuer of these certificates was revoked in 2016 and is already in OneCRL, where they are no longer relevant to the Web PKI. Standards for issuing certificates have improved greatly since 2011, and Trustwave pro-actively moved to cryptographically random serial numbers of at least 96 bits well before we were required to do so by the Baseline Requirements, thus the same thing cannot happen today.
Given that this occurred in 2010, I accept this explanation as sufficient. Gerv
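The two points raised above, the (issuer, serialNumber) uniqueness rule of RFC 5280 4.1.2.2 that the report cites and the move to CSPRNG serials described in the response, as an added example that is not code from the bug, from Trustwave or from Mozilla. It walks DER certificates just far enough to pull out the issuer Name and serial, groups an inventory by that pair, and mints a fresh 96-bit serial. The helper functions, the OIDs and the certificates in INVENTORY are all constructed here: the certificates copy the serials and CNs from the report but carry placeholder keys and signatures, so they parse but verify nothing.

```python
"""Audit DER certificates for reuse of the (issuer, serialNumber) pair that
RFC 5280 section 4.1.2.2 requires to be unique, and mint CSPRNG serials."""
import secrets

# --- minimal DER helpers (constructed for this example, not a full ASN.1 library) ---

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV using X.690 definite-length rules."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_integer(value: int) -> bytes:
    """DER INTEGER for a serial: positive, minimal, 0x00-padded when the top bit is set."""
    if value <= 0:
        raise ValueError("serialNumber must be a positive integer (RFC 5280 4.1.2.2)")
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; returns (tag, content, offset just past it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

# --- the check itself ---

def issuer_and_serial(cert_der: bytes):
    """Walk Certificate -> tbsCertificate -> [0] version?, serialNumber, signature, issuer.
    Returns (issuer Name as raw DER bytes, serial as int). Only field order is used,
    so this works on real DER certificates as well as the constructed ones below."""
    _, cert, _ = read_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)               # tbsCertificate SEQUENCE
    tag, content, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                             # optional EXPLICIT [0] version
        tag, content, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = int.from_bytes(content, "big", signed=True)
    _, _, pos = read_tlv(tbs, pos)              # signature AlgorithmIdentifier
    start = pos
    _, _, end = read_tlv(tbs, pos)              # issuer Name
    return tbs[start:end], serial

def find_duplicate_serials(certs):
    """Group certs by (issuer DER, serial); any group of more than one is a violation.
    Issuer names are compared byte-for-byte, the strict reading of the RFC 5280 rule."""
    groups = {}
    for idx, der in enumerate(certs):
        groups.setdefault(issuer_and_serial(der), []).append(idx)
    return {key: idxs for key, idxs in groups.items() if len(idxs) > 1}

def new_serial(bits: int = 96) -> int:
    """Serial drawn from a CSPRNG with `bits` of entropy; positive and non-zero by construction."""
    while True:
        serial = secrets.randbits(bits)
        if serial:
            return serial

def serial_is_acceptable(serial: int) -> bool:
    """Positive, and its DER content fits the 20-octet limit of RFC 5280 4.1.2.2."""
    return serial > 0 and len(der_integer(serial)) - 2 <= 20

# --- constructed certificates mirroring the report (unsigned placeholders, nothing verifies) ---

OID_CN = der_tlv(0x06, bytes.fromhex("550403"))                      # id-at-commonName
OID_SHA256_RSA = der_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
ALG = der_tlv(0x30, OID_SHA256_RSA + b"\x05\x00")

def name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName, here a single CN."""
    atv = der_tlv(0x30, OID_CN + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))

def toy_certificate(serial: int, issuer_cn: str, subject_cn: str, not_after=b"200101000000Z") -> bytes:
    """Stand-in Certificate with RFC 5280 field order and placeholder key and signature."""
    validity = der_tlv(0x30, der_tlv(0x17, b"100101000000Z") + der_tlv(0x17, not_after))
    spki = der_tlv(0x30, ALG + der_tlv(0x03, b"\x00"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_integer(2)) + der_integer(serial) + ALG
                  + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der_tlv(0x30, tbs + ALG + der_tlv(0x03, b"\x00"))

ISSUER_L2 = "Trustwave Organization Issuing CA, Level 2"
INVENTORY = [
    toy_certificate(0x6B49D204, ISSUER_L2, "Trustwave Enterprise CA"),
    toy_certificate(0x6B49D204, ISSUER_L2, "Trustwave Enterprise CA", b"250101000000Z"),  # re-issue, same serial
    toy_certificate(0x6B49D204, "Unrelated CA", "Unrelated subject"),   # same number, other issuer: allowed
    toy_certificate(0x4190AE5D, "Trustwave Enterprise CA", "Trustwave Enterprise VPN CA"),
    toy_certificate(0x4190AE5D, "Trustwave Enterprise CA", "Trustwave Enterprise VPN CA", b"250101000000Z"),
]

if __name__ == "__main__":
    for (issuer, serial), idxs in find_duplicate_serials(INVENTORY).items():
        print(f"serial {serial:x} reused by certs {idxs} under the same issuer")
    print(f"fresh 96-bit serial: {new_serial():x}")
```

Two caveats worth keeping in mind when running this against a real inventory: the uniqueness rule is per issuer, so the third certificate above, which reuses 6b:49:d2:04 under a different CA, is not a collision; and the Baseline Requirements set the floor at 64 bits of CSPRNG output for the serial, so the 96 bits used here (matching the figure in the response) is above the minimum, not the minimum itself.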
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ca-misissuance]