Closed Bug 1409764 Opened 2 years ago Closed 2 years ago

Asseco DS / Certum: CAA mis-issuance on critical flag and unknown CAA tag

Categories

(NSS :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: quirin, Assigned: arkadiusz.lawniczak)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce:

I set up a test domain with the following CAA records:

CAA 128 issue "certum.pl"
CAA 128 netintum "doesnotexist"

While the first line would permit Certum to issue, the second line features the critical flag (128) and an unknown tag (netintum), which forbids Certum from issuing.

Certum issued this certificate, which they should not have. 

Certificate: https://crt.sh/?id=229822803
Zone: http://dnsviz.net/d/gazebear.mobi/Wd9rQw/dnssec/

I reported this to Certum on Oct 16 at 14:16 CEST and we have been in contact since then. 
Certum has confirmed this as mis-issuance, but has not confirmed a root cause yet.

This is part of a larger CAA issuance experiment with more documentation under https://github.com/quirins/caa-test.
Whiteboard: [ca-compliance]
Assignee: kwilson → arkadiusz.lawniczak
(In reply to Quirin Scheitle from comment #0)
> User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
> 
> Steps to reproduce:
> 
> I set up a test domain with the following CAA records:
> 
> CAA 128 issue "certum.pl"
> CAA 128 netintum "doesnotexist"
> 
> While the first line would permit Certum to issue, the second line features
> the critical flag (128) and an unknown tag (netintum), which forbids Certum
> from issuing.
> 
> Certum issued this certificate, which they should not have. 
> 
> Certificate: https://crt.sh/?id=229822803
> Zone: http://dnsviz.net/d/gazebear.mobi/Wd9rQw/dnssec/
> 
> I reported this to Certum on Oct 16 at 14:16 CEST and we have been in
> contact since then. 
> Certum has confirmed this as mis-issuance, but has not confirmed a root
> cause yet.
> 
> This is part of a larger CAA issuance experiment with more documentation
> under https://github.com/quirins/caa-test.

The order of records received from the DNS zone determines the progress of verification and, in one case, also determines the result.
That case is when the record that matches the issuer occurs in the DNS response before the critical flag is found; then the verification process is aborted and terminated positively.
The patch is ready to be implemented on October 23, 2017.
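The root cause described in comment #1, and the two-record zone from comment #0, can be reproduced with a small model of the two evaluation strategies. The following is an added example written for this page; it is a reconstruction of the order-dependent logic as described above, not Certum's code, and the compliant checker is a minimal reading of RFC 6844 section 5.1 (a critical record with an unrecognised tag forbids issuance) and section 5.2 (an `issue` record must name the CA). Tree climbing to parent domains, wildcard/`issuewild` handling and the "no CAA records at all" case are deliberately out of scope; the zone text and the `KNOWN_TAGS` set are constructed for the example.

```python
"""Order-dependent vs. RFC 6844-compliant CAA evaluation (added example)."""
from dataclasses import dataclass
from typing import List

CRITICAL = 128  # issuer-critical flag bit, RFC 6844 section 5.1
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags this toy CA understands


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL)


def parse_caa(zone_text: str) -> List[CAARecord]:
    """Parse lines of the form `CAA <flags> <tag> "<value>"` (zone-file style)."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[0].upper() != "CAA":
            raise ValueError(f"malformed CAA line: {line!r}")
        _, flags, tag, value = parts
        records.append(CAARecord(int(flags), tag.lower(), value.strip('"')))
    return records


def _issuer_domain(value: str) -> str:
    # issue values may carry parameters after ';', e.g. "certum.pl; account=1"
    return value.split(";", 1)[0].strip().lower()


def order_dependent_check(records: List[CAARecord], ca_domain: str) -> bool:
    """Reconstruction of the flawed logic from comment #1 (not Certum's code):
    walk the response in the order it arrived and return success as soon as an
    `issue` record names the CA, so a critical unknown tag that comes later in
    the response is never examined."""
    for rec in records:
        if rec.tag == "issue" and _issuer_domain(rec.value) == ca_domain:
            return True  # early positive termination: the bug
        if rec.critical and rec.tag not in KNOWN_TAGS:
            return False
    return False


def rfc6844_check(records: List[CAARecord], ca_domain: str) -> bool:
    """Compliant logic: first reject on any critical record with an unknown tag,
    wherever it sits in the RRset; only then decide on the `issue` records."""
    if any(r.critical and r.tag not in KNOWN_TAGS for r in records):
        return False
    issue_domains = {_issuer_domain(r.value) for r in records if r.tag == "issue"}
    if not issue_domains:
        # Simplification for this example: no restricting property present.
        return True
    return ca_domain in issue_domains


# Constructed zone text reproducing the records from comment #0, in the order
# that triggers the bug (matching issuer first) and in the reverse order.
ZONE_AS_PUBLISHED = """
CAA 128 issue "certum.pl"
CAA 128 netintum "doesnotexist"
"""
ZONE_REORDERED = """
CAA 128 netintum "doesnotexist"
CAA 128 issue "certum.pl"
"""


def evaluate(zone_text: str, ca_domain: str) -> dict:
    """Return both verdicts for one zone so the order dependence is visible."""
    records = parse_caa(zone_text)
    return {
        "order_dependent": order_dependent_check(records, ca_domain),
        "rfc6844": rfc6844_check(records, ca_domain),
    }


if __name__ == "__main__":
    for name, zone in (("as published", ZONE_AS_PUBLISHED), ("reordered", ZONE_REORDERED)):
        print(name, evaluate(zone, "certum.pl"))
```

Running it shows the flawed checker permitting issuance only for the published ordering while the compliant checker refuses in both; the practical check for a CA is exactly that second property: a CAA verdict must be invariant under permutation of the RRset, which is easy to fuzz by shuffling the records before evaluation.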
Arkadiusz: do you have an update here?

Gerv
Flags: needinfo?(arkadiusz.lawniczak)
Yes. Problem is resolved.
Flags: needinfo?(arkadiusz.lawniczak)
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Summary: Certum: CAA mis-issuance on critical flag and unknown CAA tag → Asseco DS / Certum: CAA mis-issuance on critical flag and unknown CAA tag