DigitCert/Thawte: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN

Status: RESOLVED INVALID (task)
Reporter: quirin
Assignee: jeremy.rowley
Tracking: trunk
Firefox Tracking Flags: (Not tracked)
Whiteboard: [ca-compliance]
Description (Reporter: quirin)

As per Gerv's request, I am filing individual bugs for [1] -- please refer to [1] for a full background.

In this case, Thawte likely mis-issued on a mixed wildcard/non-wildcard SAN, as discussed in [2] and listed in [3]. 

What likely happened is that Thawte validated CAA for the wildcard SAN *.trnava-vuc.sk and then added the base domain trnava-vuc.sk without a further CAA check. As Thawte is not listed in the issue set, it was not permitted to add the base domain SAN. 

To proceed with this as a community, I guess answers to the following questions from the affected CAs [1] would be of interest:
        a) Was CAA checking bypassed for this issuance? If so, why?
        b) If CAA lookups were conducted, what response did you receive? Why did it permit issuance? 

The certificate in question is this:
======== Certificate 2 - Group 1  =======
https://crt.sh/?id=211113116
        X509v3 Subject Alternative Name:
                DNS:*.trnava-vuc.sk
                DNS:trnava-vuc.sk
        Issuer: thawte, Inc.
DNS history (Certificate issued on Sep 13)
2017-09-11:trnava-vuc.sk.      86400   IN      CAA     0 issuewild "symantec.com"
2017-09-11:trnava-vuc.sk.      86400   IN      CAA     0 issue ";"
2017-09-12:trnava-vuc.sk.      86400   IN      CAA     0 issuewild "thawte.com"
2017-09-12:trnava-vuc.sk.      86400   IN      CAA     0 issue ";"
2017-09-13:trnava-vuc.sk.      86400   IN      CAA     0 issuewild "thawte.com"
2017-09-13:trnava-vuc.sk.      86400   IN      CAA     0 issue ";"
2017-09-14:trnava-vuc.sk.      86360   IN      CAA     0 issuewild "thawte.com"
2017-09-14:trnava-vuc.sk.      86360   IN      CAA     0 issue ";"
2017-09-15:trnava-vuc.sk.      86400   IN      CAA     0 issuewild "thawte.com"
2017-09-15:trnava-vuc.sk.      86400   IN      CAA     0 issue ";"
2017-09-16:trnava-vuc.sk.      86400   IN      CAA     0 issuewild "thawte.com"
2017-09-16:trnava-vuc.sk.      86400   IN      CAA     0 issue ";"
2017-09-17:trnava-vuc.sk.      86400   IN      CAA     0 issuewild "thawte.com"
2017-09-17:trnava-vuc.sk.      86400   IN      CAA     0 issue ";" 


[1] https://groups.google.com/d/topic/mozilla.dev.security.policy/QpSVjzrj7T4/discussion
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/O9HZPMvHMY8/HtXR8S-1AAAJ
[3] https://misissued.com/batch/32/
Assignee: kwilson → jeremy.rowley
Summary: Thawte: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN → DigitCert/Thawte: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN
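Added example (editor's code, not part of the bug report and not any CA's implementation): the RFC 6844 decision procedure that the report above applies by hand, run over a constructed zone snapshot mirroring the 2017-09-13 records quoted in the DNS history, and over an empty zone, which is the outcome the CA's logs in Comment 1 report. It shows why a SAN mixing `*.trnava-vuc.sk` and `trnava-vuc.sk` needs two independent decisions: `issuewild` governs the wildcard name and `issue ";"` forbids the bare name. Zone layout, record dataclass and function names are assumptions made for the example.

```python
"""CAA evaluation per RFC 6844 for a SAN mixing wildcard and non-wildcard names."""
from dataclasses import dataclass

CRITICAL = 128  # issuer-critical flag bit (RFC 6844 section 3)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone snapshot mirroring the 2017-09-13 records quoted in the report.
# Keys are FQDNs without the trailing dot; an absent key means "no CAA RRset".
ZONE_2017_09_13 = {
    "trnava-vuc.sk": [
        CAARecord(0, "issuewild", "thawte.com"),
        CAARecord(0, "issue", ";"),
    ],
}
EMPTY_ZONE = {}  # what the CA's log excerpt in Comment 1 claims the resolver returned


def relevant_record_set(zone, name):
    """Climb from the name towards the root; the first CAA RRset found governs
    (RFC 6844 section 4 as corrected by erratum 5065)."""
    labels = name.rstrip(".").split(".")
    if labels[0] == "*":          # *.example.com is governed by example.com's tree
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return list(rrset)
        labels = labels[1:]
    return []


def issuer_of(record):
    """Issuer domain from the 'domain; key=value' value syntax.
    A value of ';' has an empty issuer, i.e. nobody is authorised."""
    return record.value.split(";", 1)[0].strip().lower()


def caa_permits(zone, name, ca_domain):
    """Return (permitted, reason) for issuing `name` as CA identified by `ca_domain`."""
    rrset = relevant_record_set(zone, name)
    if not rrset:
        return True, "no CAA RRset found up the tree; issuance unrestricted"
    unknown_critical = [r for r in rrset
                        if r.flags & CRITICAL and r.tag.lower() not in ("issue", "issuewild", "iodef")]
    if unknown_critical:
        return False, f"critical unknown property {unknown_critical[0].tag!r}; MUST NOT issue"
    wildcard = name.startswith("*.")
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # issuewild takes precedence for wildcard names and is ignored for non-wildcard names
    use_wild = wildcard and bool(issuewild)
    governing = issuewild if use_wild else issue
    tag = "issuewild" if use_wild else "issue"
    if not governing:
        return True, f"CAA present but no {tag} property restricts this name"
    allowed = {issuer_of(r) for r in governing} - {""}
    if ca_domain.lower() in allowed:
        return True, f"{tag} permits {ca_domain}"
    return False, f"{tag} set {sorted(allowed) or ['<none>']} does not include {ca_domain}"


def check_san(zone, san_names, ca_domain):
    """Evaluate every SAN entry on its own; one refusal blocks the whole certificate."""
    return {n: caa_permits(zone, n, ca_domain) for n in san_names}


if __name__ == "__main__":
    san = ["*.trnava-vuc.sk", "trnava-vuc.sk"]
    for label, zone in (("reporter's DNS history", ZONE_2017_09_13), ("CA log (empty)", EMPTY_ZONE)):
        print(label)
        for n, (ok, why) in check_san(zone, san, "thawte.com").items():
            print(f"  {n:18} {'PERMIT' if ok else 'REFUSE'}  {why}")
```

Against the recorded zone the wildcard name is permitted for thawte.com and the bare name is refused for everyone, so a CA checking only the first SAN would mis-issue; against an empty zone both names pass, which is the case the CA's log excerpt describes.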

Updated: Whiteboard: [ca-compliance]

Comment 1 (Assignee: jeremy.rowley)

This was not mis-issued. The CAA record returned empty. Here are the CAA logs.

2017-09-13 05:25:09.117 [pool-3058695-thread-1] [] INFO  c.s.s.r.service.CAAV2CheckService - Lookup domain: trnava-vuc.sk type: 257 result: 4 lookupTimeout: 500
2017-09-13 05:25:09.117 [pool-3058693-thread-1] [] INFO  c.s.s.r.service.CAAV2CheckService - Looking for alias for: trnava-vuc.sk
2017-09-13 05:25:09.117 [pool-3058696-thread-1] [] INFO  c.s.s.r.service.CAAV2CheckService - Lookup domain: trnava-vuc.sk type: 5 result: 4 lookupTimeout: 750
2017-09-13 05:25:09.117 [pool-3058692-thread-1] [] INFO  c.s.s.r.service.CAAV2CheckService - CAAResponse: CAAMatchCode : [32] : CAAInput : [trnava-vuc.sk] : CAAMatchMessage : [CAA record not found] : CAADNSRecords : [ ]
2017-09-13 05:25:09.118 [pool-3058691-thread-1] [] INFO  c.s.s.r.service.CAAV2CheckService - Time taken in seconds for CAA check of trnava-vuc.sk is: 1
2017-09-13 05:25:09.118 [pool-3058693-thread-1] [] INFO  c.s.s.r.service.CAAV2CheckService - CAAResponse: CAAMatchCode : [32] : CAAInput : [*.trnava-vuc.sk] : CAAMatchMessage : [CAA record not found] : CAADNSRecords : [ ]
2017-09-13 05:25:09.118 [pool-3058691-thread-2] [] INFO  c.s.s.r.service.CAAV2CheckService - Time taken in seconds for CAA check of *.trnava-vuc.sk is: 2
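Added example (editor's code, not part of either comment): a small reconciler that parses `CAAResponse` lines in the layout quoted above and the dig-style DNS history from the description, and flags every check where the CA logged an empty record set on a date for which third-party observation shows CAA records. This is the mechanical version of the comparison the thread discusses; it cannot say who is right, only where the two records disagree. The regexes are inferred from the lines quoted on this page, and the format of a non-empty `CAADNSRecords` field is an assumption.

```python
"""Reconcile a CA's CAA-check log lines against third-party DNS observations."""
import re
from collections import defaultdict

# CAAResponse lines copied from the CA log excerpt in Comment 1.
CA_LOG = """\
2017-09-13 05:25:09.117 [pool-3058692-thread-1] [] INFO  c.s.s.r.service.CAAV2CheckService - CAAResponse: CAAMatchCode : [32] : CAAInput : [trnava-vuc.sk] : CAAMatchMessage : [CAA record not found] : CAADNSRecords : [ ]
2017-09-13 05:25:09.118 [pool-3058693-thread-1] [] INFO  c.s.s.r.service.CAAV2CheckService - CAAResponse: CAAMatchCode : [32] : CAAInput : [*.trnava-vuc.sk] : CAAMatchMessage : [CAA record not found] : CAADNSRecords : [ ]
"""

# DNS history lines copied from the bug description (observation date, then a dig-style record).
DNS_HISTORY = """\
2017-09-12:trnava-vuc.sk.      86400   IN      CAA     0 issuewild "thawte.com"
2017-09-12:trnava-vuc.sk.      86400   IN      CAA     0 issue ";"
2017-09-13:trnava-vuc.sk.      86400   IN      CAA     0 issuewild "thawte.com"
2017-09-13:trnava-vuc.sk.      86400   IN      CAA     0 issue ";"
2017-09-14:trnava-vuc.sk.      86360   IN      CAA     0 issuewild "thawte.com"
2017-09-14:trnava-vuc.sk.      86360   IN      CAA     0 issue ";"
"""

# Layout inferred from the two CAAResponse lines above (assumption for other variants).
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ .*CAAResponse: CAAMatchCode : \[(?P<code>\d+)\] : "
    r"CAAInput : \[(?P<name>[^\]]+)\] : CAAMatchMessage : \[(?P<msg>[^\]]*)\] : "
    r"CAADNSRecords : \[(?P<records>[^\]]*)\]"
)
HIST_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}):(?P<name>\S+?)\.?\s+\d+\s+IN\s+CAA\s+'
    r'(?P<flags>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"'
)


def parse_ca_log(text):
    """One dict per CAAResponse line; 'records' is '' when the CA saw an empty set."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["code"] = int(d["code"])
            d["records"] = d["records"].strip()
            out.append(d)
    return out


def parse_history(text):
    """(date, name) -> list of (flags, tag, value) observed by the third party."""
    hist = defaultdict(list)
    for line in text.splitlines():
        m = HIST_RE.match(line)
        if m:
            hist[(m["date"], m["name"].lower())].append((int(m["flags"]), m["tag"], m["value"]))
    return hist


def base_name(san):
    """Wildcard and bare name share the same CAA RRset owner."""
    return san[2:].lower() if san.startswith("*.") else san.lower()


def reconcile(ca_log_text, history_text):
    hist = parse_history(history_text)
    findings = []
    for entry in parse_ca_log(ca_log_text):
        observed = hist.get((entry["date"], base_name(entry["name"])), [])
        ca_saw_empty = entry["records"] == ""
        if ca_saw_empty and observed:
            verdict = "DISCREPANCY: CA logged no CAA records, third party observed some"
        elif ca_saw_empty:
            verdict = "CONSISTENT: both sides saw no CAA records"
        else:
            verdict = "CA saw records; compare contents manually"
        findings.append({"date": entry["date"], "name": entry["name"],
                         "ca_records": entry["records"], "observed": observed, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in reconcile(CA_LOG, DNS_HISTORY):
        print(f["date"], f["name"], "->", f["verdict"])
        for rec in f["observed"]:
            print("    observed:", rec)
```

Both checks on 2017-09-13 come back as discrepancies: the CA's resolver logged an empty set while the history for that date shows `issuewild "thawte.com"` and `issue ";"`. Whether the CA's resolver, the authoritative server, or the history source is at fault is exactly what neither party can establish from these artefacts alone.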

Comment 2

I am happy to take CA logs as /prima facie/ evidence of correct issuance in cases where the reporter of the bug does not own the domain in question and therefore cannot make normative statements about the state of its DNS at any particular time. I agree the CA's records seem not to fit well with those provided by Quirin, but this seems like a "he said, she said" situation.

Gerv
Status: UNCONFIRMED → RESOLVED
Resolution: --- → INVALID
Comment 3 (Assignee: jeremy.rowley)

Agreed that it is a "he said, she said" situation, but that has always been one of the main limitations of CAA record checking. There's no definitive way to know what the CA is seeing. Adding transparency to CAA would make a somewhat useless check far more valuable. Tim is working on a proposal that would have the log operators do the check rather than the CA. Shifting the CAA record check to the log operator would give third parties a chance to see if the CAA record permits issuance, removing trust from the CA itself. If the CAA record is present, the log operator would flag the cert as potential mis-issuance and alert the CA. (The flagging aspect is the part we are still working on.)
Comment 4 (Reporter: quirin)

Hi,

I fully agree on everything said. Given that there were issues for this specific wildcard/non-wildcard combination at other CAs, I considered this worth reporting. I thankfully accept Jeremy's reply and welcome the log excerpt. 

Jeremy, I would be happy to help with that proposal.

Kind regards
Quirin