Closed Bug 1420861 Opened 7 years ago Closed 7 years ago

DigiCert / Thawte: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: quirin, Assigned: jeremy.rowley)

Details

(Whiteboard: [ca-compliance])

As per Gerv's request, I am filing individual bugs for [1] -- please refer to [1] for a full background. In this case, Thawte likely mis-issued on a mixed wildcard/non-wildcard SAN, as discussed in [2] and listed in [3]. What likely happened is that Thawte validated CAA for the wildcard SAN *.trnava-vuc.sk and then added the base domain trnava-vuc.sk without a further CAA check. As Thawte is not listed in the issue set, it was not permitted to add the base domain SAN.

To proceed with this as a community, I guess answers to the following questions from the affected CAs [1] would be of interest:

a) Was CAA checking bypassed for this issuance? If so, why?
b) If CAA lookups were conducted, what response did you receive? Why did it permit issuance?

The certificate in question is this:

======== Certificate 2 - Group 1 =======
https://crt.sh/?id=211113116
X509v3 Subject Alternative Name:
    DNS:*.trnava-vuc.sk
    DNS:trnava-vuc.sk
Issuer: thawte, Inc.

DNS history (Certificate issued on Sep 13)
2017-09-11:trnava-vuc.sk. 86400 IN CAA 0 issuewild "symantec.com"
2017-09-11:trnava-vuc.sk. 86400 IN CAA 0 issue ";"
2017-09-12:trnava-vuc.sk. 86400 IN CAA 0 issuewild "thawte.com"
2017-09-12:trnava-vuc.sk. 86400 IN CAA 0 issue ";"
2017-09-13:trnava-vuc.sk. 86400 IN CAA 0 issuewild "thawte.com"
2017-09-13:trnava-vuc.sk. 86400 IN CAA 0 issue ";"
2017-09-14:trnava-vuc.sk. 86360 IN CAA 0 issuewild "thawte.com"
2017-09-14:trnava-vuc.sk. 86360 IN CAA 0 issue ";"
2017-09-15:trnava-vuc.sk. 86400 IN CAA 0 issuewild "thawte.com"
2017-09-15:trnava-vuc.sk. 86400 IN CAA 0 issue ";"
2017-09-16:trnava-vuc.sk. 86400 IN CAA 0 issuewild "thawte.com"
2017-09-16:trnava-vuc.sk. 86400 IN CAA 0 issue ";"
2017-09-17:trnava-vuc.sk. 86400 IN CAA 0 issuewild "thawte.com"
2017-09-17:trnava-vuc.sk. 86400 IN CAA 0 issue ";"

[1] https://groups.google.com/d/topic/mozilla.dev.security.policy/QpSVjzrj7T4/discussion
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/O9HZPMvHMY8/HtXR8S-1AAAJ
[3] https://misissued.com/batch/32/
Assignee: kwilson → jeremy.rowley
Summary: Thawte: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN → DigitCert/Thawte: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN
Whiteboard: [ca-compliance]
This was not mis-issued. The CAA record returned empty. Here are the CAA logs.

2017-09-13 05:25:09.117 [pool-3058695-thread-1] [] INFO c.s.s.r.service.CAAV2CheckService - Lookup domain: trnava-vuc.sk type: 257 result: 4 lookupTimeout: 500
2017-09-13 05:25:09.117 [pool-3058693-thread-1] [] INFO c.s.s.r.service.CAAV2CheckService - Looking for alias for: trnava-vuc.sk
2017-09-13 05:25:09.117 [pool-3058696-thread-1] [] INFO c.s.s.r.service.CAAV2CheckService - Lookup domain: trnava-vuc.sk type: 5 result: 4 lookupTimeout: 750
2017-09-13 05:25:09.117 [pool-3058692-thread-1] [] INFO c.s.s.r.service.CAAV2CheckService - CAAResponse: CAAMatchCode : [32] : CAAInput : [trnava-vuc.sk] : CAAMatchMessage : [CAA record not found] : CAADNSRecords : [ ]
2017-09-13 05:25:09.118 [pool-3058691-thread-1] [] INFO c.s.s.r.service.CAAV2CheckService - Time taken in seconds for CAA check of trnava-vuc.sk is: 1
2017-09-13 05:25:09.118 [pool-3058693-thread-1] [] INFO c.s.s.r.service.CAAV2CheckService - CAAResponse: CAAMatchCode : [32] : CAAInput : [*.trnava-vuc.sk] : CAAMatchMessage : [CAA record not found] : CAADNSRecords : [ ]
2017-09-13 05:25:09.118 [pool-3058691-thread-2] [] INFO c.s.s.r.service.CAAV2CheckService - Time taken in seconds for CAA check of *.trnava-vuc.sk is: 2
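Added example, not code from this bug or from DigiCert/Thawte: a minimal CAA decision function with RFC 6844/8659 issue-versus-issuewild semantics, evaluated separately for each SAN entry, first against a constructed copy of the records Quirin reported for 13 September and then against the empty result the CA's log excerpt shows. The function names and the `Zone` layout are assumptions made for illustration.

```python
from typing import Dict, List, Optional, Tuple

# A zone maps an owner name to its CAA records as (flags, tag, value) tuples.
Zone = Dict[str, List[Tuple[int, str, str]]]

# Constructed stand-in for the reporter's DNS history on 2017-09-13 (no real lookups are made).
REPORTED_RECORDS: Zone = {
    "trnava-vuc.sk": [(0, "issuewild", "thawte.com"), (0, "issue", ";")],
}
# Constructed stand-in for what the CA's log excerpt reports: no CAA records at all.
EMPTY_RECORDS: Zone = {}


def relevant_record_set(name: str, zone: Zone) -> Tuple[Optional[str], List[Tuple[int, str, str]]]:
    """Return the first non-empty CAA set found walking from the name up towards the root.
    A leading '*.' label is dropped first, so a wildcard is evaluated at its parent
    (RFC 8659 section 3). CNAME/DNAME chasing is deliberately omitted here."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        owner = ".".join(labels)
        if zone.get(owner):
            return owner, zone[owner]
        labels = labels[1:]
    return None, []


def caa_permits(name: str, ca_domain: str, zone: Zone) -> Tuple[bool, str]:
    """Decide whether ca_domain may issue for a single DNS name; returns (permitted, reason)."""
    owner, records = relevant_record_set(name, zone)
    if not records:
        return True, "no CAA records found; issuance is unrestricted"
    # A critical flag (bit 7) on a property the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef") for flags, tag, _ in records):
        return False, f"{owner} carries an unrecognised critical CAA property"
    # issuewild governs wildcard names only when present; otherwise issue applies to both.
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    # Strip parameters after ';'. The value ';' alone yields '' and so permits no CA at all.
    allowed = [v.split(";", 1)[0].strip().lower() for _, t, v in records if t == tag]
    if ca_domain.lower() in allowed:
        return True, f"{owner} {tag} permits {ca_domain}"
    return False, f"{owner} {tag} set {allowed!r} does not permit {ca_domain}"


def check_san(sans: List[str], ca_domain: str, zone: Zone) -> Dict[str, bool]:
    """Every SAN entry must pass on its own; a wildcard result never covers the base name."""
    return {san: caa_permits(san, ca_domain, zone)[0] for san in sans}
```

With the reported records the wildcard passes and the base name fails, which is the reporter's reading; with an empty lookup both pass, which is the CA's reading.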
I am happy to take CA logs as /prima facie/ evidence of correct issuance in cases where the reporter of the bug does not own the domain in question and therefore cannot make normative statements about the state of its DNS at any particular time. I agree the CA's records seem not to fit well with those provided by Quirin, but this seems like a "he said, she said" situation.

Gerv
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Agreed that it is a "he said/she said" situation, but that has always been one of the main limitations with CAA record checking. There's no definitive way to know what the CA is seeing. Adding transparency to CAA would transform a somewhat useless check into a far more valuable one. Tim is working on a proposal that would have the log operators do the check rather than the CA. Shifting the CAA record check to the log operator would give third parties a chance to see if the CAA record permits issuance, removing trust from the CA itself. If the CAA record is present, the log operator would flag the cert as potential mis-issuance and alert the CA. (The flagging aspect is the part we are still working on.)
Hi, I fully agree on everything said. Given that there were issues for this specific wildcard/non-wildcard combination at other CAs, I considered this worth reporting. I thankfully accept Jeremy's reply and welcome the log excerpt. Jeremy, I would be happy to help with that proposal.

Kind regards
Quirin
Product: NSS → CA Program
Summary: DigitCert/Thawte: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN → DigiCert / Thawte: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN