Closed Bug 1443857 Opened 2 years ago Closed 2 years ago

Camerfirma: Non-BR-Compliant Issuance - DNSName is empty

Categories

(NSS :: CA Certificate Compliance, task)

RESOLVED FIXED

People

(Reporter: martin_ja, Assigned: martin_ja)

Details

(Whiteboard: [ca-compliance])

Attachments

(1 file)

Steps to reproduce:

Four misissued certificates have been detected that were issued on 2017-08-23:

1.- https://crt.sh/?id=270067527
2.- https://crt.sh/?id=252200572
3.- https://crt.sh/?id=214332046
4.- https://crt.sh/?id=298751234

Through mozilla.dev.security.policy we've received information about these four non-revoked certificates and we've proceeded to revoke them on 2018-03-05 between 8:00 and 10:00 AM (UTC).

The manual procedure that we had until 2018-02-14 made queries to https://crt.sh/?caid=50473&opt=cablint,x509lint&minnotbefore=YYYY-MM-DD, changing the parameter minnotbefore each day, asking about the date three days before.

In another internal task we have an internal report made on 2017-08-25 in which they made a request to https://crt.sh/?caid=50473&opt=cablint,x509lint&minnotbefore=2017-07-01. These certificates should have appeared at that time, but they didn't.

On 2018-02-14 we deployed a cablint and x509lint technical control. Since then, we analyze the pre-certificates; we always issue pre-certificates for a website cert request. In case of a FATAL or ERROR message we don't issue the certificate.

Best Regards
Juan Angel
Assignee: nobody → martin_ja
Component: Untriaged → CA Certificate Mis-Issuance
Product: Firefox → NSS
QA Contact: kwilson
Whiteboard: [ca-compliance]
Version: unspecified → other
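The pre-issuance control described in the report above (lint the pre-certificate, refuse issuance on a FATAL or ERROR finding), sketched as an added example that is not Camerfirma's code. It assumes each linter reports one finding per line as `X: message` with a severity letter; the function names are hypothetical, the sample lines are constructed, and treating a failed linter run or unclassifiable output as blocking is a design assumption of this sketch.

```python
import re
from dataclasses import dataclass

# Assumed line format: "<severity letter>: <message>".
SEVERITIES = {"F": "FATAL", "E": "ERROR", "W": "WARNING", "N": "NOTICE", "I": "INFO"}
BLOCKING = {"FATAL", "ERROR"}
LINE_RE = re.compile(r"^([A-Z]): (.+)$")

@dataclass(frozen=True)
class Finding:
    linter: str
    severity: str
    message: str

def parse_findings(linter, output):
    """Turn one linter's text output into Finding records."""
    findings = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m and m.group(1) in SEVERITIES:
            findings.append(Finding(linter, SEVERITIES[m.group(1)], m.group(2)))
        else:
            # Fail closed: a line that cannot be classified blocks issuance.
            findings.append(Finding(linter, "FATAL", "unparsed output: " + line))
    return findings

def may_issue(results):
    """results maps linter name -> (ran_ok, output) for one pre-certificate.
    Returns (allowed, blocking_findings)."""
    blocking = []
    for linter, (ran_ok, output) in results.items():
        if not ran_ok:
            # A linter that did not run gives no assurance, so block.
            blocking.append(Finding(linter, "FATAL", "linter did not run"))
            continue
        blocking += [f for f in parse_findings(linter, output)
                     if f.severity in BLOCKING]
    return (not blocking, blocking)

# Constructed sample outputs, not real linter messages.
SAMPLE_BAD = {
    "cablint": (True, "E: constructed: dNSName in subjectAltName is empty\n"
                      "W: constructed warning\n"),
    "x509lint": (True, "I: constructed informational line\n"),
}
SAMPLE_GOOD = {"cablint": (True, "W: constructed warning\n"), "x509lint": (True, "")}
```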
Juan Angel: have you rescanned your entire database of certificates for this error? What was found?
AC Camerfirma misissued certificates automated analysis tab separated results
Hello,

link to the results analysis: 
https://groups.google.com/d/msg/mozilla.dev.security.policy/Bdphix4tNrA/wxDBDRryBgAJ

Best Regards
Juan Angel
Juan Angel: Please update this bug when all the identified certificates have been revoked.
Hello,

I've just been informed that all certificates identified as erroneous in this analysis have been revoked.

Best Regards
Juan Angel
Remediation complete, resolving this bug.
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED