Closed Bug 1446121 Opened 2 years ago Closed Last year

IdenTrust: Improper encoding of wildcard certificate

Categories

(NSS :: CA Certificate Compliance, task)

RESOLVED FIXED

People

(Reporter: wayne, Assigned: roots)

Details

(Whiteboard: [ca-compliance])

Attachments

(1 file)

The following certificate was disclosed on the mozilla.dev.security.policy forum:

https://crt.sh/?id=8373036&opt=cablint,x509lint

Please provide an incident report in this bug, as described here:
https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Assignee: wthayer → roots
Whiteboard: [ca-compliance]
We acknowledge receipt of this bug and will supply a formal incident report within the next 24 hours.
Another certificate with this problem has been reported: https://crt.sh/?id=181538497&opt=cablint,x509lint
IdenTrust formal Report:
1. How your CA first became aware of the problems listed below (e.g. via a Problem Report, via the discussion in mozilla.dev.security.policy, or via this Bugzilla Bug), and the date.
IdenTrust: This configuration problem was identified on 08/14/2017 when we ran an audit of all active IdenTrust SSL certificates using the Cablint utility.

2. Prompt confirmation that your CA has stopped issuing TLS/SSL certificates with the problems listed below.
IdenTrust: The configuration problem was corrected on 08/14/2017

3. Complete list of certificates that your CA finds with each of the listed issues during the remediation process. The recommended way to handle this is to ensure each certificate is logged to CT and then attach a CSV file/spreadsheet of the fingerprints or crt.sh IDs, with one list per distinct problem.
IdenTrust: On 8/14/2017 there were 12 certificates and as of 3/13/2018 there were a total of 6 non-expired and non-revoked certificates impacted by this issue.  Based on our analysis at the time we determined that active certificates with this issue did not present an immediate interoperability risk nor immediate security risk.

Attached is the list of 6 remaining active certificates with this issue.

4. Summary of the problematic certificates. For each problem listed below:
number of certs, date first and last certs with that problem were issued.
IdenTrust: The last time certificates were issued with this non-UTF encoding was prior to 8/14/2017.

5. Explanation about how and why the mistakes were made, and not caught and fixed earlier. 
IdenTrust: The IdenTrust CA platform supports a variety of PKIs. Some of these hosted PKIs are not covered by CAB requirements and can only support DN encodings containing the printable string ASN.1 type, even when characters outside of the character set are present in the represented value. Prior to 2017-08-14, there was a misconfiguration where wildcard CAB-compliant SSL certs were configured to be encoded with this legacy functionality.

The encoding issue was not caught and fixed prior to 8/14/2017 because due to low volumes of the affected certificate types our quarterly SSL audit random sample did not include the SSL certificates with this issue.

6. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
IdenTrust: The CA configuration was corrected and implemented as of 8/14/2017; as such, no new certificates have been issued with this issue.
- Our quarterly SSL audit utilizes automated industry tools such as Cablint and checks all certificates issued since the last SSL audit.
- Based on our analysis we determined that active certificates with this issue do not present an immediate interoperability risk nor immediate security risk.
- However, we have notified customers and advised that active certificates with this issue will be revoked no later than March 26, 2018.
List of certificates with encoding issue
We confirm that all 6 certificates have been revoked effective 03-23-2018
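The defect behind this bug is a DN value (a wildcard name containing `*`) encoded as ASN.1 PrintableString, whose character set does not include `*`. The following is an added illustration, not IdenTrust's or any linter's code: a minimal stand-alone check of one DER-encoded directory string that flags exactly this class of error, with constructed sample values rather than the certificates from this bug.

```python
# Added example (not IdenTrust's code): a minimal lint for a DER directory string,
# written against the ASN.1 rules rather than any specific CA software.
import string
from typing import List

# Character set permitted by the ASN.1 PrintableString type (ITU-T X.680).
# '*' is not in it, so a wildcard name such as "*.example.com" cannot be a
# valid PrintableString; UTF8String (tag 0x0C) carries it correctly.
PRINTABLE_CHARS = frozenset(string.ascii_letters + string.digits + " '()+,-./:=?")

TAG_PRINTABLE_STRING = 0x13
TAG_UTF8_STRING = 0x0C


def der_string(tag: int, text: str) -> bytes:
    """Encode text as a DER string with the given universal tag (short-form length only)."""
    body = text.encode("utf-8")
    if len(body) > 127:
        raise ValueError("this example only handles short-form DER lengths")
    return bytes([tag, len(body)]) + body


def lint_der_string(der: bytes) -> List[str]:
    """Return lint findings for one DER-encoded directory string value (empty = clean)."""
    if len(der) < 2 or der[1] != len(der) - 2:
        return ["malformed DER length"]
    tag, value = der[0], der[2:]
    findings = []
    if tag == TAG_PRINTABLE_STRING:
        # Decode byte-for-byte so any non-ASCII byte also shows up as a violation.
        bad = sorted({c for c in value.decode("latin-1") if c not in PRINTABLE_CHARS})
        if bad:
            findings.append("PrintableString contains characters outside its character set: "
                            + ", ".join(repr(c) for c in bad))
    elif tag != TAG_UTF8_STRING:
        findings.append(f"unexpected string tag 0x{tag:02x}")
    return findings


def is_well_encoded(der: bytes) -> bool:
    return not lint_der_string(der)


if __name__ == "__main__":
    # Constructed sample values, not taken from the certificates in this bug.
    for sample in (der_string(TAG_PRINTABLE_STRING, "*.example.com"),
                   der_string(TAG_UTF8_STRING, "*.example.com"),
                   der_string(TAG_PRINTABLE_STRING, "www.example.com")):
        print(sample.hex(), lint_der_string(sample) or "ok")
```

Run before signing a TBSCertificate, such a check is the pre-issuance linting the thread later asks for; run over already issued certificates, it is the post-issuance audit described in the report.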
(In reply to roots from comment #3)

> The encoding issue was not caught and fixed prior to 8/14/2017 because due
> to low volumes of the affected certificate types our quarterly SSL audit
> random sample did not include the SSL certificates with this issue.
> 
> 6.List of steps your CA is taking to resolve the situation and ensure such
> issuance will not be repeated in the future, accompanied with a timeline of
> when your CA expects to accomplish these things.
> IdenTrust: The CA configuration was corrected and implemented as of
> 8/14/2017; as such, no new certificates have been issued with this issue.
> - Our quarterly SSL audit utilizes automated industry tools such Cablint and
> check all certificates issued since the last SSL audit. 

Does this mean that you have no plans to implement pre-issuance linting so that future issues like this will be detected prior to issuance?

> - However, we have notified customers and advised that active certificates
> with this issue will be revoked no later than March 26, 2018.

Given the delayed revocation, I will expect your next BR audit to include a qualification on BR section 4.9.1.1.
Flags: needinfo?(roots)
(In reply to Wayne Thayer [:wayne] from comment #6)
> (In reply to roots from comment #3)
> 
> > The encoding issue was not caught and fixed prior to 8/14/2017 because due
> > to low volumes of the affected certificate types our quarterly SSL audit
> > random sample did not include the SSL certificates with this issue.
> > 
> > 6.List of steps your CA is taking to resolve the situation and ensure such
> > issuance will not be repeated in the future, accompanied with a timeline of
> > when your CA expects to accomplish these things.
> > IdenTrust: The CA configuration was corrected and implemented as of
> > 8/14/2017; as such, no new certificates have been issued with this issue.
> > - Our quarterly SSL audit utilizes automated industry tools such Cablint and
> > check all certificates issued since the last SSL audit. 
> 
> Does this mean that you have no plans to implement pre-issuance linting so
> that future issues like this will be detected prior to issuance?

IdenTrust:
Inclusion of certificate linting as part of the quarterly SSL audit is just the first step.  IdenTrust is evaluating implementation of pre-issuance linting.  We will provide an update of our evaluation no later than April 10, 2018

> > - However, we have notified customers and advised that active certificates
> > with this issue will be revoked no later than March 26, 2018.
> 
> Given the delayed revocation, I will expect your next BR audit to include a
> qualification on BR section 4.9.1.1.

IdenTrust:
We will discuss with our auditors during the scope of this year’s audit cycle
Flags: needinfo?(roots) → needinfo?(wthayer)
Flags: needinfo?(wthayer)
(In reply to roots from comment #7)
> (In reply to Wayne Thayer [:wayne] from comment #6)
> > (In reply to roots from comment #3)
> > 
> > > The encoding issue was not caught and fixed prior to 8/14/2017 because due
> > > to low volumes of the affected certificate types our quarterly SSL audit
> > > random sample did not include the SSL certificates with this issue.
> > > 
> > > 6.List of steps your CA is taking to resolve the situation and ensure such
> > > issuance will not be repeated in the future, accompanied with a timeline of
> > > when your CA expects to accomplish these things.
> > > IdenTrust: The CA configuration was corrected and implemented as of
> > > 8/14/2017; as such, no new certificates have been issued with this issue.
> > > - Our quarterly SSL audit utilizes automated industry tools such Cablint and
> > > check all certificates issued since the last SSL audit. 
> > 
> > Does this mean that you have no plans to implement pre-issuance linting so
> > that future issues like this will be detected prior to issuance?
> 
> IdenTrust:
> Inclusion of certificate linting as part of the quarterly SSL audit is just
> the first step.  IdenTrust is evaluating implementation of pre-issuance
> linting.  We will provide an update of our evaluation no later than April
> 10, 2018
IdenTrust's promised update to the above comment:
IdenTrust will incorporate certificate linting into our issuance process before end of Q3 2018. We intend to perform the linting check on the TBSCertificate of the pre-certificate and may also run a check on the TBSCertificate of the final certificate. Our current thought is that an extra check for the final certificate issuance won't cause any performance issues, and just might prevent an issue some day.

> > > - However, we have notified customers and advised that active certificates
> > > with this issue will be revoked no later than March 26, 2018.
> > 
> > Given the delayed revocation, I will expect your next BR audit to include a
> > qualification on BR section 4.9.1.1.
> 
> IdenTrust:
> We will discuss with our auditors during the scope of this year’s audit cycle
(In reply to roots from comment #8)
> IdenTrust will incorporate certificate linting into our issuance process
> before end of Q3 2018.  We intend to perform the linting check on the
> TBSCertificate of the pre-certificate and may also run check on the
> TBSCertificate of the final certificate.  Our current thought is that an
> extra check for the final certificate issuance won't cause any performance
> issues, and just might prevent an issue some day.

Please update this bug once all certificates are being linted prior to issuance.
Whiteboard: [ca-compliance] → [ca-compliance] - Next Update - 01-October 2018
(In reply to Wayne Thayer [:wayne] from comment #9)
> (In reply to roots from comment #8)
> > IdenTrust will incorporate certificate linting into our issuance process
> > before end of Q3 2018.  We intend to perform the linting check on the
> > TBSCertificate of the pre-certificate and may also run check on the
> > TBSCertificate of the final certificate.  Our current thought is that an
> > extra check for the final certificate issuance won't cause any performance
> > issues, and just might prevent an issue some day.
> 
> Please update this bug once all certificates are being linted prior to
> issuance.

Effective August 11, 2018, IdenTrust has successfully implemented pre-issuance certificate linting for all SSL/TLS certificates issued from the IdenTrust Commercial Root CA 1.
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Whiteboard: [ca-compliance] - Next Update - 01-October 2018 → [ca-compliance]