Closed Bug 1455119 Opened 7 years ago Closed 6 years ago

Firmaprofesional: Undisclosed Intermediate certificate

Categories: CA Program :: CA Certificate Compliance
Type: task; Priority: Not set; Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: wthayer; Assigned: chemalogo
Whiteboard: [ca-compliance] [disclosure-failure]
Attachments: 1 file

Firmaprofesional has failed to disclose the following intermediate CA certificate as required by section 5.3 of the Mozilla root store policy:

https://crt.sh/?sha256=1cb470728cf56f302003bb0e4eb062414fa11d4f97e3f061170c96c88071d711&opt=mozilladisclosure

Please disclose the certificate, and provide an incident report, as described here: https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
The incident report should be posted to the mozilla.dev.security forum and added to this bug.

(In reply to Wayne Thayer [:wayne] from comment #0)
> Firmaprofesional has failed to disclose the following intermediate CA
> certificate as required by section 5.3 of the Mozilla root store policy:
> 
> https://crt.sh/
> ?sha256=1cb470728cf56f302003bb0e4eb062414fa11d4f97e3f061170c96c88071d711&opt=
> mozilladisclosure
> 
> Please disclose the certificate, and provide an incident report, as
> described here:
> https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
> The incident report should be posted to the mozilla.dev.security forum and
> added to this bug.

If I'm not wrong, Firmaprofesional has not failed. We asked and we've been told that if the CA is technically constrained it is not necessary to disclose them. In fact, I tried minutes ago to add it to the CCADB and this is the message that I got:

"This certificate is considered to be technically-constrained as per Mozilla policy, so it does not need to be added to the CA Community in Salesforce. All data that you enter into Salesforce will be publicly available, so please make sure you do not enter sensitive information that should not be published."

I'm also attaching a screenshot: https://bugzilla.mozilla.org/attachment.cgi?id=8969283

Anyway, if we are wrong, let us know please.

Thanks,

(In reply to chemalogo from comment #1)
> Created attachment 8969283 [details]
> CCADB warning for technically constrained CAs

Thank you for your response. Can you confirm that the certificate you attempted to add to CCADB has the serial number 2445720188065766261 (0x21f0f18d95a95b75)? If so, this certificate does not meet the definition of 'technically constrained' from section 5.3.1 of the Mozilla root store policy:

If the certificate includes the id-kp-emailProtection extended key usage, it MUST include the Name Constraints X.509v3 extension with constraints on rfc822Name, with at least one name in permittedSubtrees, each such name having its ownership validated according to section 3.2.2.4 of the Baseline Requirements.

I will research the error that you received from CCADB and get that fixed. Meanwhile, it appears that you can bypass the warning and add the certificate.
Flags: needinfo?(chemalogo)
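The section 5.3.1 rule quoted above, applied to a parsed certificate with Go's standard crypto/x509 package. This is an added example, not code from the bug or from Firmaprofesional; it constructs its own self-signed test sub-CA (sample serial and subject) instead of using the certificate discussed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckEmailNameConstraint applies the section 5.3.1 rule quoted in the thread: a CA
// certificate asserting id-kp-emailProtection must carry Name Constraints with at least
// one rfc822Name in permittedSubtrees (Go surfaces those as PermittedEmailAddresses).
// nil means the rule is met or does not apply; other 5.3.1 rules are not checked here.
func CheckEmailNameConstraint(c *x509.Certificate) error {
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageEmailProtection && len(c.PermittedEmailAddresses) == 0 {
			return fmt.Errorf("id-kp-emailProtection without rfc822Name permittedSubtrees: not technically constrained")
		}
	}
	return nil
}

// BuildTestCA issues a constructed, self-signed sub-CA (not the bug's certificate)
// with the given rfc822Name subtrees; nil/empty yields no Name Constraints extension.
func BuildTestCA(permittedEmails []string) (*x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen from crypto/rand does not fail
	tmpl := &x509.Certificate{
		SerialNumber:            big.NewInt(1), // sample serial, not the real one
		Subject:                 pkix.Name{CommonName: "Constructed Test Sub CA"},
		NotBefore:               time.Now(),
		NotAfter:                time.Now().Add(24 * time.Hour),
		IsCA:                    true,
		BasicConstraintsValid:   true,
		ExtKeyUsage:             []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		PermittedEmailAddresses: permittedEmails,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // round-trip through DER so the check sees parsed extensions
}

func main() {
	c, _ := BuildTestCA(nil) // unconstrained email CA, the shape disputed in the thread
	fmt.Println(CheckEmailNameConstraint(c))
}
```

For a certificate fetched from crt.sh, decode the PEM and pass the result of x509.ParseCertificate to CheckEmailNameConstraint in place of the constructed one.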

(In reply to Wayne Thayer [:wayne] from comment #3)
> Thank you for your response. Can you confirm that the certificate you
> attempted to add to CCADB has the serial number 2445720188065766261
> (0x21f0f18d95a95b75) ? If so, this certificate does not meet the definition
> of 'technically constrained' from section 5.3.1 of the Mozilla root store
> policy:
> 
> If the certificate includes the id-kp-emailProtection extended key usage, it
> MUST include the Name Constraints X.509v3 extension with constraints on
> rfc822Name, with at least one name in permittedSubtrees, each such name
> having its ownership validated according to section 3.2.2.4 of the Baseline
> Requirements.
> 
> I will research the error that you received from CCADB and get that fixed.
> Meanwhile, it appears that you can bypass the warning and add the
> certificate.

Already done.
Flags: needinfo?(chemalogo)

This certificate is also in violation of Mozilla policy because no audit information has been provided in the CCADB record: https://crt.sh/?sha256=d039eeff71088cc0f16a05a8ff3c61610e141d1e850ac7e11f7713eee88cb951&opt=mozilladisclosure

Please respond to both of these issues with an incident report as described here: https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Flags: needinfo?(chemalogo)

Incident report created for:
https://crt.sh/?sha256=1cb470728cf56f302003bb0e4eb062414fa11d4f97e3f061170c96c88071d711&opt=mozilladisclosure

See: https://bugzilla.mozilla.org/show_bug.cgi?id=1464335
Flags: needinfo?(chemalogo)
Depends on: 1464359

Incident reports were filed and resolved in separate bugs for both of the CA certificates identified here.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [disclosure-failure]