Closed Bug 1464286 Opened 6 years ago Closed 6 years ago

Swisscom: Missing Audits for Unconstrained Intermediate Certificates

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wthayer, Assigned: hans-peter.waldegger)

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

Status: NEW → ASSIGNED
(In reply to H-P Waldegger from comment #1)
> Acknowledged. We are awaiting the audit report (delivery scheduled for mid
> June 2018) and Swisscom will then upload the report(s) as requested. The
> audit covers the following issuing CAs:
> 
Thank you, we will look forward to the audit report. Please ensure that it includes all of the information required by section 3.1.4 of the Mozilla root store policy.

> Swisscom Diamant CA 2:
> https://crt.sh/?sha256=3b84290532c84b7026e06a427b689c69fe24154bdecb43fedbe29bf955ca6513&opt=mozilladisclosure
> Swisscom Diamant CA 2:
> https://crt.sh/?sha256=cc27f00e1882609be6f57170c112db2a652c0bff30715c69d39b371232986093&opt=mozilladisclosure
> Swisscom Rubin CA 3:
> https://crt.sh/?sha256=8f06f4afedd35e23f6665cf4ccf49e3705e0d8214812997a65c7195b234b4450&opt=mozilladisclosure
> Swisscom Saphir CA 2:
> https://crt.sh/?sha256=85579df8fea9ba81871cd76833fb90ad82d2b8368f744c6775fa1ce53cc46eeb&opt=mozilladisclosure
> Swisscom Smaragd CA 2:
> https://crt.sh/?sha256=996b92c0b76fb8b99f3b6ad19b84c7cc3461c20dd9e65dcd4ac769aa33d55e3b&opt=mozilladisclosure
> 
> The following CAs are not active any more. The last certificate was
> issued on 2018, January 11th at 10:56:13am.
> 
> Swisscom Rubin CA 2:
> https://crt.sh/?sha256=0210f1ca3fd987719d9e915face3154a0e43002b7090303f4194d557af300371&opt=mozilladisclosure
> Swisscom Rubin CA 2:
> https://crt.sh/?sha256=1a6a9361601abbdd146ce347b3ae07a2aea4812cc008aa485be100406e07b2f0&opt=mozilladisclosure

When does the last valid certificate issued by these intermediate CA certificates expire? When will they be revoked? Just because they are no longer issuing certificates, they are not exempted from Mozilla's audit requirements.

Please provide the full incident report as described here: https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Flags: needinfo?(hans-peter.waldegger)
I uploaded the statement https://bugzilla.mozilla.org/attachment.cgi?id=8985611. Please make sure it will be added to our root CA (I cannot modify this record).
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(hans-peter.waldegger)
Resolution: --- → WORKSFORME
The audit report is deficient because:
1. there are 3 versions of the Diamant CA but the audit report only lists one.
2. there are 2 versions of the Rubin CA 2 and it only lists one.

Please ensure that future audit statements include all certificates, listing those with duplicate SPKIs separately.
Resolution: WORKSFORME → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]