Closed
Bug 1464286
Opened 7 years ago
Closed 6 years ago
Swisscom: Missing Audits for Unconstrained Intermediate Certificates
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: wthayer, Assigned: hans-peter.waldegger)
Details
(Whiteboard: [ca-compliance] [ov-misissuance])
Swisscom has failed to supply audit information for the following intermediate CA certificates in CCADB as required by section 5.3 of the current version of the Mozilla root store policy:
https://crt.sh/?sha256=3b84290532c84b7026e06a427b689c69fe24154bdecb43fedbe29bf955ca6513&opt=mozilladisclosure
https://crt.sh/?sha256=cc27f00e1882609be6f57170c112db2a652c0bff30715c69d39b371232986093&opt=mozilladisclosure
https://crt.sh/?sha256=0210f1ca3fd987719d9e915face3154a0e43002b7090303f4194d557af300371&opt=mozilladisclosure
https://crt.sh/?sha256=1a6a9361601abbdd146ce347b3ae07a2aea4812cc008aa485be100406e07b2f0&opt=mozilladisclosure
https://crt.sh/?sha256=8f06f4afedd35e23f6665cf4ccf49e3705e0d8214812997a65c7195b234b4450&opt=mozilladisclosure
https://crt.sh/?sha256=85579df8fea9ba81871cd76833fb90ad82d2b8368f744c6775fa1ce53cc46eeb&opt=mozilladisclosure
https://crt.sh/?sha256=996b92c0b76fb8b99f3b6ad19b84c7cc3461c20dd9e65dcd4ac769aa33d55e3b&opt=mozilladisclosure
Please add the audit information to CCADB, and provide an incident report, as described here:
https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
The incident report should be posted to the mozilla.dev.security.policy forum and added to this bug.
Comment 1 • 7 years ago (Assignee)
Acknowledged. We are awaiting the audit report (delivery scheduled for mid June 2018) and Swisscom will then upload the report(s) as requested. The audit covers the following issuing CAs:
Swisscom Diamant CA 2: https://crt.sh/?sha256=3b84290532c84b7026e06a427b689c69fe24154bdecb43fedbe29bf955ca6513&opt=mozilladisclosure
Swisscom Diamant CA 2: https://crt.sh/?sha256=cc27f00e1882609be6f57170c112db2a652c0bff30715c69d39b371232986093&opt=mozilladisclosure
Swisscom Rubin CA 3: https://crt.sh/?sha256=8f06f4afedd35e23f6665cf4ccf49e3705e0d8214812997a65c7195b234b4450&opt=mozilladisclosure
Swisscom Saphir CA 2: https://crt.sh/?sha256=85579df8fea9ba81871cd76833fb90ad82d2b8368f744c6775fa1ce53cc46eeb&opt=mozilladisclosure
Swisscom Smaragd CA 2: https://crt.sh/?sha256=996b92c0b76fb8b99f3b6ad19b84c7cc3461c20dd9e65dcd4ac769aa33d55e3b&opt=mozilladisclosure
The following CAs are not active any more. The last certificate has been issued 2018, January 11th at 10:56:13am.
Swisscom Rubin CA 2: https://crt.sh/?sha256=0210f1ca3fd987719d9e915face3154a0e43002b7090303f4194d557af300371&opt=mozilladisclosure
Swisscom Rubin CA 2: https://crt.sh/?sha256=1a6a9361601abbdd146ce347b3ae07a2aea4812cc008aa485be100406e07b2f0&opt=mozilladisclosure
Updated • 7 years ago (Assignee)
Status: NEW → ASSIGNED
Comment 2 • 7 years ago (Reporter)
(In reply to H-P Waldegger from comment #1)
> Acknowledged. We are awaiting the audit report (delivery scheduled for mid
> June 2018) and Swisscom will then upload the report(s) as requested. The
> audit covers the following issuing CAs:
>
Thank you, we will look forward to the audit report. Please ensure that it includes all of the information required by section 3.1.4 of the Mozilla root store policy.
> Swisscom Diamant CA 2: https://crt.sh/?sha256=3b84290532c84b7026e06a427b689c69fe24154bdecb43fedbe29bf955ca6513&opt=mozilladisclosure
> Swisscom Diamant CA 2: https://crt.sh/?sha256=cc27f00e1882609be6f57170c112db2a652c0bff30715c69d39b371232986093&opt=mozilladisclosure
> Swisscom Rubin CA 3: https://crt.sh/?sha256=8f06f4afedd35e23f6665cf4ccf49e3705e0d8214812997a65c7195b234b4450&opt=mozilladisclosure
> Swisscom Saphir CA 2: https://crt.sh/?sha256=85579df8fea9ba81871cd76833fb90ad82d2b8368f744c6775fa1ce53cc46eeb&opt=mozilladisclosure
> Swisscom Smaragd CA 2: https://crt.sh/?sha256=996b92c0b76fb8b99f3b6ad19b84c7cc3461c20dd9e65dcd4ac769aa33d55e3b&opt=mozilladisclosure
>
> The following CAs are not active any more. The last certificate has been
> issued 2018, January 11th at 10:56:13am.
>
> Swisscom Rubin CA 2: https://crt.sh/?sha256=0210f1ca3fd987719d9e915face3154a0e43002b7090303f4194d557af300371&opt=mozilladisclosure
> Swisscom Rubin CA 2: https://crt.sh/?sha256=1a6a9361601abbdd146ce347b3ae07a2aea4812cc008aa485be100406e07b2f0&opt=mozilladisclosure
When does the last valid certificate issued by these intermediate CA certificates expire? When will they be revoked? Just because they are no longer issuing certificates, they are not exempted from Mozilla's audit requirements.
Please provide the full incident report as described here: https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Flags: needinfo?(hans-peter.waldegger)
Comment 3 • 6 years ago (Assignee)
I uploaded the statement https://bugzilla.mozilla.org/attachment.cgi?id=8985611. Please make sure it will be added to our root CA (I cannot modify this record).
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(hans-peter.waldegger)
Resolution: --- → WORKSFORME
Comment 4 • 6 years ago (Reporter)
The audit report is deficient because:
1. there are 3 versions of the Diamant CA but the audit report only lists one.
2. there are 2 versions of the Rubin CA 2 and it only lists one.
Please ensure that future audit statements include all certificates, listing those with duplicate SPKIs separately.
Resolution: WORKSFORME → FIXED
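A coverage check for the deficiency raised in comment 4, as an added example (not part of the bug, and not Mozilla or CCADB tooling): it pulls SHA-256 fingerprints out of audit-statement text in whatever layout they were printed and reports every disclosed certificate the statement does not list. The function names are hypothetical, `AUDIT_TEXT` is constructed (the page does not say which certificate the statement listed), and certificates are grouped by the CA names from comment 1 because their SPKI hashes are not on the page.

```python
import re
from collections import defaultdict

# CA names and SHA-256 certificate fingerprints as listed in comment 1.
DISCLOSED = [
    ("Swisscom Diamant CA 2", "3b84290532c84b7026e06a427b689c69fe24154bdecb43fedbe29bf955ca6513"),
    ("Swisscom Diamant CA 2", "cc27f00e1882609be6f57170c112db2a652c0bff30715c69d39b371232986093"),
    ("Swisscom Rubin CA 3", "8f06f4afedd35e23f6665cf4ccf49e3705e0d8214812997a65c7195b234b4450"),
    ("Swisscom Saphir CA 2", "85579df8fea9ba81871cd76833fb90ad82d2b8368f744c6775fa1ce53cc46eeb"),
    ("Swisscom Smaragd CA 2", "996b92c0b76fb8b99f3b6ad19b84c7cc3461c20dd9e65dcd4ac769aa33d55e3b"),
    ("Swisscom Rubin CA 2", "0210f1ca3fd987719d9e915face3154a0e43002b7090303f4194d557af300371"),
    ("Swisscom Rubin CA 2", "1a6a9361601abbdd146ce347b3ae07a2aea4812cc008aa485be100406e07b2f0"),
]

# 32 hex byte pairs, optionally separated by ':' or a single space.
FP_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[: ]?){31}[0-9A-Fa-f]{2}")

def as_printed(fp):
    """Upper-case, colon-separated layout (assumed audit-statement style)."""
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()

# Constructed audit-statement text that lists one certificate per CA name.
# Which certificate the real statement listed is not stated on the page.
AUDIT_TEXT = "\n".join(
    f"{DISCLOSED[i][0]} - SHA-256: {as_printed(DISCLOSED[i][1])}" for i in (0, 2, 3, 4, 5)
)

def listed_fingerprints(text):
    """Extract every SHA-256 fingerprint from free text as lower-case hex."""
    return {re.sub(r"[^0-9a-f]", "", m.group(0).lower()) for m in FP_RE.finditer(text)}

def uncovered(disclosed, audit_text):
    """Map CA name -> disclosed fingerprints the audit text does not list."""
    listed = listed_fingerprints(audit_text)
    missing = defaultdict(list)
    for name, fp in disclosed:
        if fp.lower() not in listed:
            missing[name].append(fp)
    return dict(missing)

if __name__ == "__main__":
    for name, fps in uncovered(DISCLOSED, AUDIT_TEXT).items():
        print(f"{name}: {len(fps)} certificate(s) missing from the audit statement")
        for fp in fps:
            print("  ", fp)
```

Matching on the certificate fingerprint rather than the CA name is what catches a second certificate issued under the same name and key.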
Updated • 2 years ago
Product: NSS → CA Program
Updated • 2 years ago
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]