Closed Bug 1473971 Opened 2 years ago Closed Last year
SwissSign: Domain validated certificate but with stateOrProvinceName
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180516032328

Steps to reproduce:

We regularly check crt.sh to see whether any issues have occurred. Today we found out that we have issued domain validated certificates but with stateOrProvinceName, e.g. see https://crt.sh/?id=558662469&opt=x509lint

Actually we found this issue through the following certificates:

7D1AFD41E18C2862853DD3F8DA5AC0BA0FA7E438 /CN=ctx.hospicegeneral.ch/OU=SSI/O=Hospice général, institution genevoise d'action sociale/L=Geneva/ST=Geneva/C=CH
79D20E25C9D33DD11AA4E342A8DA2E86FEA73AF5 /CN=tobin.hospicegeneral.ch/O=Hospice général, institution genevoise d'action sociale/L=Geneva/ST=Geneva/C=CH
131E9E7C02EB34C972C1336E6564745872CB1F94 /CN=ssmnet052.hospicegeneral.ch/O=Hospice général, institution genevoise d'action sociale/L=Geneva/ST=Geneva/C=CH
17B346F968ACF6DE165233B818264923A63C6CC9 /CN=ssmnet051.hospicegeneral.ch/O=Hospice général, institution genevoise d'action sociale/L=Geneva/ST=Geneva/C=CH
3833D0480C1C401367EFDC2FE35833203B0BD446 /CN=asacare.mobisana.ch/OU=IT/O=Schweizerische Mobiliar Holding AG/L=Bern/ST=Bern/C=CH
10678D55DD5A7947EFA790472E9DAB472052CB68 /CN=syncronisation.mobi.ch/OU=IT/O=Schweizerische Mobiliar Holding AG/L=Bern/ST=BE/C=CH
2F4457FC7B2D996610450C9D152FF462EE50E0C7 /CN=asacaredemo.mobisana.ch/OU=IT/O=Schweizerische Mobiliar Holding AG/L=Bern/ST=BE/C=CH

As soon as we have done the analysis we will provide the incident report in this bug, as described here: https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Assignee: wthayer → reinhard.dietrich
Summary: Domain validated certificate but with stateOrProvinceName → SwissSign: Domain validated certificate but with stateOrProvinceName
Topic 1
=======
How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

Answer to 1:
------------
As a quality measure, we regularly check crt.sh to see whether any issues have occurred. On Friday 6th July crt.sh showed that we had issued domain validated certificates with stateOrProvinceName, e.g. see https://crt.sh/?id=558662469&opt=x509lint

Topic 2
=======
A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

Answer to 2:
------------
2018-07-06 07:00 UTC: As described above, our regular check with crt.sh showed us this issue
2018-07-06 08:00 UTC: we stopped issuing this type of certificate
2018-07-06 10:00 UTC: we started informing the customers about the issue and asked for revocation of the affected certificates
2018-07-31: all affected certificates are revoked

Topic 3
=======
Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

Answer to 3:
------------
We stopped issuing this type of certificate immediately after we became aware of this problem.

Topic 4
=======
A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

Answer to 4:
------------
Number of certificates: 10
First issue date: 2018-05-28
Last issue date: 2018-07-03

Topic 5
=======
The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

Answer to 5:
------------
https://crt.sh/?id=491148012
https://crt.sh/?id=492641752
https://crt.sh/?id=505031773
https://crt.sh/?id=542378559
https://crt.sh/?id=555473832
https://crt.sh/?id=559716028
https://crt.sh/?id=558662469
https://crt.sh/?id=567986236
https://crt.sh/?id=569001134
https://crt.sh/?id=572877184

Topic 6
=======
Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

Answer to 6:
------------
In the process of including the DV OID, it was not checked whether there were any customer-specific configurations that were not in line with the requirements defined by the DV OID.

Topic 7
=======
List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

Answer to 7:
------------
For future configuration changes that affect all newly issued certificates, we will do a dedicated check for whether there are historically explained exceptions configured that are not in line with the requirements.
As documented in bug 1443731, SwissSign is implementing pre-issuance linting, and I would expect that to catch this problem (ZLint does).
Status: UNCONFIRMED → RESOLVED
Closed: Last year
Resolution: --- → FIXED