Closed
Bug 1497703
Opened 6 years ago
Closed 6 years ago
SECOM: Undisclosed intermediate certificates
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: wthayer, Assigned: h-kamo)
Details
(Whiteboard: [ca-compliance] [disclosure-failure])
SECOM failed to disclose the following intermediate certificates within one week of issuance as required by Mozilla policy section 5.3.2:

https://crt.sh/?sha256=38b26cf45c932ea28019d93e440ac72bae83f9cbf52d6ad913698b18fcc8717d&opt=mozilladisclosure
https://crt.sh/?sha256=2b30d5e912906358c9ad6fb57fd7b368a01a78e395b4ec11645c5b98a0967de8&opt=mozilladisclosure

Please provide an incident report in this bug, as described here: https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report

Please also post the report to the mozilla.dev.security.policy forum.
Comment 1 • 6 years ago (Assignee)
Dear Wayne-san,

Thank you for the notice. Because of our misrecognition we failed to disclose. We have now disclosed those certificates.

Best regards,
Hisashi Kamo
Comment 2 • 6 years ago (Reporter)
Dear Kamo-san:

Thank you for your disclosure. Please provide an incident report explaining why this happened and how SECOM will prevent it from happening again.
Flags: needinfo?(h-kamo)
Comment 3 • 6 years ago (Assignee)
Dear Wayne-san,

1. How your CA first became aware of the problem

We first became aware through the email of this Bugzilla bug at 7:45 on October 10, 2018.

2. A timeline of the actions your CA took in response.

<7:45 on October 10, 2018> We received the email of this Bugzilla bug.
<10:17 on October 10, 2018> We disclosed on CCADB.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.

Not applicable. We carefully checked this and immediately disclosed on CCADB.

4. A summary of the problematic certificates.

Not applicable.

5. The complete certificate data for the problematic certificates.

Not applicable.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

Because of our misrecognition we failed to disclose. When registering a certificate with code signing in CCADB in August, we got a message saying registration was unnecessary, and we then mistakenly assumed that registration for the certificates in this case was also unnecessary.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future

We added the CCADB disclosure procedure to the key ceremony manual. In addition, we provided education to operational staff so that there is no misrecognition like this.

Thank you for your consideration.

Best regards,
Hisashi Kamo
Flags: needinfo?(h-kamo)
Comment 4 • 6 years ago (Reporter)
Dear Kamo-san,

Thank you for this incident report. I do not understand what you mean by "misrecognition". Will you please explain what caused this in more detail?

I understand that you have now added CCADB disclosure to your standard key ceremony procedure documentation - is that correct?

Also, please be aware that you can double-check intermediate disclosures using crt.sh: https://crt.sh/mozilla-disclosures#undisclosed
Flags: needinfo?(h-kamo)
Comment 5 • 6 years ago (Assignee)
Dear Wayne-san,

> I do not understand what you mean by "misrecognition". Will you please explain what caused this in more detail?

When we tried to disclose another certificate with an EKU before, we got the message "This certificate is considered to be technically-constrained as per Mozilla policy, so it does not need to be added to the CA Community in Salesforce." We misunderstood this message to mean that disclosure was not necessary for the certificates you pointed out, although the message did not apply to them.

> I understand that you have now added CCADB disclosure to your standard key ceremony procedure documentation - is that correct?

Yes, that is correct.

Best regards,
Hisashi Kamo
Flags: needinfo?(h-kamo)
Updated • 6 years ago (Reporter)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated • 1 year ago
Product: NSS → CA Program
Updated • 1 year ago
Whiteboard: [ca-compliance] → [ca-compliance] [disclosure-failure]