Closed Bug 1500593 Opened 6 years ago Closed 5 years ago

IdenTrust: Internal names / failure to report

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wthayer, Assigned: roots)

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

Nicholas Hatch reported the following misissuance during the discussion of the inclusion request in bug #1339292:

On February 21 2018, I reported an unexpired certificate to IdenTrust which contained SAN entries for several invalid .INT domains:

https://crt.sh/?id=7852280

They acknowledged and revoked the certificate in a timely manner. However, I find this event particularly bothersome:

- This certificate was created for IdenTrust's own internal use.
- The issue of .int being a valid TLD has been communicated and well-known since 2009 [1]
- I don't believe IdenTrust has disclosed this misissuance as required.

IdenTrust responded with the following incident report:

1. How your CA first became aware of the problems listed below (e.g. via a Problem Report, via the discussion in mozilla.dev.security.policy, or via this Bugzilla Bug), and the date.
IdenTrust: We were made aware of this issue on 02/22/2018 from Nicholas Hatch via an email message to IdenTrust customer support.

2. Prompt confirmation that your CA has stopped issuing TLS/SSL certificates with the problems listed below.
IdenTrust: The certificate in question was revoked on the same date, 02/22/2018.

3. Complete list of certificates that your CA finds with each of the listed issues during the remediation process. The recommended way to handle this is to ensure each certificate is logged to CT and then attach a CSV file/spreadsheet of the fingerprints or crt.sh IDs, with one list per distinct problem.
IdenTrust: Only one certificate was found to have a SAN containing a ‘.int’ domain. This certificate was issued on 5/21/2015 with crt.sh ID: https://crt.sh/?id=7852280. As noted in #2, this certificate was revoked on 2/22/2018.

4. Summary of the problematic certificates. For each problem listed below: number of certs, date first and last certs with that problem were issued.
IdenTrust: Problematic certificates consist of only one certificate, issued on 5/21/2015 and installed on an IdenTrust server. As noted in #2, this certificate was revoked on 2/22/2018.

5. Explanation about how and why the mistakes were made, and not caught and fixed earlier.
IdenTrust: The certificate was generated for a server within IdenTrust. The certificate contained internal domain names which were not reachable externally. Two domain names in the SAN (Autodiscover.identrus.int and Mercury.identrus.int) were included at that time. When the certificate was generated, these domains were internally hosted domains.

When the problem was identified, IdenTrust revoked the certificate and issued a new certificate without Autodiscover.identrus.int and Mercury.identrus.int.

6. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
IdenTrust: Post 02/22/2018, IdenTrust implemented a change in the certificate approval processes that will prevent domain names with the .int TLD from being approved.

Discussion has continued in the thread: https://groups.google.com/d/msg/mozilla.dev.security.policy/fTeHAGGTBqg/ikgMfJeiAgAJ
The discussion resulted in the denial of the EV request in bug 1339292.
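As an added illustration of the two controls the incident report touches on, the pre-issuance approval check from item 6 and the retrospective search for affected certificates from item 3, here is example code written for this page; it is not IdenTrust's or Mozilla's code. The TLD lists, the validated-domain list and every SAN entry other than the two identrus.int names quoted above are constructed, and the function and variable names are assumptions. The lint generalizes the report's ".int" rule: it rejects single-label and non-public-suffix names outright, rejects names under any TLD the CA has blocked from approval, and otherwise requires that the registrable domain has passed domain validation.

```python
"""Pre-issuance SAN lint for names that look internal but sit under a public TLD,
plus a retrospective scan over already-issued certificates (example code, not
the CA's own implementation)."""
from dataclasses import dataclass, field

# Constructed: a small subset of IANA-delegated TLDs. A real deployment would load
# the full IANA root zone list. ".int" is included because it is a genuine public
# TLD, which is exactly why "identrus.int" was not an internal name.
PUBLIC_TLDS = {"com", "net", "org", "int", "gov", "edu"}

# Constructed: suffixes a CA might treat as private/internal. None of these is
# delegated in the public root, unlike ".int".
ASSUMED_INTERNAL_SUFFIXES = {"local", "corp", "internal", "lan"}


@dataclass
class LintResult:
    approved: bool
    rejected: dict = field(default_factory=dict)  # SAN name -> reason


def registrable_domain(name: str) -> str:
    """Return the last two labels, e.g. 'identrus.int' for 'mercury.identrus.int'.
    Assumption: no multi-label public suffixes; a real lint would consult the
    Public Suffix List instead of this shortcut."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lint_sans(sans, validated_domains, blocked_tlds=frozenset({"int"})):
    """Approve a SAN dNSName list only if every name is issuable.

    blocked_tlds models the process change from item 6 of the report: public
    TLDs the CA refuses to approve at all. validated_domains are the registrable
    domains the applicant has demonstrated control over (hypothetical input)."""
    validated = {d.lower() for d in validated_domains}
    rejected = {}
    for name in sans:
        n = name.lower().rstrip(".")
        if "." not in n:
            rejected[name] = "single-label name (internal hostname)"
            continue
        tld = n.rsplit(".", 1)[1]
        if tld in ASSUMED_INTERNAL_SUFFIXES or tld not in PUBLIC_TLDS:
            rejected[name] = f"non-public suffix .{tld} (internal name)"
            continue
        if tld in blocked_tlds:
            rejected[name] = f".{tld} is a public TLD the CA has blocked from approval"
            continue
        base = registrable_domain(n)
        if base not in validated:
            rejected[name] = f"{base} has not passed domain validation"
    return LintResult(approved=not rejected, rejected=rejected)


def find_certs_with_tld(issued, tld="int"):
    """Retrospective scan (item 3): return ids of issued certificates that carry
    at least one SAN dNSName under the given TLD."""
    hits = []
    for cert_id, sans in issued:
        if any(s.lower().rstrip(".").rsplit(".", 1)[-1] == tld for s in sans):
            hits.append(cert_id)
    return hits


# Constructed sample inventory. Only the two identrus.int names and the crt.sh id
# 7852280 come from the report; the other entries and the full SAN list of that
# certificate are made up for this example.
SAMPLE_ISSUED = [
    ("7852280", ["mail.example.com", "Autodiscover.identrus.int", "Mercury.identrus.int"]),
    ("constructed-1", ["www.example.com", "example.com"]),
    ("constructed-2", ["shop.example.org"]),
]

if __name__ == "__main__":
    print("certs with .int SANs:", find_certs_with_tld(SAMPLE_ISSUED))
    result = lint_sans(SAMPLE_ISSUED[0][1] + ["intranet.local", "fileserver"], ["example.com"])
    print("approved:", result.approved)
    for name, reason in result.rejected.items():
        print(f"  reject {name}: {reason}")
```

The ordering of the checks matters: a name under a non-public suffix is reported as an internal name, while a name under a blocked public TLD is reported as blocked, so the approval log distinguishes the two failure modes that were conflated in this incident.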
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Summary: Identrust: Internal names / failure to report → IdenTrust: Internal names / failure to report
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]