Closed Bug 1515788 Opened 9 months ago Closed 7 months ago

DigiCert: Underscores - CVS Pharmacy

Categories

(NSS :: CA Certificate Compliance, task)

RESOLVED FIXED

People

(Reporter: jeremy.rowley, Assigned: brenda.bernal)

Details

(Whiteboard: [ca-compliance] Next Update - 8-February 2019)

Steps to reproduce:

This is the first of the companies where I have information referenced by https://bugzilla.mozilla.org/show_bug.cgi?id=1515564 . We didn't receive permission to identify them by name, but we can say they are "Major Pharmacy Benefits Manager".

The follow-up requested information is that they have a blackout period from October 15-February 1. These blackout periods represent annual enrollment in benefits and when companies subscribe to new or modified plans. Unsurprisingly, this is their busiest time of the year.

The certificates are:

They plan on replacing all certificates by April 30th. They can't be replaced before then because of the code freeze and the risk of an outage. Because these are a critical part of the enrollment systems, replacing the certs requires internal full stack validation and coordination with the external partners and customers. Coordinating a replacement on this takes weeks because of the application testing required.

The systems use publicly trusted certificates because they are accessed by corporations everywhere to enroll employees in benefits and systems. Browser use is essential during these periods.

The 30 day certificates do not help because the code freeze doesn't permit certificate changes. The main difficulty is the external buyoff by the corporate partners and the testing required. Changing certificates and domains together takes about the same effort.

Jeremy,

Thanks for filing this. Unfortunately, there are still missing details, although hints of it are in the messages you've shared on the list.

For example, you mentioned "The actual revocation occurs sometime between Jan 15 and April 30"

For this set of certificates, it's necessary that we have a clearer understanding about what the migration plan looks like. Similarly, in analyzing what you present as the risks, you say 30 day certificates don't help because the code freeze doesn't permit certificate changes - but it's unclear how long that freeze lasts, when progress will begin, and how progress will be measured.

It sounds like you're saying that changing certificates takes as much work as changing the entire domain name - is that correct?

Concretely:
1) When does the code freeze end?
2) When do certificates start to:
  * Be replaced (e.g. with 30 day certificates)
  * Be rendered obsolete (e.g. due to domain changes or switching to wildcard certificates)
3) What are the progress milestones to expect
  * For example, "We expect that the majority will be replaced from February to March by renaming the host."
  * For example, "For those that renaming the host is difficult, we expect to transition to 30 day certificates."
  * For example, "We're working with the customer to get more concrete plans. We think roughly X, but will have a closer idea of what certificates are most problematic by Y."
Flags: needinfo?(jeremy.rowley)
Discussion is at https://groups.google.com/d/msg/mozilla.dev.security.policy/0oy4uTEVnus/pnywuWbmBwAJ
Assignee: wthayer → jeremy.rowley
Summary: Underscore character - Pharmacy company → DigiCert: Underscore character - Pharmacy company
Whiteboard: [ca-compliance]
Duplicate of this bug: 1515564

This is in response to Ryan's questions for clarification.

1) When does the code freeze end?
There are two freeze dates that are important.  1st, 10/15 through 2/1.  This is the Annual Enrollment Period for certain major health plans.  2nd,  12/1 through 2/1 this is the Welcome season for people to access their new or modified Pharmacy Benefits plans.  These are our absolute busiest volume times of the year, and are critical to our customers so they can successfully navigate their prescription benefits.

2) When do certificates start to:
* Be replaced (e.g. with 30 day certificates)
* Be rendered obsolete (e.g. due to domain changes or switching to wildcard certificates)

Certificates are starting to be replaced now, in the lower level environments (small subset of the total list).  Planning for the remaining is happening and will continue through January.  We will start swapping out the remaining certificates by February 15th and target completion of the certificate swaps by the end of March.

3) What are the progress milestones to expect

During our Code freezes, we can’t accept a risk to change out significant pieces of our technology. Replacing these certs requires not only internal full stack validation, but also coordination with the large population of external partners and customers.  That isn’t feasible to manage in the window that we have been given, especially since this is in the code freezes. Coordinating a change of this nature takes many weeks due to the number of the parties involved in the application testing.

(In reply to Brenda Bernal from comment #4)
> This is in response to Ryan's questions for clarification.
> 
> 1) When does the code freeze end?
> There are two freeze dates that are important.  1st, 10/15 through 2/1. 
> This is the Annual Enrollment Period for certain major health plans.  2nd, 
> 12/1 through 2/1 this is the Welcome season for people to access their new
> or modified Pharmacy Benefits plans.  These are our absolute busiest volume
> times of the year, and are critical to our customers so they can
> successfully navigate their prescription benefits.

Thanks for clarifying. To make sure I've got it summarized: There are two different freezes, both of which end on 2/1, correct?

> 
> 2) When do certificates start to:
> * Be replaced (e.g. with 30 day certificates)
> * Be rendered obsolete (e.g. due to domain changes or switching to wildcard
> certificates)
> 
> Certificates are starting to be replaced now, in the lower level
> environments (small subset of the total list).  Planning for the remaining
> is happening and will continue through January.  We will start swapping out
> the remaining certificates by February 15th and target completion of the
> certificate swaps by the end of March.

To clarify: The goal is to have existing certificates swapped with 30-day, underscore-carrying certificates by EOM March, is that correct?

> 3) What are the progress milestones to expect
> 
> During our Code freezes, we can’t accept a risk to change out significant
> pieces of our technology. Replacing these certs requires not only internal
> full stack validation, but also coordination with the large population of
> external partners and customers.  That isn’t feasible to manage in the
> window that we have been given, especially since this is in the code
> freezes. Coordinating a change of this nature takes many weeks due to the
> number of the parties involved in the application testing.

This didn't quite answer the question, but it looks like the previous answer provided many of these details, so I want to make sure I've got it summarized correctly:

- Now - 2019-01-30: Planning for migration for all existing certificates (to...?)
- 2019-02-01: Freeze is lifted
- 2019-02-15: Migration begins (to... 30 day certs? non-underscore hosts?)
- 2019-03-31: Migration complete
- 2019-04-01: No new underscore certificates are needed or will be issued

Is that right?

If so, I think the core questions are:
* Is this conflating changing the host name (which, understandably, can be more risky for an organization) with swapping the certificate to a 30 day certificate? That is, could the migration to shorter-lived certificates be completed independent of the name migration, and thus completed sooner? I'm wanting to confirm this was explored, and if it was ruled out, we've got it documented why it was ruled out.
* Could you explain a bit more about the two week gap in February between 02-01 and 02-15? It would seem like the migration could begin immediately, but perhaps I've misunderstood the timeline.
* Can you confirm that the expectation is that on-or-after 2019-04-01, no new underscore certificates are expected, as captured in SC12?
Flags: needinfo?(jeremy.rowley) → needinfo?(brenda.bernal)

Replying to the follow-up questions from Ryan:

1) Correct, two different freezes, both of which end on 2/1.

2) The certificate swap will be for non-underscore certificates.

3) The timeline is correct with one clarification below:

- 2019-02-01: Freeze is lifted
- 2019-02-15: Migration begins to non-underscore
- 2019-03-31: Migration complete
- 2019-04-01: No new underscore certificates are needed or will be issued

Core questions responses:

> * Is this conflating changing the host name (which, understandably, can be more
> risky for an organization) with swapping the certificate to a 30 day
> certificate? That is, could the migration to shorter-lived certificates be
> completed independent of the name migration, and thus completed sooner? I'm
> wanting to confirm this was explored, and if it was ruled out, we've got it
> documented why it was ruled out.

Based on our analysis, the effort requires the same due diligence and shakeout testing, so we are going to just move to the non-underscore hostnames and certs.

> * Could you explain a bit more about the two week gap in February between 02-01
> and 02-15? It would seem like the migration could begin immediately, but
> perhaps I've misunderstood the timeline.

The expectation is it will start between 2/1 and 2/15; the commitment is it will start by 2/15, based on schedule coordination across all the systems, partners, and customers.

> * Can you confirm that the expectation is that on-or-after 2019-04-01, no new
> underscore certificates are expected, as captured in SC12?

Correct.
Flags: needinfo?(brenda.bernal)

(In reply to Brenda Bernal from comment #6)
> 2) The certificate swap will be for non-underscore certificates.
> <snip>
> Core questions responses:
> 
> > * Is this conflating changing the host name (which, understandably, can be
> > more risky for an organization) with swapping the certificate to a 30 day
> > certificate? That is, could the migration to shorter-lived certificates be
> > completed independent of the name migration, and thus completed sooner? I'm
> > wanting to confirm this was explored, and if it was ruled out, we've got it
> > documented why it was ruled out. 
> 
> Based on our analysis, the effort requires the same due diligence and
> shakeout testing, so we are going to just move to the non-underscore
> hostnames and certs.

Just to make sure it's captured, Wayne had posed a question on list specific to this that looked unanswered:

> I agree that more information is needed here. My hypothetical is that of a
> critical vulnerability in one of Organization One's systems being
> discovered on 16-Oct. Does Organization One hold off on patching until Feb?
> If not, what makes these certificates different? Why is so much
> coordination required if they are just used in browsers? Was a risk
> assessment performed to evaluate the possibility of replacing them during
> the freeze? Are routine changes permitted during the change? If so, why is
> a certificate replacement not a routine change?

I'm highlighting this, because it does sound like renaming the hosts (which wouldn't need to be completed until April 30) is being conflated with replacing the certificates (which SC12 sets at Jan 15). From the reply, it sounds like the view is that it is just as risky to replace certificates as it is to wholly rename hosts, which is both surprising and concerning, and I think something worth understanding more about.

From looking at these hosts in sampling (I have not plugged the whole set into a query/analytic engine), it seems they follow the pattern that was discussed leading up to the meeting in October; namely, that potentially renaming the hosts could be delayed much longer, through the use of wildcard certificates, which can be issued after April 1, still, and will then just depend on whether the client software supports underscores for hostnames, which, presumably, all platforms this is being used on do.

I think it's absolutely good to move away from such hostnames, to be clear, but in that risk assessment, it seems like that larger task/effort (of renaming hosts and updating references) is being conflated with what is meant to be 'simpler', namely, changing certificates.

I think Wayne can add any color to that question, but I did want to highlight it was still hanging out there on the list, and was specific to this ("Organization One").


On my side:

During the discussions of underscores and SC12, multiple requests were made to CAs to examine their systems and ensure any historic-but-still-valid underscore certificates (i.e. those issued before the CT transition date) were logged, to make sure that analysis properly considered and scoped the impact. From the remarks on the mailing list and this bug, it does appear that new certificates were recently logged, hence the delay for crt.sh links.

**1**) What steps has DigiCert taken to log its full corpus of underscore certificates (those requesting exception and those revoked)?
**2**) If no steps have been taken, when will they be taken?

I ask these questions, because it is clear that CVS Health (as Matt highlighted on the list, is clear from the O in the certificates) is and was DigiCert's largest customer of impact. This was discussed during and following the Shanghai F2F. This is captured https://cabforum.org/pipermail/servercert-wg/2018-October/000331.html , noting that outside of vIPtela (which used old Symantec roots), CVS was the largest/most impacted organization. 

Knowing the full corpus of certificates (not just CVS) that DigiCert has issued with underscores helps us have a concrete discussion about whether we're talking about a third of the misissued certs, or something less than that. The current request is, it seems, 412 certificates, which is a marked increase from even what was discussed. Understanding the cause of 139 certificates to be 'missing' from conversation - whether it was DigiCert that didn't log them or a flawed analysis on my part - helps further inform the risk.

**3**) Is it also fair to say that, looking at the corpus of certificates, CVS Health was a legacy customer of Symantec's that was acquired in the transition to DigiCert?

It looks like the transition of DigiCert issuing a larger number of underscore certificates begins around https://crt.sh/?id=272911464 , which aligns with the Symantec/DigiCert transition date. Based on the aforementioned threads, it seems this was a practice that was 10x more prevalent with Symantec than other CAs, which then caused an increase in DigiCert-related issuance following the integration and transition. I'm just wanting to confirm this analysis is correct, in the context of this request, since it seems to fit into the "How we got here" timeline.
Flags: needinfo?(brenda.bernal)

Sorry for the delay.

Re: Wayne's question:
The two are related because trying to get approvals to a replacement first, then a name change, then another certificate replacement is far longer and more difficult than changing everything at once. The slow part is not the updating, it's the testing by third parties and third party approvals using the services required to make the change.

Re: Ryan's questions
We've identified all of the certificates but have logged all certificates that will be part of the incident report. The original bug shows all of the certificates where there will be an incident on Jan 15. We aren't planning on logging the rest because they will be revoked on Jan 15th.  The non-logged certificates are used only for server-to-server transactions and don't require trust in Google or Mozilla. 

The total corpus of certificates originally was about 2200. However, we've been reducing that number as we work with the customers to identify additional certificates that can be replaced prior to the date or where revocation won't impact use of the certificates. 

You are correct about legacy DigiCert vs. legacy Symantec. However, DigiCert did issue certs to underscore domains up until Oct 1. Verizon, for example, was legacy DigiCert. Now that I think about it, Verizon was probably the only legacy DigiCert customer on that list.

(In reply to Jeremy Rowley from comment #8)
> Sorry for the delay.
> 
> Re: Wayne's question:
> The two are related because trying to get approvals to a replacement first,
> then a name change, then another certificate replacement is far longer and
> more difficult than changing everything at once. The slow part is not the
> updating, it's the testing by third parties and third party approvals using
> the services required to make the change. 

I can't speak for Wayne, but it's not clear to me how this response answers those questions. There were specific examples given in the hypothetical, such as:

>> My hypothetical is that of a
>> critical vulnerability in one of Organization One's systems being
>> discovered on 16-Oct. Does Organization One hold off on patching until Feb?
>> If not, what makes these certificates different?

That's about replacing the certificates with shorter-lived certificates, not about renaming.

The problem is trying to put together a coherent picture of the problems, and the shorter answers aren't really helping put together a narrative that explains the timelines or the challenges. We're left trying to piece it together from the bits.

For example, from the timeline, we know that migration starts 02-15 and is expected to complete by 04-01 - meaning 6 weeks to both replace certificates and rename hosts. In that time, the expectation is that hosts will be renamed, certificates replaced, and acceptance testing performed. What's missing from that, which Wayne's questions got to, is "Are you saying there is no way to replace certificates from 10-15 to 02-01" - that is, replace the certificates, not rename the hosts.

Given that we know what the bound on that timeline is - that no work starts until 02-15 as planned - it's unclear why or how it's far longer and far more difficult to replace the certificates in that interim. It's also unclear where the acceptance testing comes in - presumably, these would be issued from the same hierarchy, and thus present no issues.

Now, I can try and guess reasons that aren't being stated. For example, it may be implied that "It will take longer than two weeks to replace the remaining certificates. Further, once those certificates have been replaced, they would need to be replaced again within 30 days of their issuance, thus likely in the early part of February. As a result, work to rename hosts will not be able to begin until replacing the certificates the second time has completed. Further, given the timeline, certificates will need to be replaced a third time in parallel during that migration, sometime in early-mid March, thus causing further risk to the timeline to rename".

Of course, that's not stated, and it's all based on trying to understand what the challenges are with replacing the certificates, which still has not really been responded to in substance since the discussion began.


> Re: Ryan's questions
> We've identified all of the certificates but have logged all certificates
> that will be part of the incident report. The original bug shows all of the
> certificates where there will be an incident on Jan 15. We aren't planning
> on logging the rest because they will be revoked on Jan 15th.  The
> non-logged certificates are used only for server-to-server transactions and
> don't require trust in Google or Mozilla. 

I would encourage DigiCert to revisit this decision as quickly as possible. One of the key aspects of transparency is understanding the (incident) versus (total) certificates. Knowing this prior to SC12 may have helped DigiCert avoid an incident entirely - for example, if the problem was 2X worse than it was, or 4X, or however much, discussions about the feasibility of migration and shorter-lived certificates could have gone differently. Post-SC12, knowing about whether DigiCert is planning to treat 98% of their certificates as part of an incident vs 2% of their certificates seems very valuable in measuring the impact.

>> My hypothetical is that of a
>> critical vulnerability in one of Organization One's systems being
>> discovered on 16-Oct. Does Organization One hold off on patching until Feb?
>> If not, what makes these certificates different?

Security vulnerabilities are patched based on their rating, the practical mitigation efforts that don't require a change to key systems, the system, and number. Whether the vulnerability waits until Feb or not depends specifically on the vulnerability. The difference between the two is there is no CVSS to point to, there's no way to identify what options there are other than replace the cert, and there's no process for exceptions where the CAB Forum decides something. 

>> For example, from the timeline, we know that migration starts 02-15 and is expected to complete by 04-01 - meaning 6 weeks
>> to both replace certificates and rename hosts. In that time, the expectation is that hosts will be renamed, certificates 
>> replaced, and acceptance testing performed. What's missing from that, which Wayne's questions got to, is "Are you saying 
>> there is no way to replace certificates from 10-15 to 02-01" - that is, replace the certificates, not rename the hosts.

I'll get back to you on this one. I'm not intending to have short answers only. This incident report is different than any other ones I've filed because the root cause is not directly with DigiCert. If we mis-issue a certificate, finding the issue, reporting what happened, and remediating the issue isn't difficult. Having third parties involved is increasing the complexity in reporting the information.

(In reply to Jeremy Rowley from comment #10)
> >> For example, from the timeline, we know that migration starts 02-15 and is expected to complete by 04-01 - meaning 6 weeks
> >> to both replace certificates and rename hosts. In that time, the expectation is that hosts will be renamed, certificates 
> >> replaced, and acceptance testing performed. What's missing from that, which Wayne's questions got to, is "Are you saying 
> >> there is no way to replace certificates from 10-15 to 02-01" - that is, replace the certificates, not rename the hosts.
> 
> I'll get back to you on this one. I'm not intending to have short answers
> only. This incident report is different than any other ones I've filed
> because the root cause is not directly with DigiCert. If we mis-issue a
> certificate, finding the issue, reporting what happened, and remediating
> the issue isn't difficult. Having third parties involved is increasing the
> complexity in reporting the information.

Is there an update here?
Flags: needinfo?(jeremy.rowley)
Summary: DigiCert: Underscore character - Pharmacy company → DigiCert: Underscores - CVS Pharmacy

Based on the conversation on the forum, the post from Wayne, and instruction from Google, our understanding is there is no exception or extension possible and the expectation is that all CAs will revoke the certificates on the date required by the BRs. We hope that the same rules/penalties/expectations will be applied to those CAs who fail to revoke on the required date. Thank you for the discussion. Although we were hoping for more compassionate results, we do appreciate the feedback and clarification on expectations.

Flags: needinfo?(jeremy.rowley)

Seems there was a mis-communication on the intent of the discussions. We will post an update answering Ryan's questions tomorrow. Please ignore my previous post. Apologies for the confusion.

In reply to Ryan's prompt on comment #11, here's the response back to the following:

> For example, from the timeline, we know that migration starts 02-15 and is expected to complete by 04-01 - meaning 6 weeks
> to both replace certificates and rename hosts. In that time, the expectation is that hosts will be renamed, certificates
> replaced, and acceptance testing performed. What's missing from that, which Wayne's questions got to, is "Are you saying
> there is no way to replace certificates from 10-15 to 02-01" - that is, replace the certificates, not rename the hosts.

Customer response:
"It’s just as much work AND risk to both change the name of and replace a cert as it is to just replace the cert, because in both cases we’re “touching” the application that relies on the cert – which means application testing in non-production before the cert replacement, and in production after the cert replacement. Any touch to core PBM application now, in the heart of welcome season, constitutes significant, inadvisable, risk."

The customer is mitigating the risk of loss of customer service and benefits disruption during the busiest time of the annual enrollment period.

Flags: needinfo?(brenda.bernal)

That risk assessment is surprising and somewhat against what would result from common industry practice. It is hoped that any remediation plan, if an incident occurs, will detail how such a situation will be mitigated in the future.

For example, past incidents have revealed a number of possible options:

  1. Migration to a private (non-BR audited) PKI
  2. The use and adoption of certificate automation, such that acceptance testing is not tied to individual certificates (a similar concern with pinning)
  3. The use of TLS intermediary devices (reverse proxies) that support more rapid upgrade and deployment, as explored through the SHA-1 and Symantec deprecations

While the BRs have long had an industry-standard, CA-agnostic revocation requirement, ultimately, the CA is responsible for making the decision to revoke or not revoke. It is hoped that a CA that makes a decision not to revoke will take concrete steps to prevent a reoccurrence in the future and identify concrete steps that they will take to ensure that.

Jeremy: Can you confirm whether an incident occurred and ensure that all of the details of affected certs are accurate?

Flags: needinfo?(jeremy.rowley)

Hi Ryan, I will be responding to provide updates on the underscore incidents. I can confirm that an incident has occurred and the details provided are accurate to the best of our knowledge. Our planned extension to revoke the remaining certificates (listed above) is 31-May-2019. We will provide periodic updates as progress is made.

Brenda: I believe that date is different than the past discussions, and so want to understand how this target moved.

Comment #0 stated:

> They plan on replacing all certificates by April 30th

Comment #4 stated:

> target completion of the certificate swaps by the end of March

Comment #6 stated:

> 2019-04-01: No new underscore certificates are needed or will be issued

So now I'm trying to understand Comment #17:

> Our planned extension to revoke the remaining certificates (listed above) is 31-May-2019

Flags: needinfo?(jeremy.rowley) → needinfo?(brenda.bernal)

Hi Ryan, I will say the 31-May-2019 is an error on my part. I meant to align it to the March 31st date. With that said, I'd like to report that the customer has made significant progress and Digicert plans to revoke their remaining underscores by Friday, February 8, 2019.

Flags: needinfo?(brenda.bernal)
Assignee: jeremy.rowley → brenda.bernal
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
QA Contact: kwilson → wthayer
Whiteboard: [ca-compliance] → [ca-compliance] Next Update - 8-February 2019

The remaining underscore certificates listed above in Jeremy's initial report were all revoked as of today, February 8, 2019.

Thanks for the update, Brenda. I'm glad to hear this was resolved more timely than the originally proposed March 31.

I spot-checked a dozen, and they all show revoked, so I'm going to close this issue as Resolved, tagging Wayne in case he has any questions.

Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Flags: needinfo?(wthayer)
Resolution: --- → FIXED
Flags: needinfo?(wthayer)