Closed Bug 1517617 Opened 11 months ago Closed 7 months ago

DigiCert: Underscores - Citi

Categories

(NSS :: CA Certificate Compliance, task)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jeremy.rowley, Assigned: brenda.bernal, NeedInfo)

Details

(Whiteboard: [ca-compliance])


Steps to reproduce:

1.	How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

1.	September 5, 2018 - the issue is raised by the browsers on the CA/Browser Forum. 
2.	October 10, 2018 – The CAB Forum discussions on the validation working group indicated that the browsers believed this was mis-issuance
3.	October 16, 201 – Tim reports back on the status of the Shanghai meeting. This is when we first know of the proposal
4.	October 19, 2018 – Ballot was proposed by Wayne to the validation working group. This is the first we are aware that the certs may require revocation. Note the revocation date was still being debated.
5.	October 26, 2018 – Final ballot was proposed. 
6.	November 2, 2018 – Voting period starts
7.	November 9, 2018 – Voting period ends. This is when we first know there is a requirement in the CAB Forum to revoke the certs.
8.	January 15, 2018 – First time we will be in non-compliance (assuming we don’t revoke all the certs of course)
9.	April 30, 2018 – Proposal on when all certs will be revoked.

2.	A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done. 

1.	September 5, 2018 - the issue is raised by the browsers on the CA/Browser Forum. 
2.	October 1, 2018 – We cease issuance of underscore characters in case the discussion goes south (obviously it does) 
3.	October 2, 2018 – We notify customers that the browsers are raising an issue with underscores. Bad data leads to only some customers being notified. 
4.	October 10, 2018 – The CAB Forum discussions on the validation working group indicated that the browsers believed this was mis-issuance
5.	October 10, 2018 – Internal advisory sent that this is picking up speed and external comms provided in KB article
6.	October 11, 2018 – Discussion with customers about potential impact. Turns out they are required for certain IBM systems.
7.	October 16, 201 – Tim reports back on the status of the Shanghai meeting. This is when we first know of the proposal
8.	October 17, 2018 – Internal discussion about whether we allow underscore character renewals and whether the ballot is likely to pass. We decide it is but are hoping existing certs will be allowed to expire.
9.	October 19, 2018 – Ballot was proposed by Wayne to the validation working group. This is the first we are aware that the certs may require revocation. Note the revocation date was still being debated.
10.	October 19, 2018 – Internal discussion to start comms about CAB Forum plan.
11.	October 20, 2018 – Second emergency meeting to start comms process.
12.	October 24, 2018 – Gathering of data on all impacted certs across the different systems
13.	October 26, 2018 – Final ballot was proposed. 
14.	November 1, 2018 – We notice the data is wrong and regather the information.  
15.	November 2, 2018 – Voting period starts
16.	November 9, 2018 – Voting period ends. This is when we first know there is a requirement in the CAB Forum to revoke the certs.
20.	November 29, 2018 – Posting to Mozilla about concerns with ballot
21.	November 28, 2018 – Final comms is dropped about the ballot and its impact. 
22.	November 30, 2018 – Final internal advisory on issue.
23.	December 4, 2018 – Notice of underscores sent to customer
24.	December 19, 2018 – Post of future incident report to start discussion on what will happen if we don’t revoke the certs.  The goal is to provide better information on the scope of impact.
25. Jan 6, 2019 - Freeze over
26.	January 15, 2019 – First time we will be in non-compliance (assuming we don’t revoke all the certs of course)
27.	April 30, 2018 – Proposal on when all certs will be revoked.
 
3.	Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

We stopped issuing certs with underscore characters on Oct 1. We re-enabled 30 day certificates per the ballot for any customers that can use that option. We found that exactly no customers can use that option. We will shut down the 30 day certs per the ballot requirements. 

However, 30 day certificates will not work in this case because it will lead to double work. The certificates are deployed to customer installations, which require downtime and change windows. New FQDNs need to be rolled out and impact additional applications so better to do it at once.
 
4.	A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued. 

There are 105 MQ certificates and 33 prod certificates. Changing the certificate requires a change in their tooling, which occurs at a channel level. These certificates connect most of LATAM, Mexico, Singapore, etc, which means extensive testing before changing the name. The massive coordination required for international banking requires extensive communication and sign-offs from both internal and external third parties. A single change to update the name and certificates is easier to do than two separate changes.

5.	The complete certificate data for the problematic certificates. 
Listed below. 

6.	Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The delay in revocation is because of the change control policies required when impacting international banking. The queue managers connect to external parties, meaning the technical side at the company is doable, but the third parties involved create a longer replacement timeline for the remaining certificates.

7.	 List of steps CA is taking to resolve the situation and ensure it will not be repeated. 
Communicate better and ensure all customers are aware that the CPS and other documents all specify that 24 hour revocation is possible.




Actual results:

Certs:
Thanks Jeremy.
Assignee: wthayer → jeremy.rowley
Summary: DigiCert - Underscore - Company 5 → DigiCert: Underscores - Company 5
Whiteboard: [ca-compliance]
> Changing the certificate requires a change in their tooling, which occurs at a channel level.

This seems particularly concerning. What steps are being taken to mitigate this risk and thus ensure that, if this customer were to obtain a misissued certificate, the same logic would not also be applied?

> 27.	April 30, 2018 – Proposal on when all certs will be revoked.

Could you explain how this date was selected and what factors were considered?
Flags: needinfo?(jeremy.rowley)
Summary: DigiCert: Underscores - Company 5 → DigiCert: Underscores - Citi

Based on the conversation on the forum, the post from Wayne, and instruction from Google, our understanding is there is no exception or extension possible and the expectation is that all CAs will revoke the certificates on the date required by the BRs. We hope that the same rules/penalties/expectations will be applied to those CAs who fail to revoke on the required date. Thank you for the discussion. Although we were hoping for more compassionate results, we do appreciate the feedback and clarification on expectations.

Flags: needinfo?(jeremy.rowley)

Seems there was a mis-communication on the intent of the discussions. We will post an update answering Ryan's questions tomorrow. Please ignore my previous post.

Here are the crt.sh links for the certs that are in scope:


Jeremy: Can you confirm whether an incident occurred and ensure that all of the details of affected certs are accurate?

Flags: needinfo?(jeremy.rowley)

Hi Ryan, I will be responding to provide updates on the underscore incidents. I can confirm that an incident has occurred and the details provided are accurate to the best of our knowledge. Our planned extension to revoke the remaining certificates (listed above) is 30-April-2019 (correction on the 2018 date). We will provide periodic updates as progress is made.

Assignee: jeremy.rowley → brenda.bernal
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Update: All remaining underscore certs for this customer have been revoked as of today (30-April-2019).

Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED