Closed Bug 1517617 Opened 6 years ago Closed 6 years ago

DigiCert: Underscores - Citi

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jeremy.rowley, Assigned: brenda.bernal, NeedInfo)

Details

(Whiteboard: [ca-compliance] [ev-misissuance])

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0

Steps to reproduce:

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

   1. September 5, 2018 - the issue is raised by the browsers on the CA/Browser Forum.
   2. October 10, 2018 – The CAB Forum discussions on the validation working group indicated that the browsers believed this was mis-issuance
   3. October 16, 201 – Tim reports back on the status of the Shanghai meeting. This is when we first know of the proposal
   4. October 19, 2018 – Ballot was proposed by Wayne to the validation working group. This is the first we are aware that the certs may require revocation. Note the revocation date was still being debated.
   5. October 26, 2018 – Final ballot was proposed.
   6. November 2, 2018 – Voting period starts
   7. November 9, 2018 – Voting period ends. This is when we first know there is a requirement in the CAB Forum to revoke the certs.
   8. January 15, 2018 – First time we will be in non-compliance (assuming we don’t revoke all the certs of course)
   9. April 30, 2018 – Proposal on when all certs will be revoked.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

   1. September 5, 2018 - the issue is raised by the browsers on the CA/Browser Forum.
   2. October 1, 2018 – We cease issuance of underscore characters in case the discussion goes south (obviously it does)
   3. October 2, 2018 – We notify customers that the browsers are raising an issue with underscores. Bad data leads to only some customers being notified.
   4. October 10, 2018 – The CAB Forum discussions on the validation working group indicated that the browsers believed this was mis-issuance
   5. October 10, 2018 – Internal advisory sent that this is picking up speed and external comms provided in KB article
   6. October 11, 2018 – Discussion with customers about potential impact. Turns out they are required for certain IBM systems.
   7. October 16, 201 – Tim reports back on the status of the Shanghai meeting. This is when we first know of the proposal
   8. October 17, 2018 – Internal discussion about whether we allow underscore character renewals and whether the ballot is likely to pass. We decide it is but are hoping existing certs will be allowed to expire.
   9. October 19, 2018 – Ballot was proposed by Wayne to the validation working group. This is the first we are aware that the certs may require revocation. Note the revocation date was still being debated.
   10. October 19, 2018 – Internal discussion to start comms about CAB Forum plan.
   11. October 20, 2018 – Second emergency meeting to start comms process.
   12. October 24, 2018 – Gather of data on all impacted certs across the different systems
   13. October 26, 2018 – Final ballot was proposed.
   14. November 1, 2018 – We notice the data is wrong and regather the information.
   15. November 2, 2018 – Voting period starts
   16. November 9, 2018 – Voting period ends. This is when we first know there is a requirement in the CAB Forum to revoke the certs.
   20. November 29, 2018 – Posting to Mozilla about concerns with ballot
   21. November 28, 2018 – Final comms is dropped about the ballot and its impact.
   22. November 30, 2018 – Final internal advisory on issue.
   23. December 4, 2018 – Notice of underscores sent to customer
   24. December 19, 2018 – Post of future incident report to start discussion on what will happen if we don’t revoke the certs. The goal is to provide better information on the scope of impact.
   25. Jan 6, 2019 - Freeze over
   26. January 15, 2019 – First time we will be in non-compliance (assuming we don’t revoke all the certs of course)
   27. April 30, 2018 – Proposal on when all certs will be revoked.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

   We stopped issuing certs with underscore characters on Oct 1. We re-enabled 30 day certificates per the ballot for any customers that can use that option. We found that exactly no customers can use that option. We will shut down the 30 day certs per the ballot requirements. However, 30 day certificates will not work in this case because it will lead to double work. The certificates are deployed to customer installations, which require downtime and change windows. New FQDNs need to be rolled out and impact additional applications so better to do it at once.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

   There are 105 MQ certificates and 33 prod certificates. Changing the certificate requires a change in their tooling, which occurs at a channel level. These certificates connect most of LATAM, Mexico, Singapore, etc, which means extensive testing before changing the name. The massive coordination required for international banking requires extensive communication and sign-offs from both internal and external third parties. A single change to update the name and certificates is easier to do than two separate changes.

5. The complete certificate data for the problematic certificates.

   Listed below.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

   The delay in revocation is because of the change control policies required when impacting international banking.
   The queue managers connect to external parties, meaning the technical side at the company is doable, but the third parties involved create a longer replacement timeline for the remaining certificates.

7. List of steps CA is taking to resolve the situation and ensure it will not be repeated.

   Communicate better and ensure all customers are aware that the CPS and other documents all specify that 24 hour revocation is possible.

Actual results:

Certs:

Thanks Jeremy.
Assignee: wthayer → jeremy.rowley
Summary: DigiCert - Underscore - Company 5 → DigiCert: Underscores - Company 5
Whiteboard: [ca-compliance]
> Changing the certificate requires a change in their tooling, which occurs at a channel level.

This seems particularly concerning. What steps are being taken to mitigate this risk and thus ensure that, if this customer were to obtain a misissued certificate, the same logic would not also be applied?

> 27. April 30, 2018 – Proposal on when all certs will be revoked.

Could you explain how this date was selected and what factors were considered?
Flags: needinfo?(jeremy.rowley)
Summary: DigiCert: Underscores - Company 5 → DigiCert: Underscores - Citi

Based on the conversation on the forum, the post from Wayne, and instruction from Google, our understanding is there is no exception or extension possible and the expectation is that all CAs will revoke the certificates on the date required by the BRs. We hope that the same rules/penalties/expectations will be applied to those CAs who fail to revoke on the required date. Thank you for the discussion. Although we were hoping for more compassionate results, we do appreciate the feedback and clarification on expectations.

Flags: needinfo?(jeremy.rowley)

Seems there was a mis-communication on the intent of the discussions. We will post an update answering Ryan's questions tomorrow. Please ignore my previous post.

Here are the crt.sh links for the certs that are in scope:


Jeremy: Can you confirm whether an incident occurred and ensure that all of the details of affected certs are accurate?

Flags: needinfo?(jeremy.rowley)

Hi Ryan, I will be responding to provide updates on the underscore incidents. I can confirm that an incident has occurred and the details provided are accurate to the best of our knowledge. Our planned extension to revoke the remaining certificates (listed above) is 30-April-2019 (correction on the 2018 date). We will provide periodic updates as progress is made.

Assignee: jeremy.rowley → brenda.bernal
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Update: All remaining underscore certs for this customer have been revoked as of today (30-April-2019).

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ev-misissuance]