Closed Bug 1521623 Opened 3 years ago Closed 3 years ago

Amazon: Failure to comply with RFC 5280


(NSS :: CA Certificate Compliance, task)

Not set


(Not tracked)



(Reporter: trevolip, Assigned: trevolip)


(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0

Steps to reproduce:

We have done an initial analysis on potential impact and have determined it is low. However, we are reaching out to customers to revoke their certificates. We will update this ticket with more details as our investigation progresses.

*Note: Our reasoning for the low risk is that the primary use of this potential vulnerability is to redirect traffic. However because our certificates are only used on AWS resources the same entity owns both the certificate and the resources so there are much easier ways for an entity to redirect traffic prior to this. There are also no know exploits of this vulnerability.

Actual results:

Amazon Trust Services has been notified that we have issued certificates that do not comply with RFC 5280.

Trev: thanks for reporting this. Please provide enough information for Mozilla to assess the risk of this issue as soon as possible.

Assignee: wthayer → trevolip
Ever confirmed: true
Flags: needinfo?(trevolip)
Summary: Failure to comply with RFC 5280 → Amazon: Failure to comply with RFC 5280
Whiteboard: [ca-compliance]

Thanks Wayne, we wanted to make sure we are exercising being prompt in reporting. However, now we that we have done a more thorough analysis of the certificates and our system we have realized that section 7.2 of RFC 8250 doesn't apply here which was the reported violation. We do not perform any unicode encoding so these are not IDNs so the rules about IDNs don't apply in this case.

Based on this we aren't going to revoke certificates.

Flags: needinfo?(trevolip)

Trev: I think you mean RFC 5280? Will you please provide an explanation of what was reported and how your analysis concluded that section 7.2 of RFC 5280 does not apply so that I can feel confident in closing out this bug?

Flags: needinfo?(trevolip)
Group: crypto-core-security

Trev: I assume this is related to the IDNA2008 encoding discussion (linked below) and therefore is invalid because it was decided that this is not clearly a violation of Mozilla policy. Please confirm.

Yes, it is. Sorry for the late reply. When we got the report we did two things in parallel. Reported the issue to security and investigated how to fix it. During our investigation on remediating the issue we realized (like others as you noted) that we aren't performing the encoding.

Flags: needinfo?(trevolip)
Closed: 3 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.