Closed Bug 1524094 Opened 5 years ago Closed 5 years ago

Certinomis: invalid DNS names in SAN

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: agwa-bugs, Assigned: marc.maitre)

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

Marc: Please provide an incident report, as per https://wiki.mozilla.org/CA/Responding_To_An_Incident

Assignee: wthayer → marc.maitre
Flags: needinfo?(marc.maitre)
QA Contact: kwilson → wthayer
Whiteboard: [ca-compliance]

Hello,

1/ How your CA first became aware of the problem.

  1. When looking at test certificates after testing our VENAFI connector project.
  2. I was notified by this bug, opened by Andrew Ayer and assigned to me by Ryan Sleevi.

2/ A timeline of the actions your CA took in response.

2019-01-18 14:32:21 UTC CREATION OF Thomas RISON Test
2019-01-18 14:32:22 UTC REVOCATION OF Thomas RISON Test
2019-01-18 14:37:09 UTC CREATION OF Thomas RISON Test
2019-01-18 14:37:10 UTC REVOCATION OF Thomas RISON Test
2019-01-24 10:09:01 UTC CREATION OF Thomas RISON Test2
2019-01-24 10:09:03 UTC REVOCATION OF Thomas RISON Test2
2019-01-24 13:51:27 UTC CREATION OF Axel BOUKHRIS
2019-01-24 13:51:29 UTC REVOCATION OF Axel BOUKHRIS
2019-01-25 09:13:03 UTC CREATION OF Thomas RISON
2019-01-25 09:13:04 UTC REVOCATION OF Thomas RISON
2019-01-25 09:19:34 UTC CREATION OF Thomas RISON 3
2019-01-25 09:19:36 UTC REVOCATION OF Thomas RISON 3
2019-01-25 14:07:00 UTC CREATION OF Thomas RISON 4
2019-01-25 13:07:10 UTC REVOCATION OF Thomas RISON 4
2019-01-30 15:12 PST bugzilla opened by Andrew Ayer
2019-01-31 06:55 PST bugzilla assigned by Ryan Sleevi
2019-01-31 14:55 UTC notification from Bugzilla (bugzilla-daemon) received in the marc.maitre@docapost.fr mailbox.

3/ Whether your CA has stopped, or has not yet stopped,

Yes

4/ A summary of the problematic certificates.

7 certificates issued from 2019-01-18 to 2019-01-25
"Axel BOUKHRIS", "Thomas RISON Test", "Thomas RISON 3", "Thomas RISON Test2", "Thomas RISON 4", "Thomas RISON", "Thomas RISON Test"

5/ The complete certificate data for the problematic certificates.

https://crt.sh/?id=1140520168
https://crt.sh/?id=1122237672
https://crt.sh/?id=1142762260
https://crt.sh/?id=1142749513
https://crt.sh/?id=1140030436
https://crt.sh/?id=1122244968
https://crt.sh/?id=1143286247

6/ Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

Certinomis is developing a connector for VENAFI software and it is only possible to test it by creating real certificates that are immediately revoked.
We tested three times, on 18/01, 24/01 and 25/01, correcting some bugs in between.
The improper DNS name in the SAN is one of the identified bugs that has to be fixed; work is in progress.

7/ List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future.

The improper DNS name in the SAN is one of the identified bugs that has to be fixed; work is in progress.

Best regards
Marc MAITRE

Flags: needinfo?(marc.maitre)
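The bug title refers to dNSName entries in the subjectAltName extension that are not valid DNS names; the subject names listed in the report (for example "Thomas RISON Test") are the kind of value a pre-issuance check must reject. The following is an added example, not code from the report or from Certinomis, of a minimal dNSName syntax lint; the sample SAN list is constructed here and modelled on the names above.

```python
import re

# RFC 1034 "preferred name syntax" as required by RFC 5280 section 4.2.1.6:
# labels of letters, digits and hyphens, not starting or ending with a
# hyphen, 1-63 octets each, whole name at most 253 octets. A wildcard is
# accepted only as a complete leftmost label (*.example.com).
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def check_dns_name(name: str) -> list:
    """Return the list of problems with a candidate dNSName; empty means OK."""
    problems = []
    if any(c.isspace() for c in name):
        problems.append("contains whitespace")
    if not name.isascii():
        problems.append("non-ASCII characters (IDNs must be A-label encoded)")
    if len(name) > 253:
        problems.append("longer than 253 octets")
    labels = name.split(".")
    if name.endswith("."):
        problems.append("trailing dot is not allowed in a dNSName")
        labels = labels[:-1]
    if len(labels) < 2:
        problems.append("fewer than two labels (not a registrable domain name)")
    for i, label in enumerate(labels):
        if label == "*":
            if i != 0:
                problems.append("wildcard not in the leftmost label")
            continue
        if "*" in label:
            problems.append(f"partial wildcard label {label!r}")
        elif not LABEL_RE.match(label):
            problems.append(f"label {label!r} violates preferred name syntax")
    return problems


def lint_san(dns_names) -> dict:
    """Map each offending SAN dNSName to its problems; valid names are omitted."""
    return {n: p for n in dns_names if (p := check_dns_name(n))}


# Constructed sample SAN contents (hypothetical), not taken from the certificates.
SAMPLE_SAN = ["www.example.com", "*.example.com", "Thomas RISON Test", "Axel BOUKHRIS"]

if __name__ == "__main__":
    for name, problems in lint_san(SAMPLE_SAN).items():
        print(f"REJECT {name!r}: {'; '.join(problems)}")
```

A CA's issuance pipeline would run a check like this, or a full linter such as zlint, on the to-be-signed certificate and refuse to sign on any finding, so that a connector bug cannot reach production issuance.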

> Certinomis is developing a connector for VENAFI software and it is only possible to test it by creating real certificates that are immediately revoked.

Please explain this in much more detail. Some questions I have include:

  1. Why are you doing development/testing in your production CA environment?
  2. Why is this not being done in a testing environment?
  3. What system/process was used to issue the certificates?
  4. Were any controls bypassed?

Please do not limit yourself to answering just these questions, the goal is to understand in detail what happened, why it happened, why the misissuance was possible, and how it will be prevented in the future.

> We tested three times, on 18/01, 24/01 and 25/01, correcting some bugs in between.

After the first misissuance incident on 2019-01-18 did you do an investigation? What were the findings? Why wasn't an incident report filed here?

Flags: needinfo?(marc.maitre)

NOTE: Given the reference to "test" certificates, this incident may be related to bug #1524112.

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

The Certinomis Root CA is being removed from the Mozilla root store in bug 1552374, so I am resolving this bug. Additional comments that may be useful when considering any future application by Certinomis are welcome.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(marc.maitre)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]