Closed Bug 1524449 Opened 5 years ago Closed 5 years ago

Certinomis: validity period >825 days

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jonathan, Assigned: marc.maitre)

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

Certinomis issued and then revoked this certificate with a validity period >825 days. I'm not aware of an incident report.

https://crt.sh/?opt=zlint&id=562748119

Marc: Please provide an incident report, as per https://wiki.mozilla.org/CA/Responding_To_An_Incident

In addition to explaining what happened and how it will be prevented in the future, please explain why an incident report was not filed and what is being done to ensure that future incidents are promptly reported?

Assignee: wthayer → marc.maitre
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(marc.maitre)
QA Contact: kwilson → wthayer
Whiteboard: [ca-compliance]

Hello,

Here is an incident report aligned with the Mozilla template:

1/ How your CA first became aware of the problem.
After an error notification from Jonathan

2/ A timeline of the actions your CA took in response.
2018-06-28 12:36:44 : creation of a digital certificate with a validity period of three years
2018-06-28 13:51:48 : revocation of this certificate
2018-06-28 : suppression of the three year parameter for this RA

3/ Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.
Yes, the error has been corrected and certificates issued by this CA are now limited to a two-year duration.

4/ A summary of the problematic certificates.
one certificate "www.digicheck.fr"

5/ The complete certificate data for the problematic certificates.

https://crt.sh/?id=562748119

6/ Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
Our RA software delimits separate registration areas for separate Registration Authorities, and it allows us very fine tuning of certificate templates per RA. But the consequence is that when there is a change that applies to all or many RAs, this change has to be reported in every area.
What happened is that one RA area had been forgotten and remained with the possibility of three-year SSL certificates (this is the maximum duration for all our non-SSL certificates).

7/ List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future.
SSL certificates are progressively treated separately from the others, and we have set up a test procedure with certificate linting after any change in the configuration of an RA.

At this time the same person was in charge of controls and operation, which may explain why no incident report was done.
Now we have separated these two roles and the internal auditor shall now inform the CEO in case of misissuance.

Flags: needinfo?(francois.chassery)
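The post-change linting gate that point 7 of the report describes, as an added example (this is not Certinomis's tooling and not the zlint check crt.sh ran on the certificate): a stdlib-only Python check of the CA/Browser Forum BR 6.3.2 limit of 825 days for subscriber certificates issued on or after 2018-03-01, applied to the notBefore/notAfter values in the form they take in the X.509 Validity field. The sample batch is constructed; only the notBefore timestamp comes from the timeline in the report, and the notAfter values and identifiers are assumptions.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# CA/Browser Forum BR 6.3.2: subscriber certificates issued on or after
# 2018-03-01 must have a validity period no greater than 825 days.
MAX_VALIDITY = timedelta(days=825)
RULE_EFFECTIVE = datetime(2018, 3, 1, tzinfo=timezone.utc)


def parse_asn1_time(value: str) -> datetime:
    """Parse the two encodings RFC 5280 4.1.2.5 allows in the Validity field:
    UTCTime 'YYMMDDHHMMSSZ' (years 1950-2049) and GeneralizedTime
    'YYYYMMDDHHMMSSZ' (2050 onwards). Both must be expressed in UTC ('Z')."""
    if not value.endswith("Z"):
        raise ValueError(f"time must be in Zulu form with trailing 'Z': {value!r}")
    body = value[:-1]
    if len(body) == 12:                       # UTCTime: two-digit year window
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:                     # GeneralizedTime: four-digit year
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError(f"unrecognised ASN.1 time: {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def lint_validity(not_before: str, not_after: str) -> dict:
    """Return the validity period in days and whether it breaches the 825-day
    limit. Certificates issued before the rule took effect are reported as
    not applicable rather than as compliant, so they are never hidden."""
    nb, na = parse_asn1_time(not_before), parse_asn1_time(not_after)
    if na < nb:
        raise ValueError("notAfter precedes notBefore")
    period = na - nb
    applicable = nb >= RULE_EFFECTIVE
    return {
        "days": period.days,
        "applicable": applicable,
        "violation": applicable and period > MAX_VALIDITY,
    }


def lint_batch(certs: list[dict]) -> list[str]:
    """Run the check over test-issued certificates after an RA configuration
    change and return the identifiers that breach the limit; an empty list is
    the 'gate passed' condition."""
    return [c["id"] for c in certs
            if lint_validity(c["notBefore"], c["notAfter"])["violation"]]


# Constructed sample batch (not certificate data from the bug): the notBefore
# matches the 2018-06-28 12:36:44 creation time in the report; the three-year
# notAfter and the other two entries are assumed values for illustration.
SAMPLE_CERTS = [
    {"id": "three-year-ov (constructed)", "notBefore": "180628123644Z", "notAfter": "210628123644Z"},
    {"id": "two-year-ov (constructed)",   "notBefore": "180628123644Z", "notAfter": "200628123644Z"},
    {"id": "pre-rule-3y (constructed)",   "notBefore": "170101000000Z", "notAfter": "200101000000Z"},
]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(cert["id"], lint_validity(cert["notBefore"], cert["notAfter"]))
    print("violations:", lint_batch(SAMPLE_CERTS))
```

In a real gate the two strings would be pulled from the DER Validity field of each certificate the changed RA template produces, and the gate would refuse to release the template while `lint_batch` returns anything. One caveat for a strict implementation: later Baseline Requirements versions define the validity period as running from notBefore through notAfter inclusive, which counts one day more than the plain difference used here, so a certificate sitting exactly on the 825-day boundary should be treated as over the limit.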

The Certinomis Root CA is being removed from the Mozilla root store in bug 1552374, so I am resolving this bug. Additional comments that may be useful when considering any future application by Certinomis are welcome.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(marc.maitre)
Flags: needinfo?(francois.chassery)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]