(In reply to Ryan Sleevi from comment #11)
Jonathan: That explanation does not explain how it was missed. That is, the CAA checking is orthogonal and unrelated to this certificate, as this certificate had a malformed dNSName.
The request in Comment #9 was an explanation about how these certificates were not detected based on Comment #5. As it stands, I don't believe there is high confidence that CFCA's past examination was correct, and thus it is difficult to believe that there are no further issues.
A path forward on this is to describe what steps CFCA used to scan its existing certificates in Comment #5, why those steps failed to detect the certificates in Comment #7 and Comment #9, and what steps CFCA is taking to:
- Rescan its database of issued certificates
- Understand why the existing scan failed
- Address whatever systemic issues are revealed through that investigation
I highlight this, because a failure of a CA to detect previously misissued certificates, after it has claimed it has scanned them, is a very serious issue, as much or more serious than the misissuance itself. Multiple CAs have been distrusted for failing to detect other certificates they've misissued after an incident, such as those two highlighted, and thus CFCA should endeavor to understand why they also failed, and provide a thorough update to the community about how they will be preventing such failures in the future.
The former "scanning" of the database is based on very basic logic to find obvious mistakes such as "DNS name have invalid character". As CFCA's certificate issuing amount is not very large, we processed applications based on manual double checks, which relied on the inner auditor's skills. This is the reason why the mistake happened.
We understand that it was too weak to find issues that are uncertain to human eyes, such as illegal characters, blank spaces, or illegal dNSNames.
We have found that relying too much on manual work is the main reason. The restriction update according to RFC 5280, IANA TLD limitations, and the CA/B Forum BRs has been submitted to our R&D engineers. The limitations have been added and modified in the production system. The audit checking tool is still in development, but we simulated the offline environment to check the existing data temporarily after that, and no more valid certificates contain "invalid dNSNames".
In the future, the CFCA system will pre-check every part of the customer inputs automatically according to RFC 5280, IANA TLD limitations, and the CA/B Forum BRs, and the production system will do the check again, the same as what the pre-check does.
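As an added example (not CFCA's tool and not code from this thread), this is the kind of automated dNSName check a rescan of issued certificates would apply: each SAN dNSName is tested against RFC 5280 preferred name syntax (no whitespace, ASCII only, valid labels) and against a TLD list. The TLD set and the certificate records below are constructed sample data; a real scanner would load the full IANA list and read SANs from the actual certificates.

```python
import re

# One label of RFC 5280 preferred name syntax (RFC 1034 s3.5, leading digit
# allowed per RFC 1123): letters, digits and hyphen, no leading or trailing
# hyphen, 1..63 octets. Compared case-insensitively.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed stand-in for the IANA TLD list (a real scanner loads the full list).
KNOWN_TLDS = {"com", "cn", "net", "org"}


def lint_dnsname(name: str) -> list:
    """Return the reasons a SAN dNSName is malformed (empty list = acceptable)."""
    problems = []
    if name == "":
        return ["empty dNSName"]
    if any(c.isspace() for c in name):
        problems.append("contains whitespace")
    if not name.isascii():
        problems.append("non-ASCII characters (IDNs must be A-labels)")
    if len(name) > 253:
        problems.append("longer than 253 octets")
    host = name
    if host.endswith("."):
        problems.append("trailing dot")
        host = host[:-1]
    labels = host.split(".")
    for i, label in enumerate(labels):
        if i == 0 and label == "*" and len(labels) > 1:
            continue  # wildcard only as the entire leftmost label (BR rule)
        if label == "":
            problems.append("empty label (leading or doubled dot)")
        elif not LABEL_RE.match(label.lower()):
            problems.append(f"label {label!r} violates preferred name syntax")
    if len(labels) < 2:
        problems.append("bare label, no TLD")
    elif labels[-1].lower() not in KNOWN_TLDS:
        problems.append(f"TLD {labels[-1]!r} not in IANA list")
    return problems


def scan_issued(certs: dict) -> dict:
    """certs maps a serial to its SAN dNSNames; returns serial -> {name: problems}."""
    findings = {}
    for serial, names in certs.items():
        bad = {}
        for n in names:
            problems = lint_dnsname(n)
            if problems:
                bad[n] = problems
        if bad:
            findings[serial] = bad
    return findings
```

Running `scan_issued` over the whole issued-certificate database, rather than only over new applications, is the rescan step the thread asks for; anything it returns is a certificate to revoke and a gap in the earlier manual review.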