- How your CA first became aware of the problem
Entrust Datacard was notified that certificates were issued with the IP address in the SAN as a dNSName on January 29, 2019 with an email from Jonathan Rudenberg.
- A timeline of the actions your CA took in response
Jan 29, 2019, 12:51 UTC - Email notification
Jan 30, 2019, 21:15 UTC - Email response stating current plan
Feb 3, 2019, 19:19 UTC - Bug 1524876 opened
Feb 4, 2019, 16:52 UTC - Email notification of bug
Feb 4, 2019, 19:57 UTC - Investigation started
Feb 5, 2019, 20:34 UTC - All certificates identified
- Confirmation that your CA has stopped issuing TLS/SSL certificates with the problem
Entrust Datacard stopped issuing these certificates in August 2016. We did have a mis-issuance of 2 certificates after August 2016 which has been reported, https://bugzilla.mozilla.org/show_bug.cgi?id=1448986.
- A summary of the problematic certificates
Through to August 2016, Entrust Datacard issued certificates with the IP address in the SAN dNSName to support a Microsoft browser issue. This was common in the ecosystem. The issue was discussed by Mozilla, https://bugzilla.mozilla.org/show_bug.cgi?id=1148766. It was also discussed by the CA/Browser Forum and the following was posted, https://cabforum.org/guidance-ip-addresses-certificates/. As a result of these discussions, we fixed our issue in August 2016.
Entrust Datacard was unaware that certificates issued in this way should be disclosed or revoked. As such, all certificates were allowed to expire.
- The complete certificate data for the problematic certificates
The following certificates were provided to Entrust Datacard by Jonathan Rudenberg:
The following certificates were found through the investigation:
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
This mistake was made to address a browser issue before the CA/Browser Forum Baseline Requirements were introduced. The implementation of the Baseline Requirements failed to address this issue. The issue was detected through certificate linting and was addressed through a patch in August 2016.
- List of steps your CA is taking to resolve the situation
Entrust Datacard patched this issue in August 2016 and uses certificate linting to detect this instance if it occurs again.
All unexpired/unrevoked certificates were revoked on or before February 8, 2019 with the exception of the following certificates:
These certificates are scheduled to be revoked on February 22, 2019.
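For readers who want to see concretely what the "IP address in the SAN dNSName" problem looks like and what the linting check mentioned in this report has to catch, here is an added example. It is not Entrust Datacard's code and is not part of the report above. It assumes the subjectAltName extension has already been decoded into (GeneralName type, value) pairs as a DER parser would yield them (dNSName as text, iPAddress as 4 or 16 raw octets per RFC 5280); the SAN entries in SAMPLE_SAN are constructed for illustration and do not come from any real certificate.

```python
"""Lint check: IP address literals must be iPAddress SAN entries, never dNSName.

Added example. Operates on already-decoded SAN GeneralName entries; it does
not parse certificates. The function and type names are this example's own.
"""
import ipaddress
from typing import List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
# ("dNSName", "www.example.com") or ("iPAddress", b"\xc6\x33\x64\x07")
SanEntry = Tuple[str, object]


def ip_literal(value: object) -> Optional[IPAddr]:
    """Return the address if `value` is an IPv4/IPv6 literal, else None.

    Covers the forms a mis-encoded dNSName is likely to carry: dotted quad,
    IPv6 text with or without brackets, and a trailing dot. Anything the
    ipaddress module rejects ("1.2.3", "10.0.0.256", hostnames) is not an IP.
    """
    if not isinstance(value, str):
        return None
    candidate = value.strip().rstrip(".")
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None


def lint_san(entries: List[SanEntry]) -> List[str]:
    """Return one finding per SAN entry that violates the encoding rules."""
    findings: List[str] = []
    for gn_type, value in entries:
        if gn_type == "dNSName":
            ip = ip_literal(value)
            if ip is not None:
                findings.append(
                    f"dNSName {value!r} is an IPv{ip.version} address; "
                    "it must be encoded as an iPAddress GeneralName"
                )
        elif gn_type == "iPAddress":
            # RFC 5280 4.2.1.6: iPAddress is the raw address, 4 or 16 octets.
            if not isinstance(value, (bytes, bytearray)) or len(value) not in (4, 16):
                findings.append(f"iPAddress entry {value!r} is not 4 or 16 octets")
    return findings


def to_ip_address_entry(value: str) -> SanEntry:
    """Re-encode an IP literal as the iPAddress GeneralName it should have been."""
    ip = ip_literal(value)
    if ip is None:
        raise ValueError(f"{value!r} is not an IP address literal")
    return ("iPAddress", ip.packed)


def fix_san(entries: List[SanEntry]) -> List[SanEntry]:
    """Rewrite offending dNSName entries as iPAddress entries; leave others as-is."""
    fixed: List[SanEntry] = []
    for gn_type, value in entries:
        if gn_type == "dNSName" and ip_literal(value) is not None:
            fixed.append(to_ip_address_entry(value))  # type: ignore[arg-type]
        else:
            fixed.append((gn_type, value))
    return fixed


# Constructed sample SAN (not from a real certificate).
SAMPLE_SAN: List[SanEntry] = [
    ("dNSName", "www.example.com"),          # fine
    ("dNSName", "192.0.2.10"),               # the pattern this report is about
    ("dNSName", "[2001:db8::1]"),            # same problem, IPv6 with brackets
    ("dNSName", "1.2.3"),                    # looks numeric but is not an IP
    ("iPAddress", bytes([198, 51, 100, 7])), # correct encoding
    ("iPAddress", b"\x01\x02\x03"),          # malformed: 3 octets
]

if __name__ == "__main__":
    for finding in lint_san(SAMPLE_SAN):
        print("FAIL:", finding)
    print("after fix:", lint_san(fix_san(SAMPLE_SAN)))
```

The check deliberately leaves "1.2.3" alone: a linter that flagged every numeric-looking label would produce false positives on legitimate hostnames, while one that only matched a dotted-quad regex would miss IPv6 and bracketed forms. Running `lint_san` over the decoded SAN of every certificate before signature is the control the report describes as detecting "this instance if it occurs again".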