Closed Bug 1527423 Opened 7 months ago Closed 2 months ago

DigiCert: P-384,ecdsa-with-SHA512 Certificates

Categories: NSS :: CA Certificate Compliance, task

Tracking: Not tracked

Status: RESOLVED FIXED

People: Reporter: wayne, Assigned: brenda.bernal

Details: Whiteboard: [ca-compliance]

The following certificates, which violate Mozilla policy section 5.1, were reported to the mozilla.dev.security.policy mailing list:

crt.sh URL(s),notBefore,notAfter,issuer CN,issuer curve,sigAlg
https://crt.sh/?id=252169572 (final),2017-11-08,2020-11-12,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=276033955 (precert); https://crt.sh/?id=498045339 (final),2017-12-11,2019-12-11,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=323384439 (precert),2018-02-05,2019-02-20,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=323318776 (precert),2018-02-05,2019-02-20,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=354276341 (precert),2018-03-13,2020-03-20,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=358905399 (precert),2018-03-18,2019-05-22,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=368911544 (precert),2018-03-28,2020-04-01,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=399193174 (precert); https://crt.sh/?id=402197763 (final),2018-04-16,2020-04-22,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=399645531 (precert),2018-04-17,2020-04-22,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402216416 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402398690 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402397877 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402398610 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402397769 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402398408 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402396037 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402397885 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402517328 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402217433 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402397974 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402217018 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402397004 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402398058 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402397555 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402397524 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402396808 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402397252 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402397571 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402823673 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402517952 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=403151317 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402763940 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402397086 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402518456 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402216558 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402398642 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402517313 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402519003 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402217410 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=403149215 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402396723 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402397964 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402216780 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402398667 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402517983 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402397774 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402398302 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=402518168 (precert),2018-04-18,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=405252919 (precert),2018-04-19,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=405428425 (precert),2018-04-19,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=405320043 (precert),2018-04-19,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=405650705 (precert),2018-04-19,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=407727175 (precert),2018-04-20,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=408567523 (precert),2018-04-20,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=407726959 (precert),2018-04-20,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=408398016 (precert),2018-04-20,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=407775454 (precert),2018-04-20,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=445990399 (precert),2018-05-07,2020-04-22,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=445990393 (precert),2018-05-07,2020-04-22,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=506898653 (precert),2018-06-05,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=507076634 (precert),2018-06-05,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=506887565 (precert),2018-06-05,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=506434984 (precert),2018-06-05,2020-04-22,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=507076708 (precert),2018-06-05,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=506948039 (precert),2018-06-05,2020-04-22,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=506887802 (precert),2018-06-05,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=506948054 (precert),2018-06-05,2020-04-22,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=507154802 (precert),2018-06-05,2020-04-22,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=506898230 (precert),2018-06-05,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=506948047 (precert),2018-06-05,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=507154823 (precert),2018-06-05,2020-04-22,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=507154841 (precert),2018-06-05,2020-03-26,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=522535646 (precert); https://crt.sh/?id=622827391 (final),2018-06-12,2019-08-16,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=606393730 (precert),2018-07-18,2020-04-22,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=608042643 (precert),2018-07-23,2020-04-22,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=672145352 (precert); https://crt.sh/?id=742428676 (final),2018-08-24,2019-12-11,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=674664493 (precert); https://crt.sh/?id=803624762 (final),2018-08-25,2019-08-29,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=692964713 (precert),2018-08-29,2020-09-02,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=737110826 (precert),2018-09-11,2020-04-22,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=791808156 (precert),2018-09-27,2019-10-02,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=1007986939 (precert); https://crt.sh/?id=1012407236 (final),2018-12-07,2020-11-09,DigiCert ECC Extended Validation Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=1096256425 (precert),2019-01-09,2020-04-22,DigiCert Global CA G3,P-384,ecdsa-with-SHA512
https://crt.sh/?id=1159190961 (precert),2019-01-30,2020-12-23,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=1166047488 (precert); https://crt.sh/?id=1176344626 (final),2019-02-02,2020-12-23,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=1173085182 (precert),2019-02-05,2019-06-04,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512
https://crt.sh/?id=1176942189 (precert); https://crt.sh/?id=1182457414 (final),2019-02-06,2020-12-18,DigiCert ECC Secure Server CA,P-384,ecdsa-with-SHA512

Brenda: Please provide an incident report, as per https://wiki.mozilla.org/CA/Responding_To_An_Incident

Hi Wayne, I acknowledge the request for an incident report and the notification of the certs listed that are out of compliance with Mozilla policy. We will post an update tomorrow as we are currently investigating. Thank you.

Here is our incident report:

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

On Monday, February 11, 2019, we saw the post on Mozilla's dev security forum from Corey Bonnell on the discovery of valid certificates that were signed with a P-384 sub-CA key using the ecdsa-with-SHA512 signature algorithm. These types of certificates were ruled as not allowed per Mozilla Root Policy.

On Tuesday, February 12, 2019, Wayne notified us via opening this bug about the certificates found with this algorithm/key size problem. We acknowledged the request for an incident report on the same day.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

February 12, 2019 – notification of prohibited certificates via Bugzilla item raised by Wayne; we acknowledged receipt of the report and request for an incident write up.

February 13, 2019 – System block implemented; DigiCert is running a complete scan across our systems and will provide an update on the results once the scans complete.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

We have blocked issuance of these types of certificates on Wed, February 13, 2019.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

We had a total of 94 certificates reported to us (including 8 valid and 86 pre-certificates), with the first issue date of Nov 11, 2017 and a last cert issue date of February 6, 2019.

We will provide an update on the results of our scans once complete.

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

[The crt.sh URL list supplied here is identical to the one in the bug description above.]

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

Use of certificates with P-384 and ecdsa-with-SHA512 algorithms was prohibited by Mozilla in February 2017.

At that time, we did not have a dedicated compliance team focused on looking at these rules in detail and conducting a full impact assessment over our systems. We also overlooked the intent of the policy update to mean an exclusion of the P-384/512 algorithm given the post listed the allowed algorithms and certificate key sizes.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

We are addressing the gaps that resulted in the problematic certificates going undetected with the following controls:

  • We have a dedicated compliance team focused on analysis and review of policy changes and addressing impact broadly across all of our various systems.
  • Apart from the ballots passed through the CAB/F, we are continuously evaluating the checklist of Mozilla policy items and RFC 5280 rules that have been in effect and ensuring that we address these with comprehensive system blocks or updates to our pre-issuance certificate checking. This is a continuous work in progress, and we intend to keep making improvements.
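The rule behind this bug, as an added example (not code from this bug, from DigiCert or from Mozilla): Mozilla policy section 5.1 ties the hash in an ECDSA signature to the curve of the key that produced it (P-256 with SHA-256, P-384 with SHA-384), so the violation is detectable from exactly the two fields shown in the table above, the issuer's SubjectPublicKeyInfo curve and the leaf's signatureAlgorithm. The lint below reads those fields straight from DER with no third-party library. The certificates it checks are constructed inside the script (empty names, dummy key and signature bytes) and are not the certificates listed in the bug; the OIDs are the standard ones.

```python
"""Lint for the Mozilla Root Store Policy 5.1 ECDSA curve/hash pairing rule.

Added example, not code from this bug, DigiCert or Mozilla. The certificates it
checks are constructed below with a tiny DER writer (empty names, dummy key and
signature bytes) so the script runs offline; they are not the certificates
listed in the bug. The OIDs are the standard ones.
"""

# Standard OIDs.
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512 = (
    "1.2.840.10045.4.3.2", "1.2.840.10045.4.3.3", "1.2.840.10045.4.3.4")
P256, P384, P521 = "1.2.840.10045.3.1.7", "1.3.132.0.34", "1.3.132.0.35"
SIG_ALG_NAMES = {ECDSA_SHA256: "ecdsa-with-SHA256", ECDSA_SHA384: "ecdsa-with-SHA384",
                 ECDSA_SHA512: "ecdsa-with-SHA512"}
CURVE_NAMES = {P256: "P-256", P384: "P-384", P521: "P-521"}
# Mozilla policy section 5.1 (since v2.4, February 2017): the hash is fixed by the
# curve of the *signing* key. Nothing else (P-384/SHA-512, P-521/anything) is allowed.
ALLOWED_PAIRS = {"P-256": {"ecdsa-with-SHA256"}, "P-384": {"ecdsa-with-SHA384"}}


# --- minimal DER reader (single-byte tags, which is all X.509 needs here) ---
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: 0x8N followed by N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """Split the contents of a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tbs, sig_alg, _ = der_children(der_children(cert_der)[0][1])
    return decode_oid(der_children(sig_alg[1])[0][1])


def public_key_curve_oid(cert_der):
    """namedCurve OID from the cert's SubjectPublicKeyInfo, or None if not an EC key."""
    tbs = der_children(der_children(der_children(cert_der)[0][1])[0][1])
    if tbs[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        tbs = tbs[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    alg_id = der_children(der_children(tbs[5][1])[0][1])  # [algorithm, parameters]
    if decode_oid(alg_id[0][1]) != ID_EC_PUBLIC_KEY:
        return None
    return decode_oid(alg_id[1][1])


def check_pairing(leaf_der, issuer_der):
    """Return (issuer key curve, leaf signature algorithm, compliant with policy 5.1)."""
    curve = CURVE_NAMES.get(public_key_curve_oid(issuer_der), "unknown")
    sig = SIG_ALG_NAMES.get(signature_algorithm_oid(leaf_der), "unknown")
    return curve, sig, sig in ALLOWED_PAIRS.get(curve, set())


# --- minimal DER writer, used only to construct the sample certificates ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last byte
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_sample_cert(sig_alg_oid, curve_oid):
    """Constructed, unsigned certificate skeleton carrying only the fields the lint reads."""
    alg_id = tlv(0x30, encode_oid(sig_alg_oid))
    spki = tlv(0x30, tlv(0x30, encode_oid(ID_EC_PUBLIC_KEY) + encode_oid(curve_oid))
               + tlv(0x03, b"\x00\x04" + b"\x00" * 96))  # dummy uncompressed point
    empty_name = tlv(0x30, b"")  # real certs carry RDNs here; irrelevant to this check
    validity = tlv(0x30, tlv(0x17, b"171108000000Z") + tlv(0x17, b"201112000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + alg_id + empty_name + validity + empty_name + spki)
    return tlv(0x30, tbs + alg_id + tlv(0x03, b"\x00" * 9))  # dummy signature


if __name__ == "__main__":
    issuer = build_sample_cert(ECDSA_SHA384, P384)  # a P-384 sub-CA, as in the bug
    for leaf in (build_sample_cert(ECDSA_SHA512, P256),   # mis-issued: P-384 key, SHA-512
                 build_sample_cert(ECDSA_SHA384, P256)):  # compliant: P-384 key, SHA-384
        curve, sig, ok = check_pairing(leaf, issuer)
        print(f"issuer key {curve}, leaf signed {sig}: "
              f"{'OK' if ok else 'violates Mozilla policy 5.1'}")
```

The check deliberately looks at the issuer's key, not the leaf's: the policy constrains the hash used with the signing key, so a P-256 leaf signed by a P-384 sub-CA must still carry ecdsa-with-SHA384. Running it over a real chain only requires replacing the constructed certificates with DER loaded from disk or from a crt.sh download; no signature verification is performed, and it cannot tell a precertificate from a final certificate, so a deployment would pair it with a CT-log lookup as done in the table above.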

Update to 4) above: additional certs from scans
SHA-1 Thumbprints:
321772B27B9023ADBA0A0764786DC6089286D20C
1841B29F603AC95F98C3591E5387C8D36DB14100
95AC8768B4CFAAD0AC0BB201150679882837CA4C
093276D1011D4DD091A408B158351D333F1602E5
9EFA39F3BE7C0D5677CEEFC4AF3DE9608F543B72
4E47664564B5804C32AD215AC1AED919FC55465E
078A92DB851100EBD19F6AD8577F20DB4DF5D626
79E299B9D73786B73855C2F860FE37373A5813ED
61FE214B479AF158309B8CB622155D8D890E6EE1
D724121C5A74E908CE69981BBAADD764ED25D0AC
22D28D8C466E205C1A3A5EC6063FDEA73ED4F9E9
EC14C1DC6BAC0055516C15201F1FD185E49934E7
B5A1C92F6F796DDD927D26F373A81B8410430D9C
CC0CA1DF57139DE0E31F2603D2E0D284ECA0D8A5
BB4554F3BCC87DB2F559E98F07EBC4A61FCB8154
8BA3AB80EBB171C80B3558C800A80CDA30DFCBB6
EFA1DB638B2647FDF0B568ACBC6943EBE46DE5EE
DB90E18B6DB74A862C3CFF57B1231DDCAE6F75C8
BC46A6219F5E558069D89063D9573ED832CFAD33
FC66A1140CEDC338318DB4A678BA87CF1FD281E7
6BB53C63D1D8AA66A7A20301FA52CF6A810B17B9
DE243BB2062A30D41BDE39A29604CE2A4B1A97B4
9C3E1E734B8CCEFEAA159458FC0C5E315C83EFE0
7D95510FC520082846461D961278CDBC55190030
F4D8C32C831B7183B4CDFED82B968B2D040F8619
E7669F8D490489C18812F9C3BEA0934B1DB2D39A
078871C82BA0ADD4331342929DE3FC5E53A9EB09
63561BBA0FE689435958ABB83DF09C83799C452D
DB4E44FE9DB45207DEAA907CF8E4B5882D26332D
E333D3FE98CB53161B5328CCFFDC9B43390E4ADD
62C7F3562A5CBF269F4851E3D6AC10F6E7EE8EE3
CE869F711BE86699C0E82452A44EA7D41C615572
9E57F40CBC620023BFDEB29210971A8074C35B2B
7CDED6DC4AA991C9E5411B1D81629432F73BAF5B
ECEB4CF6B4226A25B0232EFFA4B45A13DD42466F
47E8C5C239A9C32EFA291AB7E4569DD63FA9ADB8
B1D77CF2E939129528B94B9A0D164AA22042EBB5
0A134C52E3B01F613A4F73111B49C3702E4C5D99
726F5128EA0188B4E05024BB1713EAF3B015C200
9A02166F1A8C605780BD1182B083EF475D1D69F3
E10A3D8235A2660BA3F9F8A382244521B2C9209D
7BF9A4FB9A1A62B73C3AC3537EAD1EADCF12F036
46752C4AECDF6C0770B18D42D22F82ED273F8CCF
2AABE715977E553E204FB6C995A02374AB31A306
F1EFD7351F41521609E3DCDC8F84582D8610313C
F384ECA05FEE469F74B7465F1353B13F3110A2A3
1F59EED2C5CD2D5C23CF0FD3A8715D9E19A1E5B8
501501E9C168514CBD23944796D2022CB812FC71
89323EA74D7DAAA211F9C3EC2F0361120A074ED0
843193F55611543AD83C2AC0AB009ADDC0867CE9
BF6566E71F57FD224B5B0B83512D849AE3110265
941AD6DAADBB652E2B26CD8A9132BDC0F98308F4
308AE12F1E48ABCD3152F7B424E89BC76F9C8414
0CBEEB80BFF520FB2B39F42F3D136ABE29C4106E
A714237AFEB888E8B5A242EAB867A5E9CB839F81
E3A4E6D31CD9D79A6030289C0906E5512F0947B1
F18032C6C267D07AB4158A83DEE083BBF5FA4C44
BCD47713F3CAF8DB3844653999BCD6E8E70AC272
46CB6F522862F75B172C5428D38D37EADD4DD909
F985207EE17C7A89AAE76817A022FA0BF68C95B1
7CD01B5C31F88E24B3C827584372EB0403ED9491
98D6787F2965669F86066D1ACEEAC4265FEF91B0
305AEA841606DA1810664CA334B54C601DB2FBE6
B6190427268D8F12BB6FA4067ED9D530624C3E8F
52840BC4B27B8CDCA080F3B38A83CEE8DE1599CE
6F94EF603A633DB67F4321D5CB2B50B35B39099A
5E22867A0B2DDF2543A5E960B65EEA610D2F484A
150BD45F2CE90C9B9AB63870CFB74FDA77E65FA4
4215BA7666750AE5ABAD519DF5767B10BDEA2D14
52EEE14B6AA11A76E8F977008DB67AFD7855AF00
8C114625208324744189EC31E47E4D98637AFA4B
E2F05D790BF2D52656FFF5F4E76913BD6CB92F91
0003CFF1F4C5D49DDD42ECD9204CB69AFE7E6E20
8EC5B5E5EBB00426B7A4F74DC1147974602DB2DF
305CD8CDD94D30FF26A2A993A8B14F51CAC99666
BE3E7656705F17231768C817341FA79D5E14A0C2
FA50665937DE47A0AFA36F08F744150783C51CDB
F47D394E865BFA292ADC74F33EC8398B79349C3A
214C39564D9E3B77B050B28B955F34144BD77B01
DD6820C4B918A728CCA94A9A1C16C58DDBDF3A08
E4E85975440AC76D3FBE57ADD91598EBA933A5D5
831CD6BD3C64453C7FAA690CDB67A26C6E151E6A
BE90B19FCD73CB472A9D5EF23D3708696F678693
A244529149BD043E2DC20ECFED2C21AD18765209
284C70106FBB4E5D942FF2F18E76B3761F9B4045
59DFD96205A66DF1CD7859CA08D3C6BC0B9E64C1
B582413CF795A283A40FFE336B1767099095DA63
1DD8DED65F77F70D52827EC0737843EDF8C6480D
690BBFBB8F872B479135967AB6CA3310B7C49D40
83A885DA624DC2731FD8C8D0E47B7375BA8DEF6F
9C0D5A9E98DBF0C3237B511652BAE5469D0EE382

I'm having trouble finding some of these thumbprints - e.g. https://crt.sh/?q=47E8C5C239A9C32EFA291AB7E4569DD63FA9ADB8

Am I missing something?


Ryan, Let me post the actual crt.sh links and get back to you on this. Thanks.


Ryan, sorry for the delay; here are the crt.sh links:
https://crt.sh/?q=321772B27B9023ADBA0A0764786DC6089286D20C
https://crt.sh/?q=1841B29F603AC95F98C3591E5387C8D36DB14100
https://crt.sh/?q=95AC8768B4CFAAD0AC0BB201150679882837CA4C
https://crt.sh/?q=093276D1011D4DD091A408B158351D333F1602E5
https://crt.sh/?q=9EFA39F3BE7C0D5677CEEFC4AF3DE9608F543B72
https://crt.sh/?q=4E47664564B5804C32AD215AC1AED919FC55465E
https://crt.sh/?q=078A92DB851100EBD19F6AD8577F20DB4DF5D626
https://crt.sh/?q=79E299B9D73786B73855C2F860FE37373A5813ED
https://crt.sh/?q=61FE214B479AF158309B8CB622155D8D890E6EE1
https://crt.sh/?q=D724121C5A74E908CE69981BBAADD764ED25D0AC
https://crt.sh/?q=22D28D8C466E205C1A3A5EC6063FDEA73ED4F9E9
https://crt.sh/?q=EC14C1DC6BAC0055516C15201F1FD185E49934E7
https://crt.sh/?q=B5A1C92F6F796DDD927D26F373A81B8410430D9C
https://crt.sh/?q=CC0CA1DF57139DE0E31F2603D2E0D284ECA0D8A5
https://crt.sh/?q=BB4554F3BCC87DB2F559E98F07EBC4A61FCB8154
https://crt.sh/?q=8BA3AB80EBB171C80B3558C800A80CDA30DFCBB6
https://crt.sh/?q=EFA1DB638B2647FDF0B568ACBC6943EBE46DE5EE
https://crt.sh/?q=DB90E18B6DB74A862C3CFF57B1231DDCAE6F75C8
https://crt.sh/?q=BC46A6219F5E558069D89063D9573ED832CFAD33
https://crt.sh/?q=FC66A1140CEDC338318DB4A678BA87CF1FD281E7
https://crt.sh/?q=6BB53C63D1D8AA66A7A20301FA52CF6A810B17B9
https://crt.sh/?q=DE243BB2062A30D41BDE39A29604CE2A4B1A97B4
https://crt.sh/?q=9C3E1E734B8CCEFEAA159458FC0C5E315C83EFE0
https://crt.sh/?q=7D95510FC520082846461D961278CDBC55190030
https://crt.sh/?q=F4D8C32C831B7183B4CDFED82B968B2D040F8619
https://crt.sh/?q=E7669F8D490489C18812F9C3BEA0934B1DB2D39A
https://crt.sh/?q=078871C82BA0ADD4331342929DE3FC5E53A9EB09
https://crt.sh/?q=63561BBA0FE689435958ABB83DF09C83799C452D
https://crt.sh/?q=DB4E44FE9DB45207DEAA907CF8E4B5882D26332D
https://crt.sh/?q=E333D3FE98CB53161B5328CCFFDC9B43390E4ADD
https://crt.sh/?q=62C7F3562A5CBF269F4851E3D6AC10F6E7EE8EE3
https://crt.sh/?q=CE869F711BE86699C0E82452A44EA7D41C615572
https://crt.sh/?q=9E57F40CBC620023BFDEB29210971A8074C35B2B
https://crt.sh/?q=7CDED6DC4AA991C9E5411B1D81629432F73BAF5B
https://crt.sh/?q=ECEB4CF6B4226A25B0232EFFA4B45A13DD42466F
https://crt.sh/?q=47E8C5C239A9C32EFA291AB7E4569DD63FA9ADB8
https://crt.sh/?q=B1D77CF2E939129528B94B9A0D164AA22042EBB5
https://crt.sh/?q=0A134C52E3B01F613A4F73111B49C3702E4C5D99
https://crt.sh/?q=726F5128EA0188B4E05024BB1713EAF3B015C200
https://crt.sh/?q=9A02166F1A8C605780BD1182B083EF475D1D69F3
https://crt.sh/?q=E10A3D8235A2660BA3F9F8A382244521B2C9209D
https://crt.sh/?q=7BF9A4FB9A1A62B73C3AC3537EAD1EADCF12F036
https://crt.sh/?q=46752C4AECDF6C0770B18D42D22F82ED273F8CCF
https://crt.sh/?q=2AABE715977E553E204FB6C995A02374AB31A306
https://crt.sh/?q=F1EFD7351F41521609E3DCDC8F84582D8610313C
https://crt.sh/?q=F384ECA05FEE469F74B7465F1353B13F3110A2A3
https://crt.sh/?q=1F59EED2C5CD2D5C23CF0FD3A8715D9E19A1E5B8
https://crt.sh/?q=501501E9C168514CBD23944796D2022CB812FC71
https://crt.sh/?q=89323EA74D7DAAA211F9C3EC2F0361120A074ED0
https://crt.sh/?q=843193F55611543AD83C2AC0AB009ADDC0867CE9
https://crt.sh/?q=BF6566E71F57FD224B5B0B83512D849AE3110265
https://crt.sh/?q=941AD6DAADBB652E2B26CD8A9132BDC0F98308F4
https://crt.sh/?q=308AE12F1E48ABCD3152F7B424E89BC76F9C8414
https://crt.sh/?q=0CBEEB80BFF520FB2B39F42F3D136ABE29C4106E
https://crt.sh/?q=A714237AFEB888E8B5A242EAB867A5E9CB839F81
https://crt.sh/?q=E3A4E6D31CD9D79A6030289C0906E5512F0947B1
https://crt.sh/?q=F18032C6C267D07AB4158A83DEE083BBF5FA4C44
https://crt.sh/?q=BCD47713F3CAF8DB3844653999BCD6E8E70AC272
https://crt.sh/?q=46CB6F522862F75B172C5428D38D37EADD4DD909
https://crt.sh/?q=F985207EE17C7A89AAE76817A022FA0BF68C95B1
https://crt.sh/?q=7CD01B5C31F88E24B3C827584372EB0403ED9491
https://crt.sh/?q=98D6787F2965669F86066D1ACEEAC4265FEF91B0
https://crt.sh/?q=305AEA841606DA1810664CA334B54C601DB2FBE6
https://crt.sh/?q=B6190427268D8F12BB6FA4067ED9D530624C3E8F
https://crt.sh/?q=52840BC4B27B8CDCA080F3B38A83CEE8DE1599CE
https://crt.sh/?q=6F94EF603A633DB67F4321D5CB2B50B35B39099A
https://crt.sh/?q=5E22867A0B2DDF2543A5E960B65EEA610D2F484A
https://crt.sh/?q=150BD45F2CE90C9B9AB63870CFB74FDA77E65FA4
https://crt.sh/?q=4215BA7666750AE5ABAD519DF5767B10BDEA2D14
https://crt.sh/?q=52EEE14B6AA11A76E8F977008DB67AFD7855AF00
https://crt.sh/?q=8C114625208324744189EC31E47E4D98637AFA4B
https://crt.sh/?q=E2F05D790BF2D52656FFF5F4E76913BD6CB92F91
https://crt.sh/?q=0003CFF1F4C5D49DDD42ECD9204CB69AFE7E6E20
https://crt.sh/?q=8EC5B5E5EBB00426B7A4F74DC1147974602DB2DF
https://crt.sh/?q=305CD8CDD94D30FF26A2A993A8B14F51CAC99666
https://crt.sh/?q=BE3E7656705F17231768C817341FA79D5E14A0C2
https://crt.sh/?q=FA50665937DE47A0AFA36F08F744150783C51CDB
https://crt.sh/?q=F47D394E865BFA292ADC74F33EC8398B79349C3A
https://crt.sh/?q=214C39564D9E3B77B050B28B955F34144BD77B01
https://crt.sh/?q=DD6820C4B918A728CCA94A9A1C16C58DDBDF3A08
https://crt.sh/?q=E4E85975440AC76D3FBE57ADD91598EBA933A5D5
https://crt.sh/?q=831CD6BD3C64453C7FAA690CDB67A26C6E151E6A
https://crt.sh/?q=BE90B19FCD73CB472A9D5EF23D3708696F678693
https://crt.sh/?q=A244529149BD043E2DC20ECFED2C21AD18765209
https://crt.sh/?q=284C70106FBB4E5D942FF2F18E76B3761F9B4045
https://crt.sh/?q=59DFD96205A66DF1CD7859CA08D3C6BC0B9E64C1
https://crt.sh/?q=B582413CF795A283A40FFE336B1767099095DA63
https://crt.sh/?q=1DD8DED65F77F70D52827EC0737843EDF8C6480D
https://crt.sh/?q=690BBFBB8F872B479135967AB6CA3310B7C49D40
https://crt.sh/?q=83A885DA624DC2731FD8C8D0E47B7375BA8DEF6F
https://crt.sh/?q=9C0D5A9E98DBF0C3237B511652BAE5469D0EE382

QA Contact: kwilson → wthayer

It appears that questions have been answered and remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED