Closed Bug 1532105 Opened 6 years ago Closed 6 years ago

SECOM: CrossTrust: OU > 64 characters

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: michel, Assigned: h-kamo)

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

User Agent: Mozilla/5.0 (Android 9; Mobile; rv:65.0) Gecko/65.0 Firefox/65.0

Steps to reproduce:

Hello,

I noticed this certificate issued by CrossTrust that has the organizationalUnitName longer than 64.

The certificate: https://crt.sh/?id=343394326&opt=cablint,x509lint,zlint

Summary: CrossTrust: OU > 64 → CrossTrust: OU > 64 characters

Kamo-san: Please provide an incident report, as per https://wiki.mozilla.org/CA/Responding_To_An_Incident

Assignee: wthayer → h-kamo
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(h-kamo)
QA Contact: kwilson → wthayer
Summary: CrossTrust: OU > 64 characters → SECOM: CrossTrust: OU > 64 characters
Whiteboard: [ca-compliance]

Wayne-san,

Let us provide you our incident report.

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

2019/03/03 Michel Le Bihan reported on this Bugzilla.
2019/03/05 02:22 We realized this incident via an email from Bugzilla.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events.

2018/02/21 17:00 This certificate was issued.
2019/02/28 23:59 This certificate expired.
2019/03/05 02:22 We realized this incident via an email from Bugzilla.
The times above are Japan Standard Time (JST).

When we realized this incident via Bugzilla, this certificate had already expired, thus we took no action on this certificate.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

The certificate pointed out had already expired.
No more certificates with an OU longer than 64 characters will be issued because the system has been configured.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

A summary of this certificate is as below.

2018/02/21 17:00 This certificate was issued.
2019/02/28 23:59 This certificate expired.
The times above are Japan Standard Time (JST).

We are now investigating whether or not there are certificates other than this one with an OU longer than 64 characters.
Let us post the result as soon as our investigation is completed.

5. The complete certificate data for the problematic certificates.

https://crt.sh/?id=343394326

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

This was because of a bug in the system that checks the input data for the OU.
No more certificates with an OU longer than 64 characters will be issued because the system has been configured.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

At the periodical maintenance in November 2018, we strengthened the DN check of the system for issuing server certificates.
As mentioned above, no more certificates with an OU longer than 64 characters will be issued because the system has been configured.

Thank you for your consideration.

Best regards,
Hisashi Kamo

Flags: needinfo?(h-kamo)
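The report above attributes the misissuance to a bug in the check of the OU input data, and the remediation to a strengthened DN check in the issuing system. As an added illustration (this is not SECOM's or CrossTrust's code, and the subject it checks is constructed for the example, not the subject of the certificate in the bug), the following Python shows what such a pre-issuance gate looks like when it is run over the DER-encoded Name itself, i.e. the exact bytes that would be placed in tbsCertificate.subject, against the upper bounds from RFC 5280 Appendix A (ub-organizational-unit-name-length = 64 and friends). The tiny DER encoder/decoder, the helper names and the sample subject are all assumptions of this example; the OIDs and bounds are from RFC 5280.

```python
"""Pre-issuance check of subject DN attribute lengths against the RFC 5280
Appendix A upper bounds, run over the DER Name rather than over form input.
Illustrative code with a minimal DER Name encoder/decoder; not a CA's system."""
from typing import List, Tuple

# Attribute type OIDs (X.520 / RFC 5280 section 4.1.2.4).
SHORT_TO_OID = {"CN": "2.5.4.3", "C": "2.5.4.6", "L": "2.5.4.7",
                "ST": "2.5.4.8", "O": "2.5.4.10", "OU": "2.5.4.11"}
OID_TO_SHORT = {oid: short for short, oid in SHORT_TO_OID.items()}

# RFC 5280 Appendix A upper bounds.  ASN.1 SIZE constraints count characters,
# not encoded bytes, so len() of the decoded str is the right measure; a byte
# count would wrongly reject short non-ASCII values.
UPPER_BOUNDS = {"CN": 64, "O": 64, "OU": 64, "L": 128, "ST": 128, "C": 2}

# --- minimal DER helpers, enough for a Name made of string attributes ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit = "more"
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# PrintableString, UTF8String, IA5String, BMPString
STRING_TAGS = {0x13: "ascii", 0x0C: "utf-8", 0x16: "ascii", 0x1E: "utf-16-be"}

def encode_name(rdns: List[Tuple[str, str]]) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, one AVA per RDN.
    countryName is a PrintableString; everything else a UTF8String."""
    sets = b""
    for attr, value in rdns:
        vtag = 0x13 if attr == "C" else 0x0C
        ava = _tlv(0x30, _encode_oid(SHORT_TO_OID[attr]) + _tlv(vtag, value.encode("utf-8")))
        sets += _tlv(0x31, ava)
    return _tlv(0x30, sets)

def decode_name(der: bytes) -> List[Tuple[str, str]]:
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            _, ava, p = _read_tlv(rdn, p)
            _, oid_body, q = _read_tlv(ava, 0)
            vtag, vbody, _ = _read_tlv(ava, q)
            oid = _decode_oid(oid_body)
            rdns.append((OID_TO_SHORT.get(oid, oid), vbody.decode(STRING_TAGS[vtag])))
    return rdns

def find_oversized(name_der: bytes) -> List[Tuple[str, int, int]]:
    """The pre-issuance gate: (attribute, actual length, bound) for every
    attribute over its bound; an empty list means the subject may be signed."""
    findings = []
    for attr, value in decode_name(name_der):
        bound = UPPER_BOUNDS.get(attr)
        if bound is not None and len(value) > bound:
            findings.append((attr, len(value), bound))
    return findings

# Constructed sample subject (not the certificate from the bug): one OU is
# exactly at the 64-character bound, the other is over it.
SAMPLE_SUBJECT = [
    ("C", "JP"),
    ("L", "東京都千代田区"),   # 7 characters, 21 UTF-8 bytes: must pass
    ("O", "Example Corporation"),
    ("OU", "Information Security and Compliance Operations Department, Tokyo"),
    ("OU", "Regional Sales and Customer Support Operations Department, Osaka Branch"),
]

if __name__ == "__main__":
    for attr, length, bound in find_oversized(encode_name(SAMPLE_SUBJECT)):
        print(f"REJECT: {attr} is {length} characters, bound is {bound}")
```

Running it rejects the second OU (71 characters against a bound of 64) and accepts the 64-character one and the non-ASCII locality. Two design choices matter for this class of bug: the check counts characters of the decoded value, because that is what the ASN.1 SIZE constraint constrains, and it is applied to the encoded Name that will actually be signed rather than to the web-form field, so a check that is bypassed or altered upstream of encoding cannot leave an oversized value in the issued certificate.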

Wayne-san,

Our investigation has been completed and no certificate was found.

> We are now investigating whether or not there are certificates other than this one with an OU longer than 64 characters.
> Let us post the result as soon as our investigation is completed.

Thank you for your consideration.

Best regards,
Hisashi Kamo

Flags: needinfo?(wthayer)

It appears that all questions have been answered and remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(wthayer)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]