Closed Bug 1532429 Opened 9 months ago Closed 5 months ago

CFCA: Invalid TLD in SAN

Categories

(NSS :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wayne, Assigned: jonathansshn)

Details

(Whiteboard: [ca-compliance])

Michael Le Bihan on the mozilla.dev.security.policy list pointed out https://crt.sh/?id=1231965201&opt=cablint,x509lint,zlint that has an invalid domain `mail.xinhua08.con` in the SAN. [1]

Rufus Buschart responded that he had sent a certificate problem report to CFCA.

Jonathan Sun responded as follows [2]:

Dear Mozilla:
This problem has been confirmed. We contacted the customer and
confirmed this certificate hasn't been deployed to a production system; no
damage was caused. This certificate was revoked on March 1, 2019. We
fixed this bug in the February 27 update.

Best wishes!

Jonathan: Please file a full incident report as described at https://wiki.mozilla.org/CA/Responding_To_An_Incident

Also, please respond to the specific questions asked on the list.

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/0Pf-ExrXaNY/NooJ2L3KAAAJ
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/X-tJNcTYt5A/rKydmjJCAQAJ

Jonathan: Any updates here?

Flags: needinfo?(jonathansshn)

(In reply to Ryan Sleevi from comment #1)
> Jonathan: Any updates here?

  1. Problem Report:
    CFCA recognized this problematic certificate via Michael's and Rufus's posts in Google Groups and Bugzilla in February 2019.
  2. Timeline:
    February 28, 2019: After we received the posts, we immediately checked the CA database and contacted the customer. They explained that this certificate hadn't been deployed on servers, and CFCA revoked this certificate the same day.
  3. Statement
    CFCA has stopped issuing certificates with this problem.
  4. Summary
    This is the only certificate with this problem (invalid dNSNames in the SAN).
  5. Certificate Data:
    Please visit https://crt.sh/?id=1231965201&opt=cablint,x509lint,zlint to check the data.
  6. Explanation:
    This problem is due to the lack of a "hard fail" detection mechanism and relying too much on the discipline and skill of employees. So this wrong input was not found until we were informed.
  7. Steps:
    (1) Update the system with a hard fail mechanism; this was finished on February 27, 2019.
    (2) Monthly training on BR requirements for employees.
    (3) Monthly internal audit of the CFCA EV Root CA to prevent future problems.
    Regarding the former replies in Bugzilla 1524733, we are sorry for missing the answer to this Bugzilla. The invalid dNSName problem had been modified since the update on February 27th. Thanks again for the reminders from Michael, Rufus, Wayne and Ryan.
Flags: needinfo?(jonathansshn)
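The "hard fail" mechanism the report refers to is a pre-issuance lint that rejects a request outright instead of relying on an operator to notice a typo. The following is an added example, not CFCA's code or any real CA software: it checks every SAN dNSName for RFC 5280 / RFC 1034 hostname syntax and for a top-level domain on an allowlist, and blocks issuance on the first error. The allowlist here is a constructed five-entry set; a real deployment would load the IANA root zone list (https://data.iana.org/TLD/tlds-alpha-by-domain.txt) and refresh it on a schedule. Function names and the sample request are assumptions made for this example; `mail.xinhua08.con` is the name from the bug.

```python
"""Pre-issuance hard-fail lint for SAN dNSName entries (added example, not CA code)."""
import re
from dataclasses import dataclass, field

# Constructed, deliberately tiny TLD allowlist for the example only.
KNOWN_TLDS = frozenset({"com", "net", "org", "cn", "edu"})

# One label under RFC 1034 preferred name syntax (as RFC 5280 requires for
# dNSName): letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


@dataclass
class LintResult:
    ok: bool
    errors: list = field(default_factory=list)


def lint_dnsname(name: str) -> list:
    """Return the list of problems with one dNSName; an empty list means valid."""
    errors = []
    lowered = name.lower()
    if len(lowered) > 253:
        errors.append(f"{name}: longer than 253 characters")
    if lowered.endswith("."):
        errors.append(f"{name}: trailing dot is not allowed in a dNSName")
        lowered = lowered[:-1]
    labels = lowered.split(".")
    # A wildcard is only acceptable as the whole left-most label.
    if labels and labels[0] == "*":
        labels = labels[1:]
    if len(labels) < 2:
        errors.append(f"{name}: must have at least one label under a TLD")
        return errors
    for label in labels:
        if not LABEL_RE.match(label):
            errors.append(f"{name}: invalid label '{label}'")
    # IP addresses belong in the iPAddress GeneralName, never in dNSName.
    if all(label.isdigit() for label in labels):
        errors.append(f"{name}: looks like an IP address, not a DNS name")
    tld = labels[-1]
    if tld not in KNOWN_TLDS:
        errors.append(f"{name}: unknown top-level domain '{tld}'")
    return errors


def lint_san(dns_names) -> LintResult:
    """Hard-fail check over a whole SAN: any error blocks issuance."""
    errors = []
    for name in dns_names:
        errors.extend(lint_dnsname(name))
    return LintResult(ok=not errors, errors=errors)


if __name__ == "__main__":
    # Constructed sample request; the second name is the one from this bug.
    sample_request = ["www.xinhua08.com", "mail.xinhua08.con"]
    result = lint_san(sample_request)
    print("ISSUE" if result.ok else "REJECT")
    for problem in result.errors:
        print("  -", problem)
```

Run against the sample request this prints `REJECT` with the reason `mail.xinhua08.con: unknown top-level domain 'con'`. The check is deliberately conservative: a TLD missing from a stale allowlist causes a false rejection that an operator can investigate, whereas the failure mode this bug describes (a name that no DNS resolver could ever resolve) cannot reach issuance.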

Jonathan: Why was an update/incident report never provided on this bug? Have you updated your processes and controls to make sure that timely incident reports and responses are provided? CFCA is definitely not the only CA with old bugs needing responses, so it's understandable and unfortunately common, but as part of this delay, it would be good to know how compliance and training is changing to ensure timely and complete incident reports.

Flags: needinfo?(jonathansshn)

(In reply to Ryan Sleevi from comment #3)
> Jonathan: Why was an update/incident report never provided on this bug? Have you updated your processes and controls to make sure that timely incident reports and responses are provided? CFCA is definitely not the only CA with old bugs needing responses, so it's understandable and unfortunately common, but as part of this delay, it would be good to know how compliance and training is changing to ensure timely and complete incident reports.

Hi, Ryan:

I'm Oliver. In view of our personnel changes, Jonathan's incident report work is now fully inherited by me. The update/incident report has been replied to by Jonathan, but we apologize for the late reports and responses.
In order to make sure that incident reports and responses are timely, we will pay more attention to Bugzilla. Also, we have updated our system with a hard fail mechanism, which was finished on February 27, 2019. At the same time, we did some work to learn about the compliance and training changes. We will take more stringent measures to prevent future problems; for example, we have added a second audit process.
Thanks again.

It appears that all questions have been answered and remediation has been completed.

Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Flags: needinfo?(jonathansshn)
Resolution: --- → FIXED