Closed Bug 1544722 Opened 5 years ago Closed 5 years ago

SECOM: certificate for which “L” and “ST” not set

Categories: CA Program :: CA Certificate Compliance
Type: task
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: h-kamo, Assigned: h-kamo
Whiteboard: [ca-compliance] [ov-misissuance]

We investigated and found a certificate for which “L” and “ST” are not set.
We contacted the customer for revocation of the certificate.
https://crt.sh/?id=203300823&opt=cablint

Here is our incident report.

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

The problem certificate was found in our investigation, and we contacted the customer to revoke the certificate on March 6, 2019.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

2016/02/03 This certificate was issued.
2019/03/06 The problem certificate was found in our investigation.
2019/03/15 The problem certificate was revoked.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

2019/03/15 The problem certificate was revoked.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

2016/02/03 This certificate was issued.
2019/03/15 The problem certificate was revoked.

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

https://crt.sh/?id=203300823&opt=cablint

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

Because of a bug in the check system for the “L” and “ST” input data.
No more such certificates will be issued because the system was configured during the maintenance work in November 2018.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

No more such certificates will be issued because the system was configured during the maintenance work in November 2018.
Let us supplement that the errors described at
https://crt.sh/?id=203300823&opt=cablint were fixed
(“SAN” in November 2018 and “AIA” in August 2017).

Thank you for your consideration.

Best regards,
Hisashi Kamo

(In reply to Hisashi Kamo from comment #0)

Thank you for this incident report.

> We investigated and found a certificate for which “L” and “ST” are not set.
> We contacted the customer for revocation of the certificate.
> https://crt.sh/?id=203300823&opt=cablint
>
> Here is our incident report.
>
>   1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
>
> The problem certificate was found in our investigation, and we contacted the customer to revoke the certificate on March 6, 2019.

Why did an investigation take place on 03/06?

>   2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
>
> 2016/02/03 This certificate was issued.
> 2019/03/06 The problem certificate was found in our investigation.
> 2019/03/15 The problem certificate was revoked.

Please explain why this certificate was not revoked in the time required by BR section 4.9.1.1 and how SECOM will prevent future revocation delays?

>   3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
>
> 2019/03/15 The problem certificate was revoked.

This response does not answer question #3.

>   4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
>
> 2016/02/03 This certificate was issued.
> 2019/03/15 The problem certificate was revoked.
>
>   5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
>
> https://crt.sh/?id=203300823&opt=cablint
>
>   6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
>
> Because of a bug in the check system for the “L” and “ST” input data.
> No more such certificates will be issued because the system was configured during the maintenance work in November 2018.

Why was this certificate not detected in November 2018? Has SECOM scanned the database of active certificates to verify that no other certificates with the same or similar problems exist?

>   7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
>
> No more such certificates will be issued because the system was configured during the maintenance work in November 2018.
> Let us supplement that the errors described at
> https://crt.sh/?id=203300823&opt=cablint were fixed
> (“SAN” in November 2018 and “AIA” in August 2017).
>
> Thank you for your consideration.
>
> Best regards,
> Hisashi Kamo

Assignee: wthayer → h-kamo
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(h-kamo)
Whiteboard: [ca-compliance]

Wayne-san,

Thank you for your comments.
We are now preparing the answers; please allow us some time to post them next week.

Thank you for your consideration.

Best regards,
Hisashi Kamo

Flags: needinfo?(h-kamo)

Wayne-san,

Thank you for your comments.
Please let us answer as below.

> Why did an investigation take place on 03/06?

It was triggered when we found the certificate listed on https://misissued.com, which we view irregularly.
After examining the contents, we became aware of this problem on 2019/03/06.
There is no logical necessity behind the date 2019/03/06.

> Please explain why this certificate was not revoked in the time required by BR section 4.9.1.1 and how SECOM will prevent future revocation delays?

Because this certificate is used for system cooperation with the important infrastructure of our customer's system, we suspected an impact on many end users from revocation of the certificate.
Considering this impact, the revocation was done after getting agreement from the customer, which took some time.
From now on, we will try to make arrangements promptly even while we take care over the contents of the incident and the impact on the customer.
Besides, we are now in the middle of an investigation into whether similar incidents may be happening with other certificates. The investigation will be completed by the end of May.

> This response does not answer question #3.

The CA on this has finished issuing certificates.

> Why was this certificate not detected in November 2018? Has SECOM scanned the database of active certificates to verify that no other certificates with the same or similar problems exist?

Because we had not checked all certificates at the time the checking system was updated for this bug in November 2018.
From now on, we will review the checking system regularly to improve its accuracy, and the Self-Audit, which is done quarterly, will be done not by sampling but by targeting all certificates.

Last of all, we would like to inform you that most Japanese business entities, including us, will have a special long national holiday from April 27th to May 6th because of the new emperor's enthronement, which you may already know from the news; this happens only once ever in our history.
For that reason, we really appreciate your understanding that we can resume contact with you after May 7th.

Best regards,
Hisashi Kamo
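The full-database scan Wayne asks for above, and the Subject-field check that SECOM's input validation missed, as an added Go example (not code from SECOM, from cablint, or from this bug). It applies the Baseline Requirements rule at issue, that a Subject containing organizationName (O) must also contain localityName (L) or stateOrProvinceName (ST), plus the converse that L and ST are prohibited without O, over a batch of DER certificates, and reports unparseable records instead of silently skipping them, since a self-audit that scans "all certificates" must not lose any. The certificates it scans are constructed in memory; `checkSubjectFields`, `scanCertificates`, `newSubject` and `makeTestCert` are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding records one Subject-field problem in a scanned certificate.
type Finding struct {
	Subject string // RFC 4514-style rendering of the Subject DN, or a record label
	Problem string
}

// checkSubjectFields applies the Baseline Requirements rule behind this bug
// (BR 7.1.4.2.2): if organizationName (O) is present, at least one of
// localityName (L) or stateOrProvinceName (ST) must be present; if O is
// absent, L and ST must be absent as well.
func checkSubjectFields(cert *x509.Certificate) []Finding {
	s := cert.Subject
	hasO := len(s.Organization) > 0
	hasL := len(s.Locality) > 0
	hasST := len(s.Province) > 0
	var out []Finding
	switch {
	case hasO && !hasL && !hasST:
		out = append(out, Finding{Subject: s.String(), Problem: "O present but neither L nor ST set"})
	case !hasO && (hasL || hasST):
		out = append(out, Finding{Subject: s.String(), Problem: "L or ST present without O"})
	}
	return out
}

// scanCertificates runs checkSubjectFields over every DER certificate in the
// batch, as a self-audit over all certificates (rather than a sample) would.
// A record that fails to parse is itself reported, so the audit cannot miss
// a certificate by accident.
func scanCertificates(ders [][]byte) []Finding {
	var out []Finding
	for i, der := range ders {
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			out = append(out, Finding{Subject: fmt.Sprintf("record %d", i), Problem: "unparseable: " + err.Error()})
			continue
		}
		out = append(out, checkSubjectFields(cert)...)
	}
	return out
}

// newSubject builds a pkix.Name; an empty string leaves that attribute absent.
func newSubject(cn, o, l, st, c string) pkix.Name {
	n := pkix.Name{CommonName: cn}
	if o != "" {
		n.Organization = []string{o}
	}
	if l != "" {
		n.Locality = []string{l}
	}
	if st != "" {
		n.Province = []string{st}
	}
	if c != "" {
		n.Country = []string{c}
	}
	return n
}

// makeTestCert creates a self-signed certificate for the given subject.
// Constructed test data only; none of these are the certificates from the bug.
func makeTestCert(subject pkix.Name) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	batch := [][]byte{
		makeTestCert(newSubject("ov.example.test", "Example Org", "", "", "JP")),      // O without L/ST: the defect in this bug
		makeTestCert(newSubject("ok.example.test", "Example Org", "Tokyo", "", "JP")), // compliant OV subject
		makeTestCert(newSubject("dv.example.test", "", "Tokyo", "", "JP")),            // L without O
		[]byte("not a certificate"),                                                   // corrupt database record
	}
	for _, f := range scanCertificates(batch) {
		fmt.Printf("%s: %s\n", f.Subject, f.Problem)
	}
}
```

The check is deliberately placed on the parsed certificate rather than on the order-entry form data: the November 2018 fix described in the report repaired the input check, but only a scan of what was actually issued can answer whether earlier certificates slipped through, which is why the quarterly self-audit is changed here from a sample to the full set.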

Kamo-san,

> Besides, we are now in the middle of an investigation into whether similar incidents may be happening with other certificates. The investigation will be completed by the end of May.

Please update this bug with the results of your investigation.

Whiteboard: [ca-compliance] → [ca-compliance] - Next Update - 01-June 2019

Wayne-san,

Please let us update the results of our investigation.

We found 7 certificates, listed below.

We have started to make arrangements with our customer for prompt revocation.
Because these certificates are used for system cooperation with the important infrastructure of the customer's system, we suspect an impact on many end users from revocation of these certificates.
We are now targeting to revoke all of these certificates by the end of June.
Upon making any progress, we will update this bug.

Thank you for your consideration.

Best regards,
Hisashi Kamo

CN=endpoint.europe.tel.com,O=Tokyo Electron,C=JP

-----BEGIN CERTIFICATE----- [PEM body omitted] -----END CERTIFICATE-----

CN=telwebmail.tel.com,O=Tokyo Electron,C=JP

-----BEGIN CERTIFICATE----- [PEM body omitted] -----END CERTIFICATE-----

CN=lyncweb.asia.tel.com,OU=Information Systems Dept, O=Tokyo Electron Limited,C=JP

-----BEGIN CERTIFICATE----- [PEM body omitted] -----END CERTIFICATE-----

CN=exhyep.telgrp.com,O=Tokyo Electron,C=JP

-----BEGIN CERTIFICATE----- [PEM body omitted] -----END CERTIFICATE-----

CN=lyncdiscover.telgrp.com,O=Tokyo Electron,C=JP

-----BEGIN CERTIFICATE----- [PEM body omitted] -----END CERTIFICATE-----

CN=lynchyeg.telgrp.com,O=Tokyo Electron,C=JP

-----BEGIN CERTIFICATE----- [PEM body omitted] -----END CERTIFICATE-----

CN=lyncrp.telgrp.com,O=Tokyo Electron,C=JP

-----BEGIN CERTIFICATE----- [PEM body omitted] -----END CERTIFICATE-----

> Because these certificates are used for system cooperation with the important infrastructure of the customer's system, we suspect an impact on many end users from revocation of these certificates.
>
> We are now targeting to revoke all of these certificates by the end of June.

This is not an acceptable timeline based on the information provided. While CAs are ultimately responsible for the decision about whether or not to revoke, if SECOM should make a decision to not revoke until the end of June, it will be substantially and significantly worse for them with respect to ongoing public trust.

In the past year, the level of detail and expectation regarding a CA's decision to intentionally and knowingly violate the BRs, by not revoking, has increased. A level of "we suspect the impact" is simply not an acceptable level of detail going forward. Please review the discussions with DigiCert around underscores to know what the minimum is.

Comment #1 asked SECOM about the steps taken to prevent further delays. This was to highlight the importance of prompt revocation. The steps taken in Comment #3 were clearly ineffective. While I realize SECOM acknowledged the possibility of other incidents in that message, I cannot stress enough the importance of ensuring complete and total transparency and prompt revocation.

Please carefully review Bug 1517617, Bug 1519572, Bug 1516599, Bug 1526154, Bug 1516561, Bug 1516453, Bug 1515788. Please carefully review https://wiki.mozilla.org/CA/Responding_To_An_Incident#Revocation and specifically "When revocation is delayed at the request of specific Subscribers, the rationale must be provided on a per-Subscriber basis." and "Any decision to not comply with the timeline specified in the Baseline Requirements must also be accompanied by a clear timeline describing if and when the problematic certificates will be revoked or expire naturally, and supported by the rationale to delay revocation.". Please carefully review the m.d.s.p. discussion then, and over the past six months, to understand the expectation.

We cannot force you to revoke - that is a decision the CA takes. However, if a CA makes a decision to delay revocation, it unquestionably owes the community a response that is as or more detailed than any previous response, that makes it clear why such a decision was made, the factors contributing, and the steps the CA is taking to meaningfully not have this happen again. As it stands, this response does not rise to that level at all, which is why it runs the risk of being significantly negative for SECOM if SECOM should delay revocation any further. It has been two months; further delays are unconscionable and irresponsible.

Flags: needinfo?(h-kamo)

Ryan-san,

Thank you for your comments.
We apologize for the delay.

We are taking this incident very seriously.
3 certificates out of 7 have been revoked, and we are continuously doing our best to revoke the remaining 4 certificates early next week.
Please let us report the details next week.

Thank you for your consideration.

Best regards,
Hisashi Kamo

Flags: needinfo?(h-kamo)

Ryan-san,

Please let us update you that the remaining 4 certificates have been revoked.
There was one certificate that could have taken a long time to revoke, but as a result of continued serious discussions with the customer, all 7 certificates we reported have been revoked today.

Best regards,
Hisashi Kamo

Wayne: Any follow-ups? I think a normal follow-up question is how delays in revocation will be prevented in the future, but I'm deferring to you.

Flags: needinfo?(wthayer)
Whiteboard: [ca-compliance] - Next Update - 01-June 2019 → [ca-compliance]

(In reply to Ryan Sleevi from comment #9)

> Wayne: Any follow-ups? I think a normal follow-up question is how delays in revocation will be prevented in the future, but I'm deferring to you.

Yes. My understanding is that 4 certificates were not revoked within the time required by the BRs.

Kamo-san: please explain what SECOM is doing to ensure that BR revocation requirements are met in the future?

Flags: needinfo?(wthayer) → needinfo?(h-kamo)

Wayne-san,

Please let us comment as below.

Regarding our current rules and procedures for revocation, we have abided by what is described in the validation manual, which is in compliance with the BR.
When we confirm a certificate which may conflict, or potentially conflict, with the BR, we will promptly report it to Bugzilla, and also implement the following measures so that the revocation is completed by the revocation deadline in compliance with the revocation reason of BR Article 4.9.1.

  • Review and reconsideration of the revocation flow according to the revocation reason of BR Article 4.9.1
  • Implementing prompt notification and explanation to the customers concerned
    (necessity of revocation, the impact on compliance if the revocation is delayed)
  • Updating the manual to ensure that the revocation process is done without any delay

Thank you for your consideration.

Best regards,
Hisashi Kamo

Flags: needinfo?(h-kamo)

Kamo-san:

Has the validation manual been updated with these changes?

It is not clear to me how these changes would have prevented the delays in revocation as you have described in this incident. Can you explain?

Flags: needinfo?(h-kamo)

Wayne-san,

Please let us answer as below.

We are planning to implement the update of the manual from now on.

The major reason for the delay of revocation is that we took more time coordinating with the customers than we initially expected.

Making use of this experience, we will review the customer coordination workflow thoroughly and try to optimize operations. In addition, we will create a format for explanatory materials for customers, so that we have a system in which we can explain any situation to customers promptly.
By optimizing customer coordination as stated above, we will make our best effort to respond faster than ever before.

Thank you for your consideration.

Best regards,
Hisashi Kamo

Flags: needinfo?(h-kamo)

(In reply to Hisashi Kamo from comment #13)

> Wayne-san,
>
> Please let us answer as below.
>
> We are planning to implement the update of the manual from now on.

This response is not clear to me. Comment #11 described a change that was to be made to the validation manual. Has this change been completed? If not, please update this bug when the change has been completed.

Flags: needinfo?(h-kamo)

Wayne-san,

Please let us inform you that the manual has been updated today.
Thank you for your consideration.

Best regards,
Hisashi Kamo

Flags: needinfo?(h-kamo)

It appears that all questions have been answered and remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]