Please let us provide our incident report below.
- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
We became aware of the problematic certificates via the mail notification from the mozilla.dev-security-policy ML and Bugzilla on 2019/05/07.
(We could not check the mail from Apr. 27 to May 6 because of the Japanese national holidays, so we noticed the incident this late. We are very sorry about that.)
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
2019/05/02 The 24 valid problematic certificates were reported by misissued.com, but we did not notice them because of the Japanese holidays from Apr. 27 to May 6.
2019/05/07 We noticed the incident via the mail notification from the mozilla.dev-security-policy ML and Bugzilla.
2019/05/07 We notified the customer of the incident and started the revocations.
2019/05/09 We did research on all CAs and confirmed that no other certificates were affected except the 24 certificates reported this time.
2019/05/10 We revoked 20 of the 24 certificates, leaving 4 to be done.
We are planning to revoke 3 of the remaining 4 certificates by May 12, and the final one will be revoked by May 17.
The one certificate that will be revoked by May 17 is used by the customer to link their system with the important infrastructure of their system. For that reason, we are concerned that revoking the certificate will have an impact on many end users.
We will continue to consider the contents of the incident and these impacts thoroughly, and make our prompt and best effort to ease the situation.
- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
We have made certain that the RAs strengthen their checking of applications. We are working hard to prevent any problem when issuing new certificates. Also, from now on, we will change the program to a system which rejects certificate applications that have L="Default City", which prevents a recurrence. That system will be completed by the end of June.
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
The 24 certificates listed on the above site are subject to the problem.
2018/08/21 The first problematic certificate was issued.
2019/04/18 The last problematic certificate was issued.
We did research on all Certification Authorities (CAs) and found no certificates with L="Default City" other than the 24 mentioned above.
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
As listed on the above page, the 24 certificates below are subject to the problem:
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
Our system was not capable of rejecting certificate applications with L="Default City".
The RAs needed to check it, but could not reject applications with L="Default City" as an error.
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
From now on, we will change the program to a system which rejects certificate applications that have L="Default City", which prevents a recurrence. That system will be completed by the end of June.
Thank you for your consideration.
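The report above says the fix is an automated check that rejects applications with L="Default City" instead of relying on manual RA review, and that all issued certificates were scanned for the same value. The following is an added example of such a check, written for this page; it is not the CA's own code. It assumes the pipeline can obtain the applicant's subject as an RFC 4514 string (for instance from `openssl req -in app.csr -noout -subject -nameopt RFC2253`), and it goes beyond the report by also rejecting the other placeholder defaults shipped in common openssl.cnf files ("Default Company Ltd" on RHEL/CentOS, which also ships "Default City"; "Some-State" and "Internet Widgits Pty Ltd" in the upstream/Debian config). The function names, the sample subjects and the placeholder list are this example's own assumptions.

```python
"""Automated pre-issuance subject check rejecting placeholder DN values.

Added example, not the CA's own code. Assumptions (not from the report):
- the RA/CA pipeline can obtain the applicant's subject as an RFC 4514
  string, e.g. from `openssl req -in app.csr -noout -subject -nameopt RFC2253`;
- the placeholder list below: "Default City" (the value from the report) plus
  other defaults shipped in common openssl.cnf files (RHEL/CentOS:
  "Default Company Ltd"; upstream/Debian: "Some-State", "Internet Widgits Pty Ltd").
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Attribute type -> placeholder values that must never reach an issued cert.
# Stored lower-case; comparison is case-insensitive so "default city" is caught
# as well (a design choice of this example, not stated in the report).
PLACEHOLDER_VALUES = {
    "L": {"default city"},
    "O": {"default company ltd", "internet widgits pty ltd"},
    "ST": {"some-state"},
}


@dataclass
class Finding:
    attr: str
    value: str
    reason: str


def parse_rfc4514(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 DN string into ordered (type, value) pairs.

    Handles backslash escapes and '+' multi-valued RDNs (each component is
    returned as its own pair); hex-encoded (#...) values are not handled.
    An optional "subject=" prefix, as printed by openssl, is removed.
    """
    if dn.startswith("subject="):
        dn = dn[len("subject="):]
    components: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped character, keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c in ",+":                         # RDN / multi-value separator
            components.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    components.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for comp in components:
        if not comp.strip():
            continue
        attr, sep, value = comp.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN component: {comp!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_subject(dn: str) -> List[Finding]:
    """Return one Finding per subject attribute holding a placeholder value."""
    findings = []
    for attr, value in parse_rfc4514(dn):
        if value.casefold() in PLACEHOLDER_VALUES.get(attr, set()):
            findings.append(Finding(attr, value, "openssl.cnf default placeholder"))
    return findings


def accept_application(dn: str) -> bool:
    """Gate for the issuance pipeline: False means the application is rejected."""
    return not check_subject(dn)


def scan_issued(subjects: Iterable[str]) -> List[Tuple[str, List[Finding]]]:
    """Retroactive scan of already-issued subjects (the 'research on all CAs'
    step in the report), returning only the subjects that need revocation."""
    hits = []
    for dn in subjects:
        findings = check_subject(dn)
        if findings:
            hits.append((dn, findings))
    return hits


if __name__ == "__main__":
    # Constructed sample subjects (example.jp names, not real customers).
    ISSUED = [
        "CN=www.example.jp,O=Example K.K.,L=Chiyoda-ku,ST=Tokyo,C=JP",
        "CN=api.example.jp,O=Example K.K.,L=Default City,ST=Tokyo,C=JP",
        "CN=mail.example.jp,O=Internet Widgits Pty Ltd,L=Osaka,ST=Osaka,C=JP",
    ]
    for dn, findings in scan_issued(ISSUED):
        for f in findings:
            print(f"REVOKE {dn}: {f.attr}={f.value!r} ({f.reason})")
```

The same `check_subject` serves both the pre-issuance gate and the retroactive scan, so the list of placeholders only has to be maintained in one place. Matching known defaults is only a floor: it catches the values an applicant forgot to change, but it does not confirm that the locality is the one the RA actually verified for the subscriber, so it complements rather than replaces the RA's validation of the address fields.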