Telekom Security: Delayed Revocations of Sub-CA certificates
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: Arnold.Essing, Assigned: Arnold.Essing
Details: Whiteboard: [ca-compliance] [ca-revocation-delay]
Attachments: 2 files
Telekom Security requires more than seven days to revoke the certificates affected by https://bugzilla.mozilla.org/show_bug.cgi?id=1649941 (“T-Systems: Incorrect OCSP Delegated Responder Certificate”). The decision to not revoke the affected certificate within seven days is based on the disruptive impact this would have on our subscribers. There are currently more than 230.000 S/MIME and smartcard authentication certificates affected by this problem, which will require up to five months to be reissued under a new Issuing CA.
We will provide an update to this Bugzilla within the following week.
Comment 1•4 years ago
Arnold Essing is currently not available so other team members will be providing updates to this Bugzilla on his behalf and until his return.
This week, further information regarding the delayed revocation was mentioned in https://bugzilla.mozilla.org/show_bug.cgi?id=1649941
You will hear from us at the latest next Friday.
Comment 2•4 years ago
The migration was started this week as planned for all of the affected CAs. Updates will be provided at least once a week.
Comment 3•4 years ago (Assignee)
On July 14, 2020 the new CA "Deutsche Telekom secure email CA E03" was put into operation. On July 20, 2020 the active user migration was started. Until today, new certificates have been issued on the new SubCA for approx. 11,000 users.
Approximately 110,000 users are affected (each user gets two certificates).
Our user migration plan:
until 2020-08-01: 10%
until 2020-09-01: 35%
until 2020-10-01: 60%
until 2020-11-01: 85%
until 2020-11-15: 100%
Comment 4•4 years ago (Assignee)
All 2.130 EE certificates (all SMIME) from "TeleSec PKS CA 8" were revoked on August 19, 2020. "TeleSec PKS CA 8" itself was revoked on August 20, 2020 and the key material was destroyed in the presence of the external auditor on August 25, 2020.
For the other 4 affected CAs the user migration is ongoing and on target. Until today, new certificates have been issued on the new SubCA for approx. 40.000 users. That is 36 % of the affected 110.000 users.
Comment 5•4 years ago (Assignee)
For the remaining 4 affected CAs the user migration is ongoing and on target. Until today, new certificates have been issued on the new SubCA for approx. 69.000 users. These are 62 % of the affected 110.000 users.
Comment 6•4 years ago
When will you be providing key destruction reports for the CAs in Comment #4?
Is the timeline on track for comment #3?
Comment 7•4 years ago (Assignee)
We will provide the key destruction report for "TeleSec PKS CA 8" as soon as we receive it from our auditor, which should be within this week.
Regarding the user migration of the 110.000 affected users, we are still on target. We plan to provide the next update by the end of this month.
Comment 8•4 years ago (Assignee)
We received the key destruction report for "TeleSec PKS CA 8" from our Auditor and attached it here.
It should also be available under the following link very soon.
https://www.tuvit.de/en/services/certification/audit-attestations-according-to-cabrowser-forum-requirements/
Comment 9•4 years ago (Assignee)
For the remaining 4 affected CAs the user migration is ongoing and on target. Until today, new certificates have been issued on the new SubCA for approx. 101.00 users. These are 92 % of the affected 110.000 users.
The key destruction in the presence of the external auditor for the remaining 4 affected CAs is planned for mid November 2020.
Comment 10•4 years ago (Assignee)
All EE certificates from the remaining 4 affected CAs were revoked on November 10th, 2020.
The remaining 4 affected CAs were:
Deutsche Telekom AG Issuing CA 01 https://crt.sh/?id=40463077
Deutsche Telekom AG secure email CA E02 https://crt.sh/?id=2517734973
Deutsche Telekom AG secure email CA SN: 75 81 aa 9f 98 30 a3 ab bf 5b b6 9f 84 d8 56 (name constrained)
Deutsche Telekom AG secure email CA SN: 15 31 b1 a1 34 7c 85 a9 7a 37 f6 0e bb 50 fd 86 (name constrained)
These CAs were revoked on November 12th, 2020 and the key material was destroyed in the presence of the external auditor also on November 12th, 2020.
We will provide the key destruction report as soon as we receive it from our auditor.
Comment 11•4 years ago (Assignee)
We received the key destruction report for the remaining 4 affected CAs from our Auditor and attached it here.
It should also be available under the following link very soon https://www.tuvit.de/en/services/certification/audit-attestations-according-to-cabrowser-forum-requirements/
Comment 12•3 years ago
I believe that this matter can be closed and intend to do so next week (Dec. 7-11) unless there are additional issues.