Closed Bug 1685767 Opened 4 years ago Closed 4 years ago

Izenpe: Multiple sub CAs with incorrectly encoded SubjectPublicKeyInfo algorithm

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 1667846

People

(Reporter: rolandshoemaker, Assigned: o-garcia)

Details

(Whiteboard: [ca-compliance] [ca-misissuance])

A number of Izenpe issued sub CAs under the "Izenpe.com" root (https://crt.sh/?id=1616324) contain an incorrectly encoded algorithm in their SubjectPublicKeyInfo structure. As the algorithm is sha256WithRSAEncryption the parameters field must contain ASN.1 NULL, per RFC 4055 (and explicitly called out in the current Mozilla policy, although this obviously would not have applied when these certificates were originally issued), but are instead omitted.

Whiteboard: [ca-compliance]
Assignee: bwilson → o-garcia
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

We are analyzing this issue with those sub CAs created in 2010 (and any other CA currently alive) with our PKI software provider. We'll publish all details as soon as possible.
Thanks

Hi, this bug is related to https://bugzilla.mozilla.org/show_bug.cgi?id=1667846. All those subCAs were issued in October 2010, before the BR 1.0 (effective Date of 1 July 2012):

• "CA Teknikoa - CA Tecnica" - https://crt.sh/?id=21654899
• "EAEko HAetako langileen CA - CA personal de AAPP vascas (2)" - https://crt.sh/?id=8947125
• "EAEko Herri Administrazioen CA - CA AAPP Vascas (2)" - https://crt.sh/?id=1477430
• "CA de Certificados SSL EV" - https://crt.sh/?id=267017 (EXPIRED)
• "Herritar eta Erakundeen CA - CA de Ciudadanos y Entidades (3)" - https://crt.sh/?id=9035575
• "Herritar eta Erakundeen CA - CA de Ciudadanos y Entidades (4)" - https://crt.sh/?id=9035574
• "Eusko Jaurlaritzako langileen CA - CA personal Gobierno Vasco" - https://crt.sh/?id=7462989 (EXPIRED)

SubCAs issued after the BRs 1.0 have the correct signature parameters:

“CA de Certificados SSL EV” https://crt.sh/?id=584926449

As we told to Kathleen in the related bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1667846#c5), we’ve had it in mind since then. We have two projects in our roadmap:

  1. We’ve created a new CAs tree for all CAs not issuing SSL certificates (natural and legal person, app, code signing, etc.). In consequence, in the medium term, we’ll have only the following two subCAs notified to root program:

    a) “CA de Certificados SSL EV”: for SSL EV/qualified certificates
    b) “EAEko Herri Administrazioen CA - CA AAPP Vascas (2)”: for OV and DV certificates

This new tree is already notified to the Spanish Ministry, and we’re waiting for their validation to start issuing from the new subCAs.

  1. We plan to renovate the subCA “EAEko Herri Administrazioen CA - CA AAPP Vascas (2)” by the end of this year, to include the NULL parameter

As an additional control we’ve included in our procedure the requirement to check any new subCA with zlint.

Thanks

I intend to close this as a duplicate of Bug #1667846.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(bwilson)
Resolution: --- → DUPLICATE
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ca-misissuance]
You need to log in before you can comment on or make changes to this bug.