This is a preliminary incident report.
1.) How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
We were informed by a third party via D-TRUST’s Incident Report Mechanism that D-TRUST has issued a certificate whose RSA key does not comply with the Mozilla Root Store Policy and the Baseline Requirements of the CA/Browser Forum.
2.) A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
2021-02-05, 00:41 (CET): initial report
2021-02-05, 07:00 (CET): Start of investigation
2021-02-05, 10:30 (CET): Preliminary internal feedback with investigation result
2021-02-05, 11:00 (CET): Information to the subscriber about the incident
2021-02-05, 11:22 (CET): Information to the submitter on further procedure
3.) Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
D-TRUST already has measures in place to prevent the issuance of certificates for RSA keys whose modulus length is not divisible by 8.
4.) A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
Number of affected certificates: 1
Issuing date of first certificate: 2019-02-14
Issuing date of last certificate: 2019-02-14
5.) The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
All affected certificates can be found here:
6.) Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
Investigation is still ongoing. Result will be published with the final incident report.
7.) List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
We already contacted the certificate holder and we will have the certificate revoked at short notice.
Further action, if required, will be published with the final incident report.
We plan to publish a final incident report by 2021-02-10.