- How your CA first became aware of the problem.
Microsoft PKI Services has had an issue brought to our attention regarding our failure to update our “Microsoft PKI Services Certification Practices Statement v3.1.7”.
In Section 188.8.131.52, in regard to Domain Validation, we have not clearly delineated that some of the methods we use have been deprecated. We became aware of this issue on February 10, 2021, during discussions and review related to another Bugzilla task that we are working on, 1670337 - Microsoft PKI Services: Certificate Mis-Issuance, DNSNames must have a valid TLD (mozilla.org).
- A timeline of the actions your CA took in response.
A. 2021-Feb-10 - Andrew Ayer suggested that we open a separate Bugzilla task regarding updating our CPS.
B. 2021-Feb-10 - On the same day, we confirmed that Microsoft PKI Services does not use either deprecated method (184.108.40.206.3 or 220.127.116.11.6).
C. 2021-Feb-15 - We finalized a new version of the CPS that is currently in the process of review and approval with our Policy Authority.
D. 2021-Feb-19 - We re-confirmed from the Domain Validation Cache that we did not use these methods after their deprecation dates.
- Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident.
We never stopped certificate issuance related to the issue, because we were able to verify that our underlying validation processes followed the BRs at all times.
- In a case involving certificates, a summary of the problematic certificates.
We have not discovered any problematic certificates related to this incident. This bug is only related to the structure of the documentation.
- In a case involving certificates, the complete certificate data for the problematic certificates.
Not applicable at this point.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
Section 18.104.22.168 of our CPS expresses the Domain Validation methods that we have used to validate domains. Our objective was to list all the methods that we have used to validate domains, for all certificates that we have issued and are still currently valid. We have had a discussion with our auditors that we need to include all methods that we have used in our CPS for currently valid certificates. Therefore, we had methods listed which have been deprecated.
After discussion with this community, it was pointed out that other CAs differentiate between methods that are currently used and methods that have been used. And we agree that this is a better approach and more clearly communicates when such methods were used and when, if appropriate, they were deprecated.
- List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.
Further mitigation steps that are planned: