QuoVadis: hostnames not in preferred name syntax
Categories: CA Program :: CA Certificate Compliance, task
People: Reporter: stephen.davidson, Assigned: stephen.davidson
Whiteboard: [ca-compliance] [ev-misissuance]
Attachments: 1 file (481 bytes, text/plain)
- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
HydrantID and QuoVadis identified the certificate via https://crt.sh/?lint=1+week.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
Oct 25 – certificate issued
Oct 26 – certificate error identified and certificate revoked
Oct 27 – root cause investigation; confirmation no other affected certs exist
Oct 28 – confirmation of DigiCert status; work for patch on QuoVadis systems, ZLint contribution
Nov 15 – latest implementation of patch on QuoVadis systems
- Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.
QuoVadis confirms that no other valid certificates exist with the issue.
A patch has been created for QuoVadis legacy systems to ensure that trailing and leading hyphens are caught at all levels of domains. It will be implemented to production systems before November 15.
We have confirmed that DigiCert CertCentral already catches this issue, and no such certificates exist under the DigiCert roots. Nevertheless, an enhancement will be created to implement a secondary catch at the CA level.
- In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g., OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.
The QuoVadis-operated CA for HydrantID issued a certificate with a trailing hyphen in a domain label of FQDNs included in the SAN extension.
This is the sole current certificate with the issue. In the past, QuoVadis issued 6 other certificates with trailing or leading hyphens in a domain label (the majority of which were issued in 2015); all were revoked previously.
- In a case involving certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.
https://crt.sh/?id=5480456410&opt=cablint,x509lint,zlint
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
QuoVadis issuance systems use filters and linting that include (and expand upon) ZLint, which does not catch this issue. The issue was found post-issuance using certlint, which QuoVadis does not use in our live linting.
- List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.
QuoVadis will review the filters for hostnames in preferred name syntax used in QuoVadis legacy systems against those in CertCentral to ensure parity.
DigiCert intends to submit a lint for this issue to ZLint.
We are aware of the related bug at https://bugzilla.mozilla.org/show_bug.cgi?id=1706860.
Comment 1
SHA-256 fingerprints for revoked certs with hostnames not in preferred name syntax
Comment 2
A zlint PR has been opened to include a lint that checks that all Domain Labels are LDH-Labels: https://github.com/zmap/zlint/pull/646. This lint will detect the issue reported in this bug and in related bugs regarding syntactic correctness of Domain Labels.
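The per-label check that the report's patch (leading and trailing hyphens caught at every level of the domain) and the ZLint PR in this comment both describe, as an added Go example; it is neither the QuoVadis patch nor the zlint code, and the sample names are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// isLDHLabel reports whether one DNS label meets the LDH rule of RFC 1123
// preferred name syntax: 1-63 ASCII letters, digits or hyphens, no hyphen first or last.
func isLDHLabel(label string) bool {
	if len(label) == 0 || len(label) > 63 || label[0] == '-' || label[len(label)-1] == '-' {
		return false
	}
	for i := 0; i < len(label); i++ {
		c := label[i]
		if !(c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' || c == '-') {
			return false
		}
	}
	return true
}

// CheckDNSName applies isLDHLabel to every label of a SAN dNSName, not only the
// leftmost one (the gap the report describes). A leading "*" label is accepted
// because the Baseline Requirements permit wildcard names. It returns a
// description of the first offending label, or "" when the name passes.
func CheckDNSName(name string) string {
	if len(name) == 0 || len(name) > 253 {
		return "name length out of range"
	}
	labels := strings.Split(name, ".")
	for i, label := range labels {
		if i == 0 && label == "*" && len(labels) > 1 {
			continue
		}
		if !isLDHLabel(label) {
			return fmt.Sprintf("label %q at index %d is not an LDH label", label, i)
		}
	}
	return ""
}

func main() {
	// constructed sample names, not the certificate from the bug
	for _, n := range []string{"www.example.com", "*.example.com", "bad-.example.com", "-bad.example.com"} {
		fmt.Printf("%-18s -> %q\n", n, CheckDNSName(n))
	}
}
```

A CA-side filter that only inspects the leftmost label would pass "sub.bad-.example.com"; this check rejects it at index 1.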
Comment 3
QuoVadis confirms that the patch on QuoVadis systems will be deployed by EOD on November 15. When complete, QuoVadis will request closure of this bug.
Comment 4
QuoVadis confirms that the updates described above were completed, and requests that this disclosure be marked closed.
Comment 5
I'll close this on Friday, 19-Nov-2021, unless there are additional questions or concerns to address.