In September of this year, the CA Symantec revealed[0] that they had
mis-issued, for testing purposes, a number of certificates for domains
that they did not own or control. After an “exhaustive review”, they
issued a Final Report[1] which documented 23 such certificates.

Yesterday, Symantec updated their final report[2] to indicate that the
problem was more extensive than they had at first believed. They said,
in part:

“While our current investigation is ongoing, so far we have found 164
additional instances where test certificates were inappropriately
issued. All of these test certificates have been revoked. These test
certificates were spread over 76 domain owners whom we are in the
process of contacting.”

In addition, they have identified 3073 test certificates which were
issued, after the practice was banned (which happened at different times
for EV certs and other certs), for domains which were unregistered at
the time of issuance. They have provided two lists[3][4], one of the 164
certs and another of the 3073.

They are continuing to search, and will update the Final Report again
when their investigations are complete.

The 164 certificates will be added to Mozilla’s OneCRL system[5]. (We do
not think the risk from the 3073 is significant enough to warrant this
step.)

This message has been posted to begin a discussion in the Mozilla
community as to what additional action, if any, Mozilla should take in
response to these events.

Kathleen, Gerv and Richard

[0] http://www.symantec.com/connect/blogs/tough-day-leaders
[1] https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report.pdf
[2] https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_10_12_2015.pdf
[3] https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportOwnedDomains.pdf
[4] https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportUnregistered.pdf
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1214321

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy