> On Jul 29, 2017, at 09:08, kaddachi olfa via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> ==> The CA proceeded to notify the end entity of the certificate 
> https://crt.sh/?id=21813439. The certificate is revoked on 28/07/2017. No new 
> certificate is issued by TunServerCA2.to this end entity.
> ==> Yes the CA has revoked the certificate https://crt.sh/?id=99182607 on 
> 2017-03-03 and issue a new one for the end entity 
> https://crt.sh/?id=99462700. The new certificate contains both names in SAN 
> (DNS=vpn.tunisieclearing.com and Nom DNS=vpn.tunisieclearing.tn). The CA, at 
> the time of issuance, has  verified that the Applicant had the right to use 
> and had the control of the both Domain Names.
> ==> The CA has revoked the certificate https://crt.sh/?id=15126121 on 
> 2016-03-21 when the CA discover the mistake in the SAN extension. A new 
> certificate is issued on the same day (2016-03-21) with the right SAN 
> (*.sonede.com.tn). See the certificate below:
> ==>Yes https://crt.sh/?id=10975511 is an expired certificate which contain an 
> IPAddress SAN of The new certificate for the end entity 
> (mail.tunisiaexport.tn) has been issued by the CA on 14-12-2016. See 
> certificate below:
> ==> The CA proceeded to notify the end entity of the certificate 
> https://crt.sh/?id=79470561&opt=cablint. The certificate is revoked on 
> 28/07/2017 and replaced by a new certificate which does not contain  in SAN 
> extension the internal name "adv-mail.calladvance.local". See ertificate 
> below:
> Olfa Kaddachi

These incidents appear to demonstrate a lack of sufficient technical controls 
to prevent certificates from being issued with unvalidated and invalid data. 
Would you please describe:

1) the technical controls currently implemented in the issuance process;
2) the deficiencies identified in those controls after the misissuance of each 
of these certificates;
3) the implemented and planned improvements to the technical controls to 
prevent these errors from happening again.


dev-security-policy mailing list

Reply via email to