Hi Jonathan,

Please find below the description of the technical and organizational controls required:

1) The current process of certificate issuance is composed of 4 steps:

Step 1: Registration process:
This step consists of the verification of the following items:
• the subscriber identity
• the accuracy of the certificate requests (RA is currently using this URL to check the CSR https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp)
• the possession of the domain names (whois, organization, validation phone, ...)
• ...
After that, the RA operator inserts all the required data in the RA interface; these controls are implemented:
• control of the syntax of the server name
• control of the email of the server administrator
• control of the identifier of the administrator
• check of the CSR

Step 2: Validation process:
In this step, another registration operator (different from the first one) checks all the inserted data. This check consists of the verification of inserted data against paper data.

Step 3: Issuance of the certificate:
In this step, the only control consists of the check of the data in the CSR against the inserted data. In the event of any error, the request is rejected.

Step 4: Check of the issued certificate:
In this step, another registration operator checks the issued certificate before its delivery.

2) The deficiencies identified in those controls after the misissuance of each of these certificates are essentially:
• controls on the field subject alternative names:
  o this field must not contain private addresses
  o this field must not contain the 127.0.0.1 address
  o this field must not contain a local FQDN
  o this field must at least contain the CN

3) The implemented and planned improvements to the technical controls to prevent these errors from happening again:
The NDCA is implementing a new system (Managed PKI solution) which includes such controls in different fields (CN, mail of administrator, check of CSR, check of subject alternative names, ...).

Thanks
Olfa
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
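
The four subject alternative name rules listed under point 2 of the message, written as a pre-issuance check. This is an added example, not part of the original message and not NDCA's or the Managed PKI solution's code. It assumes the CN and SAN entries have already been extracted from the CSR; the function names, the internal-suffix list and the sample requests are constructed for illustration.

```python
import ipaddress

# Assumption: the message says only "local FQDN"; this suffix list is illustrative.
INTERNAL_SUFFIXES = (".local", ".localdomain", ".internal", ".lan", ".corp", ".home")

def normalize(value):
    return value.strip().rstrip(".").lower()

def check_san(common_name, san_entries):
    """Return (entry, reason) pairs for every violated subjectAltName rule."""
    violations, seen = [], set()
    for raw in san_entries:
        entry = normalize(raw)
        seen.add(entry)
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            ip = None
        if ip is not None:
            if ip.is_loopback:            # 127.0.0.0/8 and ::1
                violations.append((raw, "loopback address"))
            elif ip.is_private or ip.is_link_local:
                violations.append((raw, "private address"))
            continue
        host = entry[2:] if entry.startswith("*.") else entry
        if "." not in host:               # single label such as "srv01" or "localhost"
            violations.append((raw, "local name"))
        elif host.endswith(INTERNAL_SUFFIXES):
            violations.append((raw, "local FQDN"))
    if normalize(common_name) not in seen:
        violations.append((common_name, "CN missing from SAN"))
    return violations

# Constructed sample requests (CN, SAN entries), not taken from any real certificate.
GOOD = ("www.example.com", ["www.example.com", "example.com"])
BAD = ("mail.example.com", ["intranet.example.local", "10.0.0.5", "127.0.0.1", "srv01"])

if __name__ == "__main__":
    for cn, sans in (GOOD, BAD):
        problems = check_san(cn, sans)
        print(cn, "->", "accept" if not problems else "reject")
        for entry, reason in problems:
            print("   ", entry, ":", reason)
```

A request is rejected when the returned list is non-empty, which matches step 3 of the described process, where any error leads to rejection.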

