Hi Jonathan, 

Please find below the description of the technical and organizational controls.

1) The current certificate issuance process is composed of 4 steps:
Step 1: Registration process:
This step consists of the verification of the following items:
• the subscriber identity
• the accuracy of the certificate requests (the RA is currently using this URL to 
check the CSR 
• the possession of the domain names (WHOIS, organization, validation 
After that, the RA operator inserts all the required data in the RA interface. 
These controls are implemented:
• control of the syntax of the server name
• control of the email of the server administrator
• control of the identifier of the administrator
• check of the CSR

Step 2: Validation process:
In this step, another registration operator (different from the first one) checks 
all the inserted data. This check consists of the verification of the inserted 
data against paper data. 
Step 3: Issuance of the certificate:
In this step, the only control consists of the check of the data in the CSR 
against the inserted data. In the event of any error, the request is rejected.
Step 4: Check of the issued certificate:
In this step, another registration operator checks the issued certificate before 
its delivery.

2) The deficiencies identified in those controls after the misissuance of each 
of these certificates are essentially:
• controls on the subject alternative names field:
    o this field must not contain private addresses
    o this field must not contain address
    o this field must not contain a local FQDN
    o this field must at least contain the CN

3) The implemented and planned improvements to the technical controls to 
prevent these errors from happening again:
The NDCA is implementing a new system (Managed PKI solution) which includes 
such controls in different fields (CN, mail of administrator, check of CSR, 
check of subject alternative names, ...).

dev-security-policy mailing list
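
The private-address, local-FQDN and CN-in-SAN controls listed in item 2 of the message above can be expressed as a pre-issuance check. The following is an added example, not part of the original message and not NDCA's code; the function name, the `(kind, value)` input shape and the list of local TLDs are assumptions.

```python
import ipaddress

# Assumption: TLDs treated as local/internal; adjust to the CA's own policy.
LOCAL_TLDS = {"local", "localhost", "internal", "test", "invalid"}


def check_san(common_name, san_entries):
    """Return (rule, value) findings for a requested SAN; [] means it passes.

    san_entries is a list of (kind, value) pairs with kind "DNS" or "IP",
    as an RA interface might hold them after parsing the CSR.
    """
    findings = []
    seen = set()
    for kind, value in san_entries:
        norm = value.strip().rstrip(".").lower()
        seen.add(norm)
        try:
            # Address check applies even if an IP literal was entered as a DNS name.
            addr = ipaddress.ip_address(norm)
        except ValueError:
            addr = None
        if addr is not None:
            if addr.is_private:
                findings.append(("private-address", norm))
        elif kind == "IP":
            findings.append(("malformed-address", norm))
        else:
            labels = norm.split(".")
            # Single-label names and special-use TLDs cannot be publicly validated.
            if len(labels) < 2 or labels[-1] in LOCAL_TLDS:
                findings.append(("local-name", norm))
    if common_name.strip().rstrip(".").lower() not in seen:
        findings.append(("cn-not-in-san", common_name))
    return findings


# Constructed sample requests (not taken from the misissued certificates).
GOOD = ("www.example.com", [("DNS", "www.example.com"), ("DNS", "example.com")])
BAD = ("www.example.com", [("DNS", "mail.corp.local"), ("IP", "192.168.1.10"),
                           ("DNS", "intranet")])

if __name__ == "__main__":
    for cn, san in (GOOD, BAD):
        print(cn, check_san(cn, san) or "OK")
```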
