Hi Jonathan, 

Please find below the description of the technical and organizational controls 
required:

1) The current process of certificate issuance is composed of 4 steps:
step 1: Registration process: 
This step consists of the verification of the following items:
• the subscriber identity
• the accuracy of the certificate requests (RA is currently using this URL to 
check the CSR 
https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp)
• the possession of the domain names (whois, organization, validation 
phone,...) 
• ....
After that, the RA operator inserts all the required data in the RA interface; 
these controls are implemented:
• control of the syntax of the server name
• control of the email of the server administrator
• control of the identifier of the administrator
• check of the CSR

step 2: Validation process:
In this step, another registration operator (different from the first one) 
checks all the inserted data. This check consists of the verification of 
inserted data against paper data. 
step 3: Issuance of the certificate:
In this step, the only control consists of the check of the data in the CSR 
against the inserted data. In the event of any error, the request is rejected.
step 4: Check of the issued certificate:
In this step, another registration operator checks the issued certificate before 
its delivery.

2) The deficiencies identified in those controls after the misissuance of each 
of these certificates are essentially:
• controls on the field subject alternative names:
    o this field must not contain private addresses
    o this field must not contain the 127.0.0.1 address
    o this field must not contain a local FQDN
    o this field must at least contain the CN

3) The implemented and planned improvements to the technical controls to 
prevent these errors from happening again:
The NDCA is implementing a new system (Managed PKI solution) which includes 
such controls in different fields (CN, mail of administrator, check of CSR, 
check of subject alternative names, ...).

Thanks
Olfa
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
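
The four subject alternative name checks listed under point 2 of the message, written out as an added example; this is not code from the original message or from the NDCA's system. The function names, the LOCAL_SUFFIXES list and the sample request are assumptions made for illustration.

```python
import ipaddress

# Assumption: suffixes treated as "local". A production check would compare
# the rightmost label against the IANA root zone list instead.
LOCAL_SUFFIXES = (".local", ".localhost", ".localdomain", ".internal", ".lan")

def norm(name):
    return name.rstrip(".").lower()

def is_local_name(name):
    """True for single-label names and names under a non-public suffix."""
    n = norm(name)
    n = n[2:] if n.startswith("*.") else n
    return "." not in n or n.endswith(LOCAL_SUFFIXES)

def check_san(common_name, san_entries):
    """Return findings for (kind, value) SAN pairs; empty list means pass."""
    findings, seen = [], set()
    for kind, value in san_entries:
        seen.add(norm(value))
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            addr = None
        if addr is not None:
            # Same checks whether the literal was typed as IP or as DNS.
            if addr.is_loopback:
                findings.append(f"loopback address: {value}")
            elif not addr.is_global:
                findings.append(f"private or reserved address: {value}")
        elif kind == "DNS":
            if is_local_name(value):
                findings.append(f"local name: {value}")
        else:
            findings.append(f"malformed {kind} entry: {value}")
    if norm(common_name) not in seen:
        findings.append(f"CN not present in SAN: {common_name}")
    return findings

# Constructed sample request, not taken from any real certificate.
SAMPLE_CN = "www.example.com"
SAMPLE_SAN = [("DNS", "mail.example.com"), ("IP", "127.0.0.1"),
              ("IP", "10.0.0.5"), ("DNS", "srv01.corp.local"),
              ("DNS", "intranet")]

if __name__ == "__main__":
    for finding in check_san(SAMPLE_CN, SAMPLE_SAN):
        print(finding)
```

Running the check at the issuance step, with any finding rejecting the request, would put it alongside the existing CSR comparison described in step 3.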