On Wednesday, August 9, 2017 at 12:22:53 AM UTC+9, Fiedler, Arno wrote:
> Dear Mozilla Security Policy Community,
> Thanks for the advice about the short serial numbers and apologies for the 
> delayed response.
> Since 2016, all D-TRUST TLS certificates based on electronic Certificate 
> Requests have a certificate serial number which includes 64 bits of entropy.
> Between 2012 and July 6th, 2017 we produced a small number of certificates 
> with paper-based Certificate Registration Requests using 64 bits of entropy 
> in the "DNqualifier" field instead of the serial number field.
> Since the 7th of July, 2017, all D-TRUST TLS-Certificates have 64 bits of 
> entropy in the serial number.
> I hope this helps and please do not hesitate to contact us if there are any 
> further questions.
> Best regards
> Arno Fiedler
> Standardization & Consulting
> Bundesdruckerei GmbH

Thanks for acknowledging this, Arno, but I can't help but feel this is an 
insufficient and incomplete analysis.

Could you share more along the following:
1) How many certificates were affected?
2) How did you determine this?
3) Did you detect this prior to July 7?
4) If not, why not, given the availability of tools?
5) Have you completed an analysis of what the root cause of your failure to 
follow the Baseline Requirements was?
6) If so, what was it? If not, why not?
7) Was this detected by your audits?
8) If so, why was it not noted at the time? If not, what would you suggest be 
added to prevent this in the future?
9) What systematic steps have you taken to ensure compliance with the BRs in a 
timely fashion?

The goal here is not penance from a CA, nor is it granting indulgences or 
special dispensation - it's about demonstrating an awareness of the 
requirements and the opportunity to improve how a CA is managed to comply with 
these requirements, if it is to continue to be trusted as a CA.
dev-security-policy mailing list
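As an added illustration of the kind of tooling question 4 alludes to (this is not code from the thread, from D-TRUST/Bundesdruckerei, or from Mozilla): BR section 7.1 requires the serial number itself to carry at least 64 bits of CSPRNG output, so entropy placed in a dnQualifier attribute does not satisfy it. The script below, standard library only, walks just enough DER to pull serialNumber out of a certificate, applies the usual length heuristic (a serial that encodes in fewer than 8 significant octets cannot contain 64 random bits), and shows one way to mint a compliant serial. The two sample certificates are constructed here with only the version and serialNumber fields populated; they are not real certificates, and the 0x104F "counter" serial is an invented value.

```python
"""Heuristic check of X.509 serial-number entropy.

Added illustration for this thread; not D-TRUST, Bundesdruckerei or Mozilla
code.  Standard library only: a minimal DER walker pulls serialNumber out of a
Certificate, a checker applies the usual length heuristic, and a generator
shows one way to mint a BR 7.1 style serial.  Both sample certificates are
constructed here (only version and serialNumber are populated) and are not real
certificates.
"""
import secrets

MIN_ENTROPY_OCTETS = 8   # 64 bits of CSPRNG output need at least 8 octets
MAX_SERIAL_OCTETS = 20   # RFC 5280 4.1.2.2 caps serialNumber at 20 octets


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits count length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_serial(cert_der):
    """Return the content octets of tbsCertificate.serialNumber (DER input)."""
    tag, start, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, start, _ = _read_tlv(cert_der, start)      # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend = _read_tlv(cert_der, start)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        tag, vstart, vend = _read_tlv(cert_der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    return cert_der[vstart:vend]


def serial_entropy_check(serial_octets):
    """Return (ok, reason).

    'ok' means the serial is merely long enough to carry 64 random bits; it is
    a necessary condition, not proof of randomness (a 9-octet counter passes).
    A genuinely random serial whose top octet happened to be 0x00 would be
    flagged, so treat a failure as something to investigate, not a verdict.
    """
    if not serial_octets:
        return False, "empty INTEGER"
    value = int.from_bytes(serial_octets, "big", signed=True)
    if value <= 0:
        return False, "serial must be positive (RFC 5280 4.1.2.2)"
    if len(serial_octets) > MAX_SERIAL_OCTETS:
        return False, "serial longer than 20 octets"
    significant = serial_octets.lstrip(b"\x00")     # drop DER sign-padding
    if len(significant) < MIN_ENTROPY_OCTETS:
        return False, (f"{len(significant)} significant octet(s); "
                       f"cannot hold 64 bits of CSPRNG output")
    return True, f"{len(significant)} significant octets (necessary, not sufficient)"


def new_serial(nbits=128):
    """Mint a positive serial carrying nbits of CSPRNG output (64 <= nbits <= 159,
    so the DER encoding, sign padding included, never exceeds 20 octets)."""
    if nbits < 64 or nbits > 159:
        raise ValueError("nbits must be between 64 and 159")
    while True:
        value = secrets.randbits(nbits)
        if value > 0:
            return value


def der_integer_content(value):
    """Content octets of a DER INTEGER for a positive int: a leading 0x00 is
    added when the top bit is set so the value is not read as negative."""
    if value <= 0:
        raise ValueError("positive values only")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def _tlv(tag, content):
    """DER-encode tag + length + content (short and long form lengths)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def fake_cert(serial_content):
    """Constructed minimal Certificate; only version (v3) and serialNumber are
    populated, which is all extract_serial() walks."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    tbs = _tlv(0x30, version + _tlv(0x02, serial_content))
    return _tlv(0x30, tbs)


SEQUENTIAL_CERT = fake_cert(b"\x10\x4f")                       # constructed counter-style serial
RANDOM_CERT = fake_cert(der_integer_content(new_serial()))     # constructed BR-style serial

if __name__ == "__main__":
    for name, cert in (("sequential", SEQUENTIAL_CERT), ("random", RANDOM_CERT)):
        serial = extract_serial(cert)
        ok, why = serial_entropy_check(serial)
        print(f"{name}: serial={serial.hex()} ok={ok} ({why})")
```

To run it over a real certificate, feed extract_serial() the DER bytes of the certificate (convert PEM first); the walker only reads as far as serialNumber, so it tolerates whatever follows. The check is deliberately one-sided: it catches the short, counter-like serials the thread is about, but a long serial still has to be shown to come from a CSPRNG by other means (issuance logs, code review, audit evidence), which is what the questions above are asking for.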