On Thu, Aug 10, 2017 at 11:55 AM, identrust--- via dev-security-policy < [email protected]> wrote:
> On Thursday, August 10, 2017 at 12:23:55 AM UTC-4, Lee wrote: > > What's it going to take for mozilla to set up near real-time > > monitoring/auditing of certs showing up in ct logs? > > > > Lee > > > > On 8/9/17, Alex Gaynor via dev-security-policy > > <[email protected]> wrote: > > > (Whoops, accidentally originally CC'd to m.d.s originally! Original > mail > > > was to IdenTrust) > > > > > > Hi, > > > > > > The following certificates appear to be misissued: > > > > > > https://crt.sh/?id=77893170&opt=cablint > > > https://crt.sh/?id=77947625&opt=cablint > > > https://crt.sh/?id=78102129&opt=cablint > > > https://crt.sh/?id=92235995&opt=cablint > > > https://crt.sh/?id=92235998&opt=cablint > > > > > > All of these certificates have a pathLenConstraint value with CA:FALSE, > > > this violates 4.2.1.9 of RFC 5280: CAs MUST NOT include the > > > pathLenConstraint field unless the cA boolean is asserted and the key > usage > > > extension asserts the keyCertSign bit. > > > > > > Alex > > > > > > -- > > > "I disapprove of what you say, but I will defend to the death your > right to > > > say it." -- Evelyn Beatrice Hall (summarizing Voltaire) > > > "The people's good is the highest law." -- Cicero > > > GPG Key fingerprint: D1B3 ADC0 E023 8CA6 > > > > > > > > > > > > > > > -- > > > "I disapprove of what you say, but I will defend to the death your > right to > > > say it." -- Evelyn Beatrice Hall (summarizing Voltaire) > > > "The people's good is the highest law." -- Cicero > > > GPG Key fingerprint: D1B3 ADC0 E023 8CA6 > > > _______________________________________________ > > > dev-security-policy mailing list > > > [email protected] > > > https://lists.mozilla.org/listinfo/dev-security-policy > > > > We aware of this situation and had previously introduced logic into our > certificate authority that a pathLengthConstraint will never be set for a > certificate other than a CA. We have confirmed that only the stated > five (5) > certificates contain the issue. Three (3) of these are real certificates; > however, one has expired. We have revoked the other two certificates. The > remaining two (2) are pre-certificates. It might be helpful if you can share more details regarding this situation, to better help the community understand the procedures Identrust has in place. 1) Were you aware of this issue before it was reported? It's unclear, based on this reply, whether this was something you were previously aware of, given the logic you mentioning having introduced. 2) Given this issue, have you examined other Identrust-issued certificates for issues - for example, running the corpus of issued certificates over the past year (whether from your own DB or logged in CT) - for other forms of violations, such as by using tools as certlint or cablint? 3) What processes and procedures are in place at Identrust to help ensure certificates properly adhere to RFC 5280? Why did these not detect the issue? What steps are being taken in the future to provide greater assurance of future conformance? While it's useful to hear that you've revoked those certificates, it's equally useful to help the community understand what, if any, changes that Identrust is making. If the answer is "There was a bug, we fixed it," then it's useful to understand what, if any, changes are being made to detect and/or prevent such bugs in the future. Cheers _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
