Hey Ryan, 

Here's the report from CTJ:

Number of affected certificates:
One.  After receiving the revocation request from DigiCert, CTJ scanned their 
certificate database for additional certificates.  This is the only active 
certificate with a reserved IP.  CTJ issued the g2-sanfull01.ctjssl.info 
certificate for its own use. 
 
Cause of missing the revocation:
This certificate was identified as requiring revocation back in February 2016. 
When this was issued, they had already blocked all renewals and issuance of 
certificates with internal names/IP addresses.  Although the certificate was 
scheduled for revocation after CTJ moved away from using the IP address, they 
forgot to revoke this last cert.  Because it was one certificate, CTJ did not 
automate the revocation, making it subject to human error and forgetfulness.  

Remediation actions:
CTJ is revoking this cert.  CTJ is also implementing a CABLint-like process to 
check all certificates each time industry standards change.  They are scanning 
crt.sh daily to verify the compliance of all new certs.

Jeremy
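The remediation above (a cablint-style check over every issued certificate) and the BR 7.1.4.2.1 prohibition quoted further down in Jonathan's message both come down to one test: does any SAN entry carry an IANA reserved IP address or an Internal Name? The script below is an added example written for this page, not code from CTJ, DigiCert or the cablint project. It works on SAN entries that have already been extracted from a certificate (the `(type, value)` tuples you would get from a parser or from crt.sh), and it leans on the Python standard library's copy of the IANA special-purpose registries via `ipaddress`. The `NON_PUBLIC_SUFFIXES` list and the `SAMPLE_SANS` input are constructed for illustration; a production check would compare the last label against the full IANA root zone rather than a hand-picked list.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Assumed list of suffixes that are not delegated in the public DNS root.
# A real Internal Name check must use the full IANA root zone; this short
# list is only an illustration.
NON_PUBLIC_SUFFIXES = {
    "local", "localhost", "localdomain", "internal", "lan", "corp", "home", "intranet",
}


def is_reserved_ip(value: str) -> bool:
    """True if value is not a globally reachable unicast address.

    Covers RFC 1918, RFC 6598 shared space, loopback, link-local, the
    documentation (TEST-NET) ranges, 240/4, multicast, unspecified, IPv6
    ULA and link-local, as recorded in the stdlib's IANA registry tables.
    Unparseable values are reported as reserved so they are not silently
    accepted.
    """
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return True
    # Older stdlib versions do not fold multicast/reserved into is_global,
    # so check those flags explicitly as well.
    return (not ip.is_global) or ip.is_multicast or ip.is_reserved or ip.is_unspecified


def is_internal_name(name: str) -> bool:
    """True if a dNSName is an Internal Name in the BR sense (approximation).

    Flags single-label hosts, names under an assumed non-public suffix,
    and IP literals smuggled into a dNSName entry.
    """
    n = name.lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]
    labels = n.split(".")
    if len(labels) < 2:
        return True
    if labels[-1] in NON_PUBLIC_SUFFIXES:
        return True
    try:
        ipaddress.ip_address(n)
        return True
    except ValueError:
        return False


def lint_sans(sans: Iterable[Tuple[str, str]]) -> List[str]:
    """Return one finding per SAN entry prohibited by BR 7.1.4.2.1.

    sans: iterable of (general_name_type, value), e.g. ("ipAddress", "10.0.0.1")
    or ("dNSName", "www.example.com").
    """
    findings: List[str] = []
    for kind, value in sans:
        if kind == "ipAddress" and is_reserved_ip(value):
            findings.append(f"ipAddress {value}: IANA reserved address")
        elif kind == "dNSName" and is_internal_name(value):
            findings.append(f"dNSName {value}: internal name")
    return findings


# Constructed SAN list for the example; not the contents of any real certificate.
SAMPLE_SANS = [
    ("dNSName", "www.example.com"),
    ("dNSName", "mailserver"),
    ("ipAddress", "10.20.30.40"),
    ("ipAddress", "203.0.113.7"),
    ("ipAddress", "1.1.1.1"),
]


def lint_sample() -> List[str]:
    """Run the linter over the constructed input."""
    return lint_sans(SAMPLE_SANS)


if __name__ == "__main__":
    for finding in lint_sample():
        print(finding)
```

Note that 203.0.113.7 is flagged as well: the documentation ranges (TEST-NET-1/2/3) are IANA special-purpose space, which is exactly the class of address a hand review tends to wave through.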

-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org]
 On Behalf Of Ryan Sleevi via dev-security-policy
Sent: Saturday, August 12, 2017 8:56 PM
To: Ben Wilson <ben.wil...@digicert.com>
Cc: Jonathan Rudenberg <jonat...@titanous.com>; 
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificates with reserved IP addresses

Do you have an estimate on when you can provide an explanation to the community 
about how/why this happened, how many certificates it affected, and what steps 
DigiCert is taking to prevent these issues in the future? Do you have details 
about why DigiCert failed to detect these, and what steps DigiCert has in place 
to ensure compliance from its subordinate CAs?

On Sat, Aug 12, 2017 at 10:19 PM, Ben Wilson via dev-security-policy < 
dev-security-policy@lists.mozilla.org> wrote:

> Thanks.  We've sent an email to the operators of the first two CAs (TI 
> Trust Technologies and Cybertrust Japan) that they need to revoke 
> those certificates.
> Thanks again,
> Ben
>
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+ben=
> digicert....@lists.mozilla.org] On Behalf Of Jonathan Rudenberg via 
> dev-security-policy
> Sent: Saturday, August 12, 2017 7:53 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Certificates with reserved IP addresses
>
> Baseline Requirements section 7.1.4.2.1 prohibits ipAddress SANs from 
> containing IANA reserved IP addresses and any certificates containing 
> them should have been revoked by 2016-10-01.
>
> There are seven unexpired unrevoked certificates that are known to CT 
> and trusted by NSS containing reserved IP addresses.
>
> The full list can be found at: https://misissued.com/batch/7/
>
> DigiCert
>     TI Trust Technologies Global CA (5)
>     Cybertrust Japan Public CA G2 (1)
>
> PROCERT
>     PSCProcert (1)
>
> It's also worth noting that three of the "TI Trust Technologies"
> certificates contain dnsNames with internal names, which are 
> prohibited under the same BR section.
>
> Jonathan
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>