SwissSign has identified the following incident:
two certificates signed with SHA1: violation of BR 7.3.1

1)
During an internal audit on 05.09.2017 we found out that there are two
certificates issued after 16.01.2015 and signed with a SHA1 hash.
After the discovery of the two certificates, the following actions were taken
on 05.09.2017:
a) a security incident was opened
b) the customers were contacted to revoke the two certificates
c) the reason for the error was identified
d) the source of the error was eliminated

2)
On 06.09.2017 the incident, including a description of its treatment, was reported
to the community.

3)
After identifying the error, the configuration of the software was changed in
such a way that the issuing of certificates with a SHA1 signature is no longer
possible.

4)
The following certificates were concerned:
a) CN=v05dua.pnet.ch/[email protected]/OU=IT2/O=Post CH AG/L=Bern/ST=BE/C=CH
Certificate Identifier: CEC009CA9554D878F118F9582749B3
SHA1 Fingerprint: 61:A6:DA:9A:3A:E7:F8:C0:E8:95:AC:26:EB:BD:E1:96:A4:9D:05:EE
Issued: 16.01.2015
Revoked: 2017-09-05 15:37:10
b) CN=*.ari-ag.ch/[email protected]/OU=ARI AG/O=ARAR Informatik AG/L=Herisau/ST=AR/C=CH
Certificate Identifier: 743DDD4855841D256DAFBD0448D957A439DEA593D
SHA1 Fingerprint: 61:A6:DA:9A:3A:E7:F8:C0:E8:95:AC:26:EB:BD:E1:96:A4:9D:05:EE
Issued: 02/02/2017
Revoked: 2017-09-06 08:42:42:42

5)
The following reasons for the misissuance have been identified:
a) the correct configuration of the customer account to prevent the issuance of
SHA1 certificates was activated with a delay.
b) a new functionality was introduced in the CA software in January 2017, which
made it possible to reissue the certificate signed with SHA1.

6)
The additional functionality introduced in January 2017 had a weak point.
This vulnerability was only found because of the detailed error analysis
performed after finding the misissued certificate.
The misissued certificates were detected by the improved quality control. No
further measures are currently planned.

7)
The error has been fixed. Configuration measures ensured that no more
certificates can be signed using SHA1.

Best Regards,
Conny Enke
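The audit described in point 1 (finding issued certificates whose signature algorithm is still SHA-1) is the kind of check a CA or relying party can automate over a certificate store. The following is an added example, not SwissSign's code or any tool named in the report: a standard-library-only DER walker that pulls the outer signatureAlgorithm OID and the notBefore date out of each certificate and flags SHA-1 signatures issued on or after a cutoff. The cutoff is a parameter; the sample uses 2016-01-01, the date from which the Baseline Requirements no longer allowed SHA-1 subscriber certificates (an assumption for the sample, not a figure from the report). The sample certificates are constructed skeletons built by a small encoder in the same block, with empty names and a dummy signature, so the check runs offline on realistic structure.

```python
"""Added example: flag SHA-1 signed certificates issued after a cutoff.

Pure standard library. The certificates audited here are constructed
skeletons (see make_sample_cert); they are not real issued certificates.
"""
from datetime import datetime, timezone

# SHA-1 based signature algorithm OIDs (RFC 3279 / RFC 5758).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

# ---- minimal DER reader ------------------------------------------------
def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, contents) for each TLV inside a SEQUENCE/SET value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner

def _decode_oid(value):
    """Dotted OID from OBJECT IDENTIFIER contents (first arc 0/1/2 assumed < 2.40)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _decode_time(tag, value):
    """UTCTime (0x17) or GeneralizedTime (0x18) contents -> aware datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                        # YYMMDDHHMMSSZ; RFC 5280: YY >= 50 -> 19YY
        yy = int(text[:2])
        text = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, text[2:])
    elif tag != 0x18:
        raise ValueError("unexpected time tag %#x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_certificate(der):
    """Return (signature algorithm OID, notBefore) from a DER Certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    parts = list(_children(cert))          # tbsCertificate, signatureAlgorithm, signatureValue
    sig_oid = _decode_oid(next(_children(parts[1][1]))[1])
    fields = list(_children(parts[0][1]))
    if fields[0][0] == 0xA0:               # explicit [0] version is optional
        fields = fields[1:]
    validity = fields[3][1]                # serial, signature, issuer, validity, ...
    nb_tag, nb = next(_children(validity))
    return sig_oid, _decode_time(nb_tag, nb)

def find_sha1_misissuance(certs, cutoff):
    """Return [(name, algorithm, notBefore)] for SHA-1 certs issued on/after cutoff."""
    findings = []
    for name, der in certs.items():
        oid, not_before = parse_certificate(der)
        if oid in SHA1_SIGNATURE_OIDS and not_before >= cutoff:
            findings.append((name, SHA1_SIGNATURE_OIDS[oid], not_before.date().isoformat()))
    return findings

# ---- constructed sample input ------------------------------------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return _tlv(0x06, out)

def make_sample_cert(sig_oid, not_before_utc):
    """Constructed Certificate skeleton: empty names/SPKI, dummy signature (not a real cert)."""
    alg = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")
    validity = _tlv(0x30, _tlv(0x17, not_before_utc.encode()) + _tlv(0x17, b"491231235959Z"))
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + _tlv(0x02, b"\x01") + alg
               + _tlv(0x30, b"") + validity + _tlv(0x30, b"") + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\x00"))

CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)   # assumed policy cutoff for the sample
SAMPLE_CERTS = {
    "sha1-after-cutoff": make_sample_cert("1.2.840.113549.1.1.5", "170202000000Z"),
    "sha1-before-cutoff": make_sample_cert("1.2.840.113549.1.1.5", "140601000000Z"),
    "sha256-after-cutoff": make_sample_cert("1.2.840.113549.1.1.11", "170202000000Z"),
}

if __name__ == "__main__":
    for name, alg, issued in find_sha1_misissuance(SAMPLE_CERTS, CUTOFF):
        print("MISISSUED %s: %s, notBefore %s" % (name, alg, issued))
```

Only the outer signatureAlgorithm is checked, which is the field that determines how relying parties verify the signature; a complete audit would also confirm it matches the inner TBSCertificate.signature field and run over the full issuance log rather than a sample.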
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy