On September 8, 2017, a member of our team discovered that one of our OCSP 
responder certificates had been signed with SHA-1 with a notBefore date of May 
23, 2017.  We initiated an investigation and discovered that there were a total 
of 4 such certificates, all issued on May 23 as annual renewals to support our 
old SHA-1 issuing CAs until the last of the certificates issued from them has 
expired or been revoked and the CAs themselves can be revoked.  The 4 OCSP 
responder certificates have been posted to CT and are available from the 
following URLs:

https://crt.sh/?id=201187008
https://crt.sh/?id=214252118
https://crt.sh/?id=214252119
https://crt.sh/?id=214252120

Our OCSP responses are generated on the same HSMs that host our issuing CAs, so 
the renewal of the OCSP signing certificates is performed using a script 
executed directly on the CA servers during a scheduled quarterly CA room entry. 
This issuance was the result of an oversight in updating that script from the 
one used in 2016, in order to force the non-default behavior of signing the 
responder certificates with a different hash than the one with which the CA 
itself is signed.  None of our active issuing CAs, nor our offline root CAs 
were affected.  Our offline root CAs also use delegated OCSP responder 
certificates, which were also renewed on the same day, but were properly signed 
with SHA-256.  Our active SHA-256 issuing CAs sign OCSP responses directly and 
thus do not require responder certificates.

We are in the process of updating the OCSP responder issuing script and testing 
it in our test environment.  We will then schedule a CA room entry to repeat 
this procedure to issue and deploy new SHA-256 signed certificate replacements 
and revoke the stated 4 certificates.  We expect to complete this by the end of 
the month.

The last still-valid certificate expiration dates for the 4 CAs are as follows:
DVCA: October 24, 2017
OVCA: January 19, 2018
CLACA: December 10, 2018
CSCA: March 18, 2019

Based on these dates, we would anticipate revoking both DVCA and OVCA in Q1 
2018, and performing one more OCSP responder renewal for CLACA and CSCA in 
mid-2018, for which we will use the updated SHA-256 script.  As further 
insurance against this happening in the future, we have updated QA procedures 
to explicitly check the signature algorithm on OCSP responder certificate 
renewals when testing our quarterly CA room activities.

We appreciate the efforts of the independent researchers who have identified a 
variety of issues as of late, and apologize for our oversight in this instance. 
We also welcome any further suggestions members of the community may provide 
on this matter.

Best regards,

Frank Corday

Trustwave
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
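As an added illustration, not Trustwave's renewal script or any code from the message, this Go program shows the kind of QA check the post describes: it issues a constructed one-year OCSP responder certificate under a constructed CA with a chosen signature algorithm, then flags a SHA-1 (or other weak) signature and a missing OCSP-signing extended key usage. All names, and the reuse of one RSA key as both CA and responder key, are assumptions made for brevity.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// AuditResponderCert returns the QA findings for a delegated OCSP responder
// certificate; an empty slice means the renewal passed both checks.
func AuditResponderCert(cert *x509.Certificate) []string {
	var findings []string
	switch cert.SignatureAlgorithm { // the hash the CA signed the responder cert with
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "weak signature algorithm: "+cert.SignatureAlgorithm.String())
	}
	ocsp := false
	for _, eku := range cert.ExtKeyUsage {
		ocsp = ocsp || eku == x509.ExtKeyUsageOCSPSigning
	}
	if !ocsp {
		findings = append(findings, "missing id-kp-OCSPSigning extended key usage")
	}
	return findings
}

// IssueResponderCert mimics the renewal script: a constructed CA signs a one-year
// responder certificate with the requested algorithm (one RSA key reused for brevity).
func IssueResponderCert(sigAlg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Constructed SHA-1 Issuing CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now, NotAfter: now.AddDate(5, 0, 0)}
	// SignatureAlgorithm is the non-default setting the renewal script must force.
	resp := &x509.Certificate{SerialNumber: big.NewInt(2), SignatureAlgorithm: sigAlg,
		Subject: pkix.Name{CommonName: "Constructed OCSP Responder"}, NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}}
	der, err := x509.CreateCertificate(rand.Reader, resp, ca, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Pointed at the four crt.sh certificates linked above, the audit would report the SHA-1 signature that the updated QA procedure is meant to catch before deployment.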
