On Tuesday, 12 December 2017 16:19:22 UTC+1, Nick Lamb wrote:
> Hi,
> 
> I have a couple of follow-up questions if I may:
> 
> On Tue, 12 Dec 2017 02:09:47 -0800 (PST)
> "cornelia.enke--- via dev-security-policy"
> <[email protected]> wrote:
> 
> > The subject information in the affected certificates were not
> > validated correctly due to the misconfiguration. 10 certificates were
> > issued based on this misconfiguration between 2017/12/06 12.10 p.m.
> > UTC and 2017/12/08 3.40 p.m. UTC.
> 
> Can you say more about what validation if any was still in place? Would
> it have been possible, with this misconfiguration, for your CA to issue
> certificates without any of the validation steps required by the BRs?
> 
> Also, from the rest of the description it sounds as though the
> misconfigured system was only used by an existing customer of
> SwissSign, named Secardeo GmbH, is that correct? So in a similar
> situation a hypothetical third party attacker would NOT be able to
> obtain certificates without validation, only the (un)happy incident
> customer?

You are completely right. The certificates were only issued to our partner 
Secardeo GmbH. SwissSign has set up a dedicated test account for this partner. 
The issued certificates were never installed on any system, either by Secardeo 
or by any other party.
No other partner or customer was affected by this misconfiguration.

As SwissSign only allows access to an account by certificates (clientAuth) and 
thus this account was only accessible by Secardeo, no third party or any other 
customer was able to get such an EV certificate.


> 
> > The implemented controls detected the misconfiguration within 24
> > hours. The incorrect configuration was nevertheless recorded as a
> > security incident. The handling of the security incident by the
> > information security management team is still underway. Further
> > measures will be decided within this process.
> 
> I suspect I speak for others on m.d.s.policy when I ask that you let us
> know of any such measures that are decided. This sort of incident could
> happen to many CAs, there's no need for everybody to learn the hard way.

As an immediate measure we have decided not to set up any more test accounts on 
our productive environment until we have decided on long-term countermeasures. 
We will announce the decided countermeasures on Friday December 15th.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
