On Dec 21 at 1715 UST we received a problem report (below) by email to [email protected] from Alex Gaynor relating to a TLS/SSL certificate issued by Swiss Government Public Trust Standard CA 02, a technically constrained external CA operated by Bundesamt fuer Informatik und Telekommunikation (BIT).
Specifically, a SAN in that certificate included a dNSName that ended with two \n characters: https://crt.sh/?id=282646337&opt=cablint

The certificate was revoked by the CA on Dec 22 at 1125 UST.

Upon investigation, the CA reports that the misissuance was the result of administrator error during the manual input of the SAN entry. The misissuance will be reported to the CA's external auditors.

The CA has undertaken to add linting as part of the issuance of their TLS/SSL certificates.

Thanks to Alex Gaynor for reporting the issue.

Regards,
Stephen Davidson
QuoVadis, a WISeKey company

------
From: Alex Gaynor [mailto:[email protected]]
Sent: Thursday, December 21, 2017 1:15 PM
To: Group - QuoVadis Compliance <[email protected]>
Subject: Misissued certificate

Hi,

I'm reporting a misissued certificate from one of your sub CAs: https://crt.sh/?id=282646337&opt=cablint

Specifically, one of the dNSNames ends with two newline (\n) characters, which are not valid in a DNS label.

I am requesting you revoke this certificate and provide a post-mortem to MDSP.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
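
A pre-issuance lint of the kind mentioned in the thread, as an added example that is not part of the original messages and not the CA's tooling: it checks each requested dNSName against the letters-digits-hyphen label syntax and rejects a value ending in \n. The function names and sample hostnames are assumptions made for the illustration.

```python
import re

# One LDH label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
# Used with fullmatch(): a pattern ending in "$" passed to re.match() would
# still accept a single trailing "\n".
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def lint_dnsname(value):
    """Return a list of findings for one dNSName value; empty list means pass."""
    findings = []
    # Report control characters, spaces and non-ASCII explicitly so the
    # operator sees what was pasted or typed by mistake.
    bad = sorted({c for c in value if not 0x21 <= ord(c) <= 0x7E})
    if bad:
        findings.append("illegal characters: " + ", ".join(repr(c) for c in bad))
    if not value or len(value) > 253:
        findings.append("name is empty or longer than 253 characters")
    labels = value.split(".")
    if labels[0] == "*" and len(labels) > 1:
        labels = labels[1:]  # a wildcard is accepted only as the whole leftmost label
    for label in labels:
        if not LABEL_RE.fullmatch(label):
            findings.append("invalid label: " + repr(label))
    return findings


def lint_san_request(dns_names):
    """Map each failing name to its findings; issuance proceeds only if empty."""
    results = {}
    for name in dns_names:
        findings = lint_dnsname(name)
        if findings:
            results[name] = findings
    return results


# Constructed sample input (not the names from the certificate discussed above).
SAMPLE = ["www.example.ch", "*.example.ch", "mail.example.ch\n\n", "-bad.example.ch"]

if __name__ == "__main__":
    for name, findings in lint_san_request(SAMPLE).items():
        print(repr(name), "->", "; ".join(findings))
```

Running the check on the raw operator input, before it is encoded into the certificate to be signed, catches the manual-entry case described above.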

