CA first became aware:
We first became aware of the malformed certificates https://crt.sh/?id=250008707&opt=cablint,x509lint,zlint,ocsp and https://crt.sh/?id=49843724&opt=zlint,cablint,x509lint,ocsp via a Bugzilla bug report on 5/18 and an email to practices@.

Timeline of the actions:
5/18 1am UTC: Upon reviewing and verifying that the certs did indeed have a defect, we started our revocation and rekey process by contacting the certificate owners. The owners were not immediately reachable and/or needed time to perform the certificate swap.
5/19 10pm UTC: Certificates were revoked, after owner contact. Well within the 24hr required period.

CA has stopped issuing defect:
The identified certificates were defective due to a bug which dated back to pre-2015. This defect rarely occurred. In February 2018 the issue reoccurred, but was caught/prevented by the linter. We corrected the defect on 2/8/2018.

Summary of the problematic certificates & complete certificate data:
The printable string defect was found in the following certificates:
This bug:
https://crt.sh/?id=250008707&opt=cablint,x509lint,zlint,ocsp
https://crt.sh/?id=49843724&opt=zlint,cablint,x509lint,ocsp
Additionally, upon scanning our certificate store we identified:
https://crt.sh/?id=167970618&opt=cablint,zlint
https://crt.sh/?id=246757501&opt=cablint,x509lint,zlint
All certificates with the defect were revoked within 24hrs following identification.

Explanation about how and why the mistakes were made or bugs introduced:
The defect occurred through improper handling of an extended Unicode character.

List of steps your CA is taking to resolve the situation:
Certificates were revoked and rekeyed. Linting was added to the provisioning pipeline in November 2017 to prevent future occurrences.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
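The defect described in the report above is a value encoded with the DER PrintableString tag whose bytes fall outside the PrintableString alphabet defined in X.680 (A-Z, a-z, 0-9, space, and ' ( ) + , - . / : = ?). A name containing a character such as "é" must instead be encoded as a UTF8String. The following is an added example of the kind of check a pre-issuance linter performs; it is not the CA's code, nor cablint's or zlint's. It walks arbitrary DER (so it can be pointed at a whole TBSCertificate), recurses into constructed types, and reports every PrintableString whose contents violate the alphabet. The sample Names are constructed inline for the example; the subject "Société" is made up and is not the content of any certificate in the report.

```python
# Added example (not the CA's linter): find PrintableString values in DER whose
# bytes are outside the X.680 PrintableString alphabet.

# X.680 PrintableString character set.
PRINTABLE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)

TAG_PRINTABLE_STRING = 0x13
TAG_UTF8_STRING = 0x0C
TAG_OID = 0x06
TAG_SEQUENCE = 0x30
TAG_SET = 0x31


def _read_tlv(buf, pos):
    """Read one DER TLV (single-byte tag, short or long-form length) at pos.
    Returns (tag, value_bytes, position_after_tlv)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def find_bad_printable_strings(der):
    """Return a list of (value_bytes, sorted_bad_byte_values) for every
    PrintableString in `der` that contains non-PrintableString bytes.
    An empty list means the structure passes this check."""
    findings = []

    def walk(buf):
        pos = 0
        while pos < len(buf):
            tag, value, pos = _read_tlv(buf, pos)
            if tag & 0x20:  # constructed (SEQUENCE, SET, [n] EXPLICIT): recurse
                walk(value)
            elif tag == TAG_PRINTABLE_STRING:
                # Compare raw bytes, so a UTF-8 "é" (0xC3 0xA9) is reported
                # as two offending bytes rather than silently decoded.
                bad = sorted({b for b in value if chr(b) not in PRINTABLE})
                if bad:
                    findings.append((bytes(value), bad))

    walk(der)
    return findings


# --- Constructed sample data (hypothetical, not from the reported certs) ---

def _tlv(tag, content):
    """Encode a DER TLV with a minimal (short or long-form) length."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


OID_ORGANIZATION_NAME = bytes.fromhex("55040A")  # id-at-organizationName 2.5.4.10


def name_with_organization(string_tag, value_bytes):
    """Build Name ::= SEQUENCE OF RDN with a single O= attribute, using the
    given string tag for the attribute value."""
    atv = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, OID_ORGANIZATION_NAME) + _tlv(string_tag, value_bytes))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_SET, atv))


# Defective: a UTF-8 "é" stuffed into a PrintableString (the class of bug reported).
BAD_NAME = name_with_organization(TAG_PRINTABLE_STRING, "Société".encode("utf-8"))
# Correct: the same value encoded as UTF8String.
GOOD_NAME = name_with_organization(TAG_UTF8_STRING, "Société".encode("utf-8"))
# Also defective: "&" is ASCII but not in the PrintableString alphabet.
AMPERSAND_NAME = name_with_organization(TAG_PRINTABLE_STRING, b"Smith & Co")
# Clean ASCII value in a PrintableString.
ASCII_NAME = name_with_organization(TAG_PRINTABLE_STRING, b"Societe Inc.")

if __name__ == "__main__":
    for label, der in [("BAD", BAD_NAME), ("GOOD", GOOD_NAME),
                       ("AMPERSAND", AMPERSAND_NAME), ("ASCII", ASCII_NAME)]:
        print(label, find_bad_printable_strings(der))
```

Running this against a full certificate is the same call: feed it the DER bytes of the certificate (or just its tbsCertificate) and any non-empty result is a lint failure to block before signing. The check deliberately compares raw bytes rather than decoded text, since the DER tag, not the bytes' appearance after decoding, is what determines which alphabet applies.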

