Incident reports: ERROR IN DV OID VALUE (deviation 4)
How Telia became aware:
Telia got a preliminary CA audit report on 25th June 2018. One of its BR deviations was a finding that "17 Telia DV certificates had incorrectly same OID value that was used for Telia OV certificates."

Timeline of actions:
On the same day Telia fixed the OID value in the DV profile so that the error won't happen again. Telia's opinion is that the incorrect OID value has no impact on any common system, but anyway Telia's plan is to revoke all incorrect certificates ASAP and at the latest in September 2018. Customers need to replace their original incorrect certificate with a new certificate provided by Telia. Telia will update this bug until all incorrect certificates are revoked.

Summary and details of problematic certificates:
About ~300 of Telia DV certificates for a single pilot DV Customer included OV OID 2.23.140.1.2.2 instead of DV OID 2.23.140.1.2.1. All incorrect ones were enrolled between 20-Mar-2018 and 25-Jun-2018. All are logged to CT and can be found using the given dates and issuer "Telia Domain Validation SSL CA v1". Certificates are also available in the Telia CA database.

Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now:
Telia CA started to enroll DV SSL certificates in March 2018. Previously all Telia's SSL certificates were OV SSL certificates. The new certificate type was basically a sub-type of the Telia OV certificate but with fewer subject fields. Its profile was copied from OV and then modified, tested and piloted, but still there was this error in the OID value that was undetected because it won't have any effect anywhere and was commonly used by Telia before.

Steps to fix:
1. fix the DV profile; DONE 25-Jun-2018, no errors occurred after that
2. reproduce all incorrect certificates and provide those to Customer; ONGOING, planned to finish 30-Sep-2018
3. revoke all incorrect ones; ONGOING, planned to finish 30-Sep-2018
4. Telia CA decided to improve its testing process to avoid similar errors in the future; DONE 6-Jul-2018

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

