Hi Jonathan, When something like this occurs the Mozilla community asks for an incident report explaining how the incident occurred, what was done to remediate it, and what procedures and technical controls have been put in place to prevent a future recurrence of the problem. You can see documentation about that here: https://wiki.mozilla.org/CA/Responding_To_An_Incident
I am very interested in knowing how your registration authority infrastructure allowed an invalid (and unaudited) SAN to be issued.

(Note that I am not a Mozilla representative, merely a member of the community who has seen many incident reports)

-Paul

On March 1, 2019 at 11:57:05 AM, 孙圣男 via dev-security-policy ([email protected]) wrote:

> Dear Mozilla:
>
> This problem had been confirmed. We contacted the customer and confirmed this certificate hasn't been deployed to a production system; no damage is caused. This certificate had been revoked on March 1, 2019. We had fixed this bug in the February 27 update.
>
> Best wishes!
>
> Jonathan Sun
> Certificate Product Manager
> International Cooperation Group
> Tel: +86 010 80864127
>
> -----Original Message-----
> From: Buschart, Rufus <[email protected]>
> Sent: 2019-02-28 19:00
> To: [email protected]
> Subject: Certificate Problem Report (WG: CFCA certificate with invalid domain)
>
>> Dear PKI team at CFCA!
>>
>> There is a misissued certificate https://crt.sh/?id=1231965201&opt=cablint,x509lint,zlin from your CA which is not revoked yet. I think you should have a look.
>>
>> With best regards,
>> Rufus Buschart
>>
>> Siemens AG
>> Information Technology
>> Human Resources
>> PKI / Trustcenter
>> GS IT HR 7 4
>> Hugo-Junkers-Str. 9
>> 90411 Nuernberg, Germany
>> Tel.: +49 1522 2894134
>> mailto:[email protected]
>> www.twitter.com/siemens
>> www.siemens.com/ingenuityforlife
>>
>> Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive Officer; Roland Busch, Lisa Davis, Klaus Helmrich, Janina Kugel, Cedrik Neike, Michael Sen, Ralf P. Thomas; Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322
>>
>> -----Original Message-----
>> From: dev-security-policy <[email protected]> On behalf of michel.lebihan2000--- via dev-security-policy
>> Sent: Wednesday, 27 February 2019 08:54
>> To: [email protected]
>> Subject: CFCA certificate with invalid domain
>>
>>> Hello,
>>>
>>> I noticed this certificate https://crt.sh/?id=1231965201&opt=cablint,x509lint,zlint that has an invalid domain `mail.xinhua08.con` in SANs. This looks like a typo and `mail.xinhua08.com` is present in other certificates. Such an issue makes me wonder about the quality of their validation.
>>>
>>> _______________________________________________
>>> dev-security-policy mailing list
>>> [email protected]
>>> https://lists.mozilla.org/listinfo/dev-security-policy
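The thread's root cause is a dNSName SAN whose TLD (`.con`) does not exist, which a pre-issuance lint would have rejected. The following is an added illustration, not code from CFCA, Mozilla or any of the posters: a SAN lint that checks hostname syntax and flags unknown TLDs, pointing out near-miss typos. `KNOWN_TLDS` is a constructed excerpt standing in for the full IANA root-zone list; the function names are my own.

```python
import re

# Constructed excerpt of the IANA TLD list for the example. A real RA would
# load the full file (https://data.iana.org/TLD/tlds-alpha-by-domain.txt)
# and refresh it periodically, since the root zone changes.
KNOWN_TLDS = {"com", "net", "org", "cn", "de", "info", "io", "edu"}

# RFC 1034/1123 label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to suggest the TLD a typo was meant to be."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lint_dns_san(name: str, known_tlds=KNOWN_TLDS) -> list:
    """Return findings for one dNSName SAN; an empty list means it passed."""
    host = name.lower()
    if host.startswith("*."):          # wildcard: validate the base name
        host = host[2:]
    labels = host.split(".")
    if len(host) > 253 or any(not LABEL_RE.match(lbl) for lbl in labels):
        return ["syntactically invalid hostname"]
    if len(labels) < 2:
        return ["bare label, no TLD"]
    tld = labels[-1]
    if tld in known_tlds:
        return []
    near = sorted(t for t in known_tlds if edit_distance(tld, t) == 1)
    msg = f"unknown TLD '{tld}'"
    if near:
        msg += f" (likely typo for {', '.join(near)})"
    return [msg]


def lint_san_list(names) -> dict:
    """Map each SAN to its findings; issuance should be blocked if any is non-empty."""
    return {n: lint_dns_san(n) for n in names}


if __name__ == "__main__":
    sample = ["mail.xinhua08.com", "mail.xinhua08.con", "-bad.example.com"]
    for n, f in lint_san_list(sample).items():
        print(n, "->", f or "ok")
```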

