Dear m.d.s.p,

We at Google Trust Services have been following the thread discussing Dark Matter's root inclusion request. In particular, the elements of the thread that discuss the EJBCA serial number generation logic stood out to us.

This is because we use EJBCA for some of our own CAs. This element of the thread spurred us to review how our EJBCA-based CAs were generating serial numbers. As a result of this review, we determined that our legacy EJBCA CAs were exhibiting the same behavior.

Though we believe this does not represent a material security issue, and we believe that this issue is systemic given that it is a result of the behavior of the most common CA software in use in the WebPKI, we are actively working on a post-mortem and are evaluating if and how to replace the affected certificates.

It is noteworthy that the associated EJBCA CAs have been patched, and any new certificates will not have this issue. Additionally, these CAs were already actively being deprecated in favor of a new generation of EJBCA and a bespoke CA code base that do not exhibit this behavior.

We will follow up with a post-mortem when our investigation is complete.

Ryan Hurst
Product Manager
Google Trust Services

dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy