In the course of the other discussion it was revealed that EJBCA by
PrimeKey has apparently:

1. Made serial numbers with 63 bits of entropy the default, which is
   not in compliance with the BRs for globally trusted CAs and SubCAs.

2. Misled CAs to believe this setting actually provided 64 bits of
   entropy.

3. Discouraged CAs from changing that default.

This raises 3 derived concerns:

4. Any CA using the EJBCA platform needs to manually check if they have
   patched EJBCA to comply with the BR entropy requirement, despite
   EJBCA's publisher (PrimeKey) telling them otherwise.  Maybe this
   should be added to the next quarterly mail from Mozilla to the CAs.

5. Is it good for the CA community that EJBCA seems to be the only
   generally available software suite for large CAs to use?

6. Should the CA and root program community be more active in ensuring
   compliance by critical CA infrastructure providers such as EJBCA and
   the companies providing global OCSP network hosting?

The above issue first came up in Message ID
<mailman.266.1551055169.6709.dev-security-pol...@lists.mozilla.org>
posted on Mon, 25 Feb 2019 08:39:07 UTC by Scott Rea, and subsequently
led to a number of replies, including at least one reply from Mike
Kushner from EJBCA and a discovery that Google Trust Services was also
hit with this issue to the tune of 100K non-compliant certificates.

On 07/03/2019 18:59, Jakob Bohm wrote:
> This thread is intended to be a catalog of general issues that come/came
> up at various points in the DarkMatter discussions, but which are not
> about DarkMatter specifically.
>
> Each response in this thread should have a subject line of the single
> issue it discusses and should not mention DarkMatter except to mention
> the Timestamp, message-id and Author of the message in which it came up.
>
> Further discussion of each issue should be in response to that issue.
>
> Each new such issue should be a response directly to this introductory
> post, and I will make a few such subject posts myself.
>
> Once again, no further mentions of Darkmatter in this thread are
> allowed, keep those in the actual Darkmatter threads.
>
> Enjoy

Jakob

-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
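The post above tells CAs to "manually check" their serial numbers but does not show how. The following is an added example written for this page; it is not code from the post, from EJBCA/PrimeKey, or from any CA. It assumes (the thread itself does not say so) that the 63-bit figure is what you get when a CA draws 8 random octets and forces the most significant bit to 0 so the DER INTEGER stays positive; the `weak_serial_63bit` function reproduces that assumed pattern, `audit_serials` spots it in a batch of issued serials (for instance the `serial=...` lines printed by `openssl x509 -noout -serial`), and `compliant_serial` shows a generator that keeps at least the 64 bits of CSPRNG output the Baseline Requirements (section 7.1) demand. The function names and the `seeded_bytes` helper are this example's own.

```python
"""
Serial-number entropy: detecting the assumed 63-bit pattern and generating
BR-compliant serials.  Added example, not code from the post or from EJBCA.

Assumption (labelled): a "63-bit" default means 8 random octets with the
sign bit cleared to 0.  The audit below only detects that shape; a serial
that embeds a fixed prefix or a timestamp would look longer and would need
a different test.
"""
import random
import secrets
from typing import Callable, Iterable

BR_MIN_ENTROPY_BITS = 64      # BR 7.1: at least 64 bits of CSPRNG output
BR_MAX_SERIAL = 2 ** 159      # 20 positive DER octets (RFC 5280 4.1.2.2) => < 2^159

RandomBytes = Callable[[int], bytes]


def random_bits_after_sign_clear(n_octets: int) -> int:
    """Entropy left when the top bit of an n-octet random value is forced to 0."""
    return 8 * n_octets - 1


def weak_serial_63bit(rng: RandomBytes = secrets.token_bytes) -> int:
    """Hypothetical generator with the assumed defect: 8 octets, sign bit cleared."""
    value = int.from_bytes(rng(8), "big")
    return value & 0x7FFF_FFFF_FFFF_FFFF   # bit 63 is no longer random: 63 bits remain


def compliant_serial(n_octets: int = 16, rng: RandomBytes = secrets.token_bytes) -> int:
    """Draw n_octets of CSPRNG output, clear the sign bit, keep >= 64 random bits.

    Clearing the top bit costs one bit, so n_octets must be at least 9; the
    default 16 octets leave 127 random bits.  Zero is re-drawn because the BRs
    require a serial greater than 0.
    """
    bits = random_bits_after_sign_clear(n_octets)
    if bits < BR_MIN_ENTROPY_BITS:
        raise ValueError(f"{n_octets} octets leave only {bits} random bits")
    if n_octets > 20:
        raise ValueError("a DER INTEGER serial may not exceed 20 octets")
    mask = (1 << bits) - 1
    while True:
        value = int.from_bytes(rng(n_octets), "big") & mask
        if value > 0:
            return value


def parse_openssl_serial(line: str) -> int:
    """Parse one line of `openssl x509 -noout -serial` output, e.g. 'serial=0A1B...'."""
    text = line.strip()
    if text.lower().startswith("serial="):
        text = text[len("serial="):]
    return int(text, 16)


def audit_serials(serials: Iterable[int], min_sample: int = 20) -> dict:
    """Summarise a batch of issued serials against BR 7.1 and the 63-bit pattern.

    A generator that really emits 64 random bits yields a 64-bit-long value about
    half of the time, so a batch of min_sample or more serials in which no value
    reaches 64 bits is flagged; the odds of such a batch coming from a genuine
    64-bit generator are 2^-len(batch).
    """
    serials = list(serials)
    max_len = max((s.bit_length() for s in serials), default=0)
    out_of_range = sum(1 for s in serials if not 0 < s < BR_MAX_SERIAL)
    return {
        "count": len(serials),
        "max_bit_length": max_len,
        "out_of_range": out_of_range,
        "likely_under_64_bits": len(serials) >= min_sample and max_len < BR_MIN_ENTROPY_BITS,
    }


def seeded_bytes(seed: int) -> RandomBytes:
    """Deterministic byte source for reproducible demos ONLY; never use for real serials."""
    r = random.Random(seed)
    return lambda n: r.getrandbits(8 * n).to_bytes(n, "big")


if __name__ == "__main__":
    rng = seeded_bytes(2019)
    weak_batch = [weak_serial_63bit(rng=rng) for _ in range(200)]
    good_batch = [compliant_serial(rng=rng) for _ in range(200)]
    # Constructed sample, as a CA might paste from `openssl x509 -noout -serial`:
    pasted = [parse_openssl_serial("serial=7F3A9C0B2D4E6F80"),
              parse_openssl_serial("serial=00F1E2D3C4B5A697")]
    print("weak batch  :", audit_serials(weak_batch))
    print("good batch  :", audit_serials(good_batch))
    print("pasted lines:", audit_serials(pasted))
```

The audit is only a screening test: it tells you that serials never exceed 63 bits, which is consistent with the assumed defect, not that the remaining 63 bits came from a CSPRNG. Run it over a large sample of serials from each issuing CA (including historical ones) before concluding anything.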

