Melis: Thank you for this incident report. I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1539190 and assigned it to you to track this issue.
Will you please have one of your colleagues add you as a Kamu SM contact in CCADB? That will allow me to confirm that you are representing Kamu SM.

- Wayne

On Mon, Mar 25, 2019 at 7:16 AM Melis BALKAYA via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> As a preliminary note, Kamu SM would like to express that the only
> affected 2 certificates are the test certificates issued to our own domains
> in order to fulfill the related requirement of the Mozilla Root Inclusion
> Request.
>
> 1. How your CA first became aware of the problem (e.g. via a problem
> report submitted to your Problem Reporting Mechanism, a discussion in
> mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and
> the time and date.
>
> During the Mozilla root inclusion process of Kamu SM, we noticed that our
> test certificates had serial numbers with fewer than 64 bits. Our system
> had been updated to generate serial numbers with greater than 64 bits of
> entropy in 2017.
>
> We monitor the mozilla.dev.security.policy group on a daily basis, and we
> became aware of the EJBCA problem through the DarkMatter concerns on
> 2019-02-26.
>
> 2. A timeline of the actions your CA took in response. A timeline is a
> date-and-time-stamped sequence of all relevant events. This may include
> events before the incident was reported, such as when a particular
> requirement became applicable, or a document changed, or a bug was
> introduced, or an audit was done.
>
> 2017-02-03 Kamu SM issued three test certificates (one valid, one
> expired and one revoked) in order to fulfill the related Mozilla Root
> Inclusion process requirement.
>
> 2017-03-07 During the CP/CPS review for the Mozilla Root Inclusion Request
> of Kamu SM, we noticed that our random number generator was not generating
> serial numbers with 64 bits of entropy. We then changed the procedure for
> generating serial numbers to provide greater than 64 bits of entropy. Our
> "valid test SSL certificate" was renewed with such a serial number.
> We did not take any action for the other two test certificates because one
> is revoked and the other is expired.
>
> 2019-02-26 We became aware of the EJBCA problem through the DarkMatter
> concerns.
>
> 2019-03-08 We informed the software development team about the raised
> issue.
>
> 2019-03-11 They checked all certificates issued by "CN=TUBITAK Kamu SM SSL
> Sertifika Hizmet Saglayicisi - Surum 1". They came to the conclusion that
> none of the issued certificates other than the two test certificates
> mentioned above are affected by this issue.
>
> 3. Whether your CA has stopped, or has not yet stopped, issuing
> certificates with the problem. A statement that you have will be considered
> a pledge to the community; a statement that you have not requires an
> explanation.
>
> Since none of our customer certificates are affected by the serial number
> entropy problem, we have continued to issue SSL certificates.
>
> 4. A summary of the problematic certificates. For each problem: number of
> certs, and the date the first and last certs with that problem were issued.
>
> 2017-02-03 Kamu SM issued three test certificates (one valid, one
> expired and one revoked) in order to fulfill the related Mozilla Root
> Inclusion process requirement.
>
> 2019-03-19 With the announcement of the list of CAs that have been
> noncompliant with BR 7.1, we determined that the two test certificates
> issued during the Mozilla root inclusion request process are affected by
> this issue.
>
> 5. The complete certificate data for the problematic certificates. The
> recommended way to provide this is to ensure each certificate is logged to
> CT and then list the fingerprints or crt.sh IDs, either in the report or as
> an attached spreadsheet, with one list per distinct problem.
>
> 2017-02-03 testsslrevoked.kamusm.gov.tr (0xbe64996b)
> https://crt.sh/?id=95903318
>
> 2017-02-03 testsslexpired.kamusm.gov.tr (0x76cb4f6c)
> https://crt.sh/?id=95903322
>
> 6. Explanation about how and why the mistakes were made or bugs
> introduced, and how they avoided detection until now.
>
> Our certificate issuance system had been updated before we were included
> in the Mozilla Root Store.
>
> 7. List of steps your CA is taking to resolve the situation and ensure
> such issuance will not be repeated in the future, accompanied with a
> timeline of when your CA expects to accomplish these things.
>
> Our affected test certificates have not been valid since the beginning,
> and it is not possible to issue a valid subscriber certificate with a
> serial number of fewer than 64 bits in our system. All issued subscriber
> certificates other than those test certificates comply with BR 7.1.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
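The check the report describes in step 2 (reviewing every serial issued under the Kamu SM SSL issuing CA against BR 7.1) can be scripted. The following is an added example written for this thread; it is not Kamu SM's, Mozilla's or EJBCA's code, and it works only on the serial integers, not on whole certificates. The two serials in the report (0xbe64996b and 0x76cb4f6c) are used as input, and the populations in `main` are constructed with a seeded generator to imitate a 63-bit generator (the EJBCA behaviour of a 64-bit field with the top bit cleared) and a compliant 64-bit one. The threshold `IMPLAUSIBLE_SINGLE_BITS` and the function names are this example's own choices.

```python
"""Audit X.509 serial numbers against BR section 7.1 (>= 64 bits of CSPRNG output).

Added example for the dev-security-policy thread above; not CA or EJBCA code.
Only the serial integers are examined, which is all the check in the
report's timeline needed.
"""
import random
from typing import Dict, List

MIN_SERIAL_BITS = 64  # BR 7.1: the serial must contain at least 64 bits of CSPRNG output

# A single serial this short is practically impossible for a 64-bit CSPRNG output:
# P(bit_length <= 40) = 2**(40 - 64) = 2**-24 for a uniform 64-bit value.
# (Example's own threshold, not a BR number.)
IMPLAUSIBLE_SINGLE_BITS = 40


def parse_serial(text: str) -> int:
    """Accept '0xbe64996b' (as written in the report) or crt.sh style 'be:64:99:6b'."""
    cleaned = text.strip().lower().replace(":", "")
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    return int(cleaned, 16)


def der_integer_length(serial: int) -> int:
    """Content-octet count of the DER INTEGER encoding (RFC 5280 caps it at 20)."""
    if serial < 0:
        raise ValueError("negative serial numbers are not allowed")
    nbytes = max(1, (serial.bit_length() + 7) // 8)
    # A positive INTEGER whose top bit is set needs a leading 0x00 octet in DER.
    if serial != 0 and serial.bit_length() % 8 == 0:
        nbytes += 1
    return nbytes


def check_single(serial: int) -> str:
    """Verdict for one serial on its own.

    'invalid'   -> zero or negative (both forbidden by the BRs)
    'too_short' -> so few bits that 64 bits of CSPRNG output is implausible
    'ok'        -> nothing provable from one value; use check_population()
    """
    if serial <= 0:
        return "invalid"
    if serial.bit_length() <= IMPLAUSIBLE_SINGLE_BITS:
        return "too_short"
    return "ok"


def check_population(serials: List[int]) -> Dict[str, object]:
    """Estimate the generator width from many serials issued by one CA.

    A generator drawing N uniform bits gives bit_length exactly N for about
    half of its serials and never more.  With n samples the largest
    bit_length seen is N with probability 1 - 2**-n, so a maximum below 64
    (as with 63-bit EJBCA serials) shows non-compliance even though each
    serial on its own looks random.
    """
    if not serials:
        raise ValueError("need at least one serial")
    lengths = [s.bit_length() for s in serials]
    width = max(lengths)
    at_width = sum(1 for b in lengths if b == width) / len(lengths)
    return {
        "samples": len(serials),
        "estimated_width_bits": width,
        "fraction_at_width": at_width,
        "compliant": width >= MIN_SERIAL_BITS,
        # Chance a compliant 64-bit generator shows no 64-bit serial in n samples.
        "p_false_alarm": 2.0 ** -len(serials),
    }


if __name__ == "__main__":
    # The two test-certificate serials quoted in the incident report.
    for text in ("0xbe64996b", "0x76cb4f6c"):
        s = parse_serial(text)
        print(text, s.bit_length(), "bits,", der_integer_length(s),
              "DER octets ->", check_single(s))
    # Constructed populations (seeded so the run is repeatable): a 63-bit
    # generator like the EJBCA default, then a compliant 64-bit one.
    rng = random.Random(20190326)
    print(check_population([rng.getrandbits(63) for _ in range(200)]))
    print(check_population([rng.getrandbits(64) for _ in range(200)]))
```

Both serials from the report come out as `too_short` (32 and 31 bits), which matches the CA's own finding; the population check is the part that matters for the 63-bit case the thread refers to, where no individual serial looks wrong and only the absence of any 64-bit value across the issued set reveals the generator width.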