On Tuesday, 26 March 2019 19:19:24 UTC+3, Wayne Thayer wrote:
> Melis: Thank you for this incident report. I have filed
> https://bugzilla.mozilla.org/show_bug.cgi?id=1539190 and assigned it to you
> to track this issue.
>
> Will you please have one of your colleagues add you as a Kamu SM contact in
> CCADB? That will allow me to confirm that you are representing Kamu SM.
>
> - Wayne
>
> On Mon, Mar 25, 2019 at 7:16 AM Melis BALKAYA via dev-security-policy <
> [email protected]> wrote:
>
> > As a preliminary note, Kamu SM would like to express that the only
> > 2 affected certificates are the test certificates issued to our own domains
> > in order to fulfill the related requirement of the Mozilla Root Inclusion
> > Request.
> >
> > 1. How your CA first became aware of the problem (e.g. via a problem
> > report submitted to your Problem Reporting Mechanism, a discussion in
> > mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and
> > the time and date.
> >
> > During the Mozilla root inclusion process of Kamu SM, we had noticed that our
> > test certificates have serial numbers lower than 64 bits. Our system had been
> > updated to generate serial numbers with greater than 64 bits of entropy in
> > 2017.
> >
> > We monitor the mozilla.dev.security.policy group on a daily basis and we became
> > aware of the EJBCA problem about DarkMatter concerns on 2019-02-26.
> >
> > 2. A timeline of the actions your CA took in response. A timeline is a
> > date-and-time-stamped sequence of all relevant events. This may include
> > events before the incident was reported, such as when a particular
> > requirement became applicable, or a document changed, or a bug was
> > introduced, or an audit was done.
> >
> > 2017-02-03 Kamu SM issued three test certificates (valid, expired and
> > revoked) in order to fulfill the related Mozilla Root Inclusion process
> > requirement.
> >
> > 2017-03-07 In the CP/CPS review for the Mozilla Root Inclusion Request of Kamu
> > SM, we had noticed that our random number generator was not generating
> > serial numbers with 64-bit entropy. Then, we changed the procedure for
> > generating serial numbers to greater than 64-bit entropy. Our "valid test
> > SSL certificate" was renewed with such a serial number. We did not take any
> > action for the other two test certificates because one is revoked and the other
> > is expired.
> >
> > 2019-02-26 We became aware of the EJBCA problem about DarkMatter concerns.
> >
> > 2019-03-08 We informed the software development team about the raised
> > issue.
> >
> > 2019-03-11 They checked all certificates issued by "CN=TUBITAK Kamu SM SSL
> > Sertifika Hizmet Saglayicisi - Surum 1". They came to the conclusion that
> > none of the issued certificates other than the two test certificates
> > mentioned above are affected by this issue.
> >
> > 3. Whether your CA has stopped, or has not yet stopped, issuing
> > certificates with the problem. A statement that you have will be considered
> > a pledge to the community; a statement that you have not requires an
> > explanation.
> >
> > Since none of our customer certificates are affected by the serial number
> > entropy problem, we have continued to issue SSL certificates.
> >
> > 4. A summary of the problematic certificates. For each problem: number of
> > certs, and the date the first and last certs with that problem were issued.
> >
> > 2017-02-03 Kamu SM issued three test certificates (valid, expired and
> > revoked) in order to fulfill the related Mozilla Root Inclusion process
> > requirement.
> >
> > 2019-03-19 With the announcement of the list of CAs that have been
> > noncompliant with BR 7.1, we determined that two test certificates
> > that were issued in the process of the Mozilla root inclusion request are
> > affected by this issue.
> >
> > 5. The complete certificate data for the problematic certificates. The
> > recommended way to provide this is to ensure each certificate is logged to
> > CT and then list the fingerprints or crt.sh IDs, either in the report or as
> > an attached spreadsheet, with one list per distinct problem.
> >
> > 2017-02-03 testsslrevoked.kamusm.gov.tr (0xbe64996b)
> > https://crt.sh/?id=95903318
> >
> > 2017-02-03 testsslexpired.kamusm.gov.tr (0x76cb4f6c)
> > https://crt.sh/?id=95903322
> >
> > 6. Explanation about how and why the mistakes were made or bugs
> > introduced, and how they avoided detection until now.
> >
> > Our certificate issuance system was updated before we were included in the
> > Mozilla Root Store.
> >
> > 7. List of steps your CA is taking to resolve the situation and ensure
> > such issuance will not be repeated in the future, accompanied with a
> > timeline of when your CA expects to accomplish these things.
> >
> > Our affected test certificates were not valid since the beginning, and it
> > is not allowed to issue a valid subscriber certificate which has a serial
> > number lower than 64 bits in our system. All issued subscriber certificates
> > other than those test certificates comply with BR 7.1.
> > _______________________________________________
> > dev-security-policy mailing list
> > [email protected]
> > https://lists.mozilla.org/listinfo/dev-security-policy
> >
Wayne:

I have been added to CCADB as a Kamu SM Contact.

Thanks,
-Melis Şimşek
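The check behind the report above (a CA or auditor walking its issued certificates and flagging serial numbers too short to carry 64 bits of CSPRNG output, as BR 7.1 requires), as an added example that is not Kamu SM's or Mozilla's code. The DER helpers, the certificate skeleton and the batch statistics are constructed here; only the two serial numbers come from the report. The generator at the end shows the shape of a compliant serial and, in a comment, the sign-bit pitfall that the thread's EJBCA discussion concerns.

```python
"""Serial-number checks for the issue in this thread. BR 7.1 requires at least 64
bits of CSPRNG output in every serial; RFC 5280 4.1.2.2 requires a positive
integer of at most 20 octets. Added example, not Kamu SM's or Mozilla's code;
the DER helpers and certificate skeleton are constructed for illustration."""
import secrets

MIN_CSPRNG_BITS = 64      # BR 7.1
MAX_SERIAL_OCTETS = 20    # RFC 5280 4.1.2.2
SHORT_SERIAL_OCTETS = 8   # fewer content octets than this is the "short serial" signal


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value):
    """Minimal DER INTEGER for a non-negative value (leading 0x00 only if the top bit is set)."""
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def read_tlv(buf, pos):
    """Decode one tag-length-value at pos; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated DER")
    return tag, content, pos + length


def serial_from_der_certificate(der):
    """Walk Certificate -> tbsCertificate -> [version] -> serialNumber and return the integer."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, content, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                        # optional EXPLICIT [0] version comes first
        tag, content, nxt = read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(content, "big", signed=True)


def build_sample_certificate(serial):
    """Constructed skeleton: real version and serial fields, placeholder remainder."""
    version = der_tlv(0xA0, der_int(2))               # v3
    rest_of_tbs = der_tlv(0x30, b"")                  # stands in for signature, issuer, ...
    tbs = der_tlv(0x30, version + der_int(serial) + rest_of_tbs)
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


def serial_content_octets(serial):
    """Content octets of the minimal DER encoding of the serial's value."""
    return serial.bit_length() // 8 + 1


def check_serial(serial):
    """Findings for one serial; an empty list means nothing suspicious."""
    findings = []
    if serial <= 0:
        findings.append("serial must be a positive integer")
    octets = serial_content_octets(serial)
    if octets > MAX_SERIAL_OCTETS:
        findings.append(f"{octets} octets, RFC 5280 allows at most {MAX_SERIAL_OCTETS}")
    if octets < SHORT_SERIAL_OCTETS:
        # 64 CSPRNG bits encode to fewer than 8 octets only when the top 8 bits are
        # all zero (about 1 in 256): one short serial is a hint, a population of
        # short serials is a generator bug.
        findings.append(f"{octets} octets ({serial.bit_length()} bits): too short to carry "
                        f"{MIN_CSPRNG_BITS} bits of CSPRNG output except by rare chance")
    return findings


def short_serial_fraction(serials):
    """Fraction of a batch that is short; far above 1/256 points to a systemic bug."""
    return sum(serial_content_octets(s) < SHORT_SERIAL_OCTETS for s in serials) / len(serials)


def new_compliant_serial(random_bits=MIN_CSPRNG_BITS):
    """64 CSPRNG bits under a fixed leading 1 bit: the fixed bit keeps every serial
    the same length and is not counted as entropy. Drawing 8 random bytes and
    clearing the top bit to stay positive would leave only 63 bits of entropy."""
    return (1 << random_bits) | secrets.randbits(random_bits)


# Serial numbers of the two affected test certificates named in the report.
REPORTED_SERIALS = {
    "testsslrevoked.kamusm.gov.tr": 0xBE64996B,
    "testsslexpired.kamusm.gov.tr": 0x76CB4F6C,
}

if __name__ == "__main__":
    for host, serial in REPORTED_SERIALS.items():
        parsed = serial_from_der_certificate(build_sample_certificate(serial))
        print(host, hex(parsed), check_serial(parsed))
    batch = [new_compliant_serial() for _ in range(10_000)]
    print("short fraction in a fresh batch:", short_serial_fraction(batch))
```

Both reported serials encode to 4 and 5 content octets, so the per-certificate check flags them outright; for a live CA the useful signal is the batch fraction, which for a generator emitting a full 64 random bits sits near 1/256 and for a generator with fewer bits climbs well above it.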

