Here's the incident report:

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, via a discussion in mozilla.dev.security.policy, or via a Bugzilla bug), and the date.

Post-linting self check.

2. A timeline of the actions your CA took in response.

A. Jan 18, 2019 - Investigation began.
B. Jan 21, 2019 - Found impacted certificate policy template and blocked it from further usage.
C. Jan 21, 2019 - Certificate was revoked.
D. Jan 21, 2019 - Vendor was contacted.
E. Jan 23, 2019 - Received reconfiguration procedure from Vendor.
F. Jan 23, 2019 - Fixed impacted certificate policy template.
G. Jul 8, 2019 - This disclosure.

3. Confirmation that your CA has stopped issuing TLS/SSL certificates with the problem.

Confirmed.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

1 certificate: https://crt.sh/?id=1120102462&opt=zlint,ocsp

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

https://crt.sh/?id=1120102462&opt=zlint,ocsp

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The incident concerns 1 certificate. The root cause of this issue was pre-issuance linting configuration tests conducted to avoid certificate misissuance. One test case was to create a certificate registration policy with SCT extensions, but the policy was intentionally not listed in the configuration for CT logging. The expected result of this test was an error, but it turned out that the certificate was issued and logged. We got an explanation from the Vendor: "This publication is due to the Default logging group. Any RP configured for CT that isn't in a different group will be picked up by the default group."

Remediation items:

1. Reviewed all certificate policy templates dedicated for test cases, ensuring that all of them are BR compliant and none of them contains problematic configuration.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
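As an added illustration of the root cause (not code from the CA or its vendor), the following Python models the "Default logging group" fallback the vendor described, next to a fail-closed variant that would have produced the error the test case expected, plus the kind of template review listed under remediation. All names, the group layout and the policy templates are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model of the vendor's explanation: a registration policy (RP)
# that carries the SCT extension is logged through the CT logging group it is
# assigned to, and an unassigned RP silently falls through to "Default".
# Policy and group names below are hypothetical.


@dataclass(frozen=True)
class RegistrationPolicy:
    name: str
    embeds_sct: bool  # template requests the SCT extension


@dataclass
class CtConfig:
    groups: dict  # group name -> set of RP names explicitly listed
    default_group: str = "Default"


def explicit_group(policy, cfg):
    """Return the group that explicitly lists the policy, or None."""
    for group, members in cfg.groups.items():
        if policy.name in members:
            return group
    return None


def issue_fail_open(policy, cfg):
    """Behaviour from the report: an unassigned SCT-bearing RP is picked up
    by the default group, so the cert is issued and logged, not rejected."""
    if not policy.embeds_sct:
        return ("issued", None)
    return ("issued", explicit_group(policy, cfg) or cfg.default_group)


def issue_fail_closed(policy, cfg):
    """Hardened rule: an SCT-bearing RP without an explicit CT group is an
    error, which is the outcome the pre-issuance test case expected."""
    if not policy.embeds_sct:
        return ("issued", None)
    group = explicit_group(policy, cfg)
    if group is None:
        return ("rejected", "SCT policy %r has no CT logging group" % policy.name)
    return ("issued", group)


def audit_templates(policies, cfg):
    """Remediation-style review: SCT-bearing templates that would rely on
    the default-group fallback instead of an explicit assignment."""
    return [p.name for p in policies
            if p.embeds_sct and explicit_group(p, cfg) is None]


# Constructed configuration reproducing the report's test case.
CFG = CtConfig(groups={"Production": {"ev-tls", "dv-tls"}})
UNLISTED_TEST_RP = RegistrationPolicy("test-sct-unlisted", embeds_sct=True)
```

Running `audit_templates` over every test-case template against the live CT configuration is the check that would have surfaced the unlisted policy before a certificate was issued.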

