It's a trap. I do wish memes showed up here....

Censys shows something like 130 globalsign certs with abbreviated joi info. I 
think we show 16?
From: dev-security-policy <> on 
behalf of Corey Bonnell via dev-security-policy 
Sent: Thursday, August 22, 2019 8:57:42 PM
To: Doug Beattie <>; 
Subject: Re: GlobalSign: SSL Certificates with US country code and invalid 

Hi Doug,
Thank for you for posting this incident report to the list. I have one 
clarifying question in regard to the correctness criteria for the jurisST field 
when performing the scanning for additional problematic certificates. Is 
GlobalSign allowing state abbreviations in the jurisST field, or only full 
state names?

From: dev-security-policy <> on 
behalf of Doug Beattie via dev-security-policy 
Sent: Thursday, August 22, 2019 11:35
Subject: GlobalSign: SSL Certificates with US country code and invalid 

Today we opened a bug disclosing misissuance of some certificates that have
invalid State/Prov values:;data=02%7C01%7C%7Ceba31d5add5949261f1508d7271662df%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637020849406465940&amp;sdata=sgDFjHsrYMjJMl02%2Bj3BH7Hw%2FUPNR3O8q6r8nr3OgZE%3D&amp;reserved=0

On Tuesday August 20th 2019, GlobalSign was notified by a third party
through the report abuse email address that two certificates were discovered
which contained wrong State information, either in the stateOrProvinceName
field or in the jurisdictionStateOrProvinceName field.

The two certificates in question were:;data=02%7C01%7C%7Ceba31d5add5949261f1508d7271662df%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637020849406465940&amp;sdata=jXC4T%2BbvYYNdPJhXUukJT7cGEYgv0Lyg3qFO81S9xPE%3D&amp;reserved=0;data=02%7C01%7C%7Ceba31d5add5949261f1508d7271662df%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637020849406465940&amp;sdata=KJ7FfggP5XKliFv%2FL2VLwpRtG8bcg7Eq%2FzFG6qx8ndQ%3D&amp;reserved=0

GlobalSign started and concluded the investigation within 24 hours. Within
this timeframe GlobalSign reached out to the Certificate owners that these
certificates needed to be replaced because revocation would need to happen
within 5 days, following the Baseline Requirements. As of the moment of
reporting, these certificates have not yet been replaced, and the offending
certificates have not been revoked. The revocation will happen at the latest
on the 25th of August.

Following this report, GlobalSign initiated an additional internal review
for this problem specifically (unexpected values for US states in values in
the stateOrProvinceName or jurisdictionStateOrProvinceName fields). Expected
values included the full name of the States, or their official abbreviation.
We reviewed all certificates, valid on or after the 21st of August, that
weren't revoked for other unrelated reasons.

To accommodate our customers globally, the stateOrProvinceName field or in
the jurisdictionStateOrProvinceName are text fields during our ordering
process. The unexpected values were not spotted or not properly corrected.
We have put additional flagging in place to highlight unexpected values in
both of these fields, and are looking at other remedial actions. None of
these certificates were previously flagged for internal audit, which is
completely randomized.

We will update with a full incident report for this and also disclose all
other certificates found based on our research.

dev-security-policy mailing list

dev-security-policy mailing list

Reply via email to