Mike,

How do you plan to stop similar issues from occurring in future?

Thank you

Burton


On Wed, 28 Oct 2020, 10:55 Mike Kushner via dev-security-policy, <
dev-security-policy@lists.mozilla.org> wrote:

> Hi all,
>
> We were alerted to the fact that EJBCA does not calculate certificate and
> OCSP validities in accordance with RFC 5280, which has been a requirement
> since BR 1.7.1. The word "inclusive" was not caught, meaning that a
> certificate/response issued by EJBCA will have a validity of one second
> longer than intended by the RFC.
>
> This will only cause an incident for certificates of a validity of exactly
> 398 days - any certificates with shorter validities are still within the
> requirements.
>
> This has been fixed in the coming EJBCA 7.4.3, and all PrimeKey customers
> were alerted a week ago and recommended to review their certificate
> profiles and responder settings to be within thresholds.
>
> While investigating this we noticed that several non-EJBCA CAs seem to
> issue certificates with the same non-RFC-compliant validity calculation
> (but still within the 398 day limit), so as a professional courtesy we would
> like to alert other vendors to review their implementations and lessen the
> chance of any misissuance.
>
> Cheers,
> Mike Agrenius Kushner
> Product Owner, EJBCA
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
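The off-by-one Mike describes is easy to check for on the receiving side. The following is an added example, not code from the thread or from EJBCA: it parses the ASN.1 time strings a certificate carries, computes the validity period the way RFC 5280 section 4.1.2.5 defines it (notBefore through notAfter, inclusive, so the difference plus one second), and compares it to the 398-day figure from the message. The sample times are constructed; the 398-day limit and the one-second inclusiveness are the only facts taken from the thread and the RFC.

```python
from datetime import datetime, timedelta, timezone

ONE_SECOND = timedelta(seconds=1)
MAX_VALIDITY_DAYS = 398  # limit quoted in the message (BR 1.7.1)


def parse_asn1_time(value: str) -> datetime:
    """Parse a DER UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ).

    RFC 5280 requires certificate times to be expressed in UTC ('Z') with
    one-second granularity, which is exactly the granularity the bug is about.
    """
    if not value.endswith("Z"):
        raise ValueError("certificate times must be UTC ('Z' suffix)")
    digits = value[:-1]
    if len(digits) == 12:              # UTCTime: two-digit year
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:            # GeneralizedTime: four-digit year
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError(f"unrecognised time encoding: {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def validity_period(not_before: datetime, not_after: datetime) -> timedelta:
    """RFC 5280: the validity period runs from notBefore through notAfter,
    inclusive. The notAfter second is itself part of the period, so the
    length is (notAfter - notBefore) + 1 second, not the bare difference."""
    if not_after < not_before:
        raise ValueError("notAfter precedes notBefore")
    return (not_after - not_before) + ONE_SECOND


def not_after_for(not_before: datetime, days: int) -> datetime:
    """Latest notAfter giving an inclusive validity of exactly `days` days.
    This is the calculation a CA should use when building the certificate."""
    return not_before + timedelta(days=days) - ONE_SECOND


def check_validity(not_before_asn1: str, not_after_asn1: str,
                   max_days: int = MAX_VALIDITY_DAYS) -> dict:
    """Lint-style check on the two time strings from a certificate.

    Returns the inclusive validity in seconds and whether it is within
    max_days; a period even one second over the limit is reported as
    non-compliant, which is precisely the case described in the thread.
    """
    period = validity_period(parse_asn1_time(not_before_asn1),
                             parse_asn1_time(not_after_asn1))
    seconds = int(period.total_seconds())
    return {"seconds": seconds,
            "days": seconds / 86400,
            "compliant": period <= timedelta(days=max_days)}


# Constructed sample: a certificate intended to be valid for 398 days.
NOT_BEFORE = "20201001000000Z"
# Exclusive (buggy) calculation: notAfter = notBefore + 398 days.
BUGGY_NOT_AFTER = "20211103000000Z"
# Inclusive (correct) calculation: notAfter = notBefore + 398 days - 1 second.
CORRECT_NOT_AFTER = "20211102235959Z"

if __name__ == "__main__":
    for label, not_after in (("buggy", BUGGY_NOT_AFTER), ("correct", CORRECT_NOT_AFTER)):
        print(label, check_validity(NOT_BEFORE, not_after))
```

The same arithmetic applies to OCSP responses (thisUpdate through nextUpdate), so the `validity_period` helper can be reused with those two fields and a different `max_days`; the one-second difference only matters for certificates whose validity sits exactly at the limit, which is why the message says shorter validities remain within the requirements.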