Mike,

How do you plan to stop similar issues from occurring in future?

Thank you

Burton

On Wed, 28 Oct 2020, 10:55 Mike Kushner via dev-security-policy, <dev-security-policy@lists.mozilla.org> wrote:

> Hi all,
>
> We were alerted to the fact that EJBCA does not calculate certificate and
> OCSP validities in accordance with RFC 5280, which has been a requirement
> since BR 1.7.1. The word "inclusive" was not caught, meaning that a
> certificate/response issued by EJBCA will have a validity of one second
> longer than intended by the RFC.
>
> This will only cause an incident for certificates of a validity of exactly
> 398 days - any certificates with shorter validities are still within the
> requirements.
>
> This has been fixed in the coming EJBCA 7.4.3, and all PrimeKey customers
> were alerted a week ago and recommended to review their certificate
> profiles and responder settings to be within thresholds.
>
> While investigating this we noticed that several non-EJBCA CAs seem to
> issue certificates with the same non-RFC-compliant validity calculation
> (but still within the 398 day limit), so as a professional courtesy we would
> like to alert other vendors to review their implementations and lessen the
> chance of any misissuance.
>
> Cheers,
> Mike Agrenius Kushner
> Product Owner, EJBCA
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
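The one-second discrepancy Mike describes, as an added example that is not EJBCA's or PrimeKey's code: it computes a certificate's validity period inclusively, as RFC 5280 section 4.1.2.5 defines it, and contrasts the naive "notAfter = notBefore + 398 days" calculation with one that subtracts a second so the inclusive period is exactly 398 days. The notBefore value is a constructed sample, and `audit_profile` is a helper name chosen here.

```python
# Added example (not EJBCA code). RFC 5280 section 4.1.2.5 counts both notBefore
# and notAfter as valid instants, so the validity period is
# (notAfter - notBefore) + 1 second. Setting notAfter = notBefore + 398 days
# therefore yields a 398-day-plus-one-second certificate, the defect in the post.
from datetime import datetime, timedelta, timezone

MAX_DAYS = 398  # BR 1.7.1 limit for subscriber certificates, as cited in the post
ONE_SECOND = timedelta(seconds=1)
# Constructed sample issuance time, not taken from any real certificate.
SAMPLE_NOT_BEFORE = datetime(2020, 10, 28, 10, 55, 0, tzinfo=timezone.utc)


def inclusive_validity(not_before: datetime, not_after: datetime) -> timedelta:
    """Validity period as RFC 5280 defines it: both endpoints inclusive."""
    return (not_after - not_before) + ONE_SECOND


def not_after_naive(not_before: datetime, days: int) -> datetime:
    """The off-by-one-second calculation from the post: add the nominal
    validity to notBefore without accounting for the inclusive endpoint."""
    return not_before + timedelta(days=days)


def not_after_rfc5280(not_before: datetime, days: int) -> datetime:
    """Correct calculation: subtract one second so the inclusive period
    is exactly `days` long."""
    return not_before + timedelta(days=days) - ONE_SECOND


def within_limit(not_before: datetime, not_after: datetime, max_days: int = MAX_DAYS) -> bool:
    """Check an issued certificate against the BR limit using the inclusive rule;
    useful for auditing existing certificates for the exact-398-day edge case."""
    return inclusive_validity(not_before, not_after) <= timedelta(days=max_days)


def audit_profile(days: int, not_before: datetime = SAMPLE_NOT_BEFORE) -> dict:
    """Compare both calculations for a profile with `days` nominal validity."""
    naive = not_after_naive(not_before, days)
    correct = not_after_rfc5280(not_before, days)
    return {
        "naive_seconds": int(inclusive_validity(not_before, naive).total_seconds()),
        "naive_ok": within_limit(not_before, naive),
        "rfc5280_seconds": int(inclusive_validity(not_before, correct).total_seconds()),
        "rfc5280_ok": within_limit(not_before, correct),
    }


if __name__ == "__main__":
    for days in (397, 398):  # only the exact-398-day profile trips the limit
        print(days, audit_profile(days))
```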