In recent weeks, a number of CAs have filed incident reports relating to 
mistakes made when setting critical flags in Subscriber certificate extensions 
since the TLSBRv2 profiles came into force.  We thought it would be worth 
performing a comprehensive survey ourselves in order to discover if any similar 
incidents at other CAs had not yet been detected.

I've run [1] against the primary crt.sh DB, which caused it to trawl through 
the crt.sh ID space starting around the time TLSBRv2 went into force to 
identify any Subscriber certificate containing any common extension with its 
critical flag set incorrectly per §7.1.2.7.6.  I've posted a report of the 
results at [2], which was generated using [3].

Seven further incidents were identified.  I sent Certificate Problem Reports to 
the two CAs whose affected PKI hierarchies are trusted by root programs whose 
representatives are active in monitoring Bugzilla.  Both of those CAs responded 
promptly and filed incident reports: [4] and [5].

Having gathered this data, today I've used it to cross-check the lists of 
affected certificates that CAs have provided with their incident reports.  I 
was surprised to find two bugs ([6] and [7]) without any attached list of 
affected certificates.  I also observed some patterns of "omissions" in the 
disclosed lists of affected certificates, for which I would like to call upon 
the root program owners to clarify their expectations; noting that the CCADB 
incident reporting requirements [8] say that each incident report's "Appendix 
must include a listing of the complete certificate details of all affected 
certificates":

  1. Is a CA's incident report expected to disclose the affected certificates that 
     have already expired prior to the CA's response to the incident?
  2. Is a CA's incident report expected to disclose the affected certificates that 
     have already been revoked prior to the CA's response to the incident?
  3. Is a CA's incident report expected to disclose both an affected precertificate 
     and its corresponding certificate?  Or just one of the pair?


[1] https://gist.github.com/robstradling/6a5ecca872cf28232d90638fc2c44ed5#file-check_extension_criticality-go
[2] https://gist.github.com/robstradling/6a5ecca872cf28232d90638fc2c44ed5#file-report-csv
[3] https://gist.github.com/robstradling/6a5ecca872cf28232d90638fc2c44ed5#file-generate_report-sh
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1888060
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1888104
[6] https://bugzilla.mozilla.org/show_bug.cgi?id=1887096
[7] https://bugzilla.mozilla.org/show_bug.cgi?id=1883416
[8] https://www.ccadb.org/cas/incident-report

--
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
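As an added illustration, not part of Rob's message or of the linked gist [1]: a standalone Go program that applies the §7.1.2.7.6 criticality check described above to a parsed certificate. The expected-criticality table (expectedCritical) is my reading of the TLS BR Subscriber extension table and is an assumption to be verified against the current BRs; subjectAltName is handled separately because it MUST be critical only when the Subject is empty. The certificate it checks is constructed inside the program (BuildTestCert, hostname example.test) with its keyUsage deliberately non-critical and its extKeyUsage deliberately critical, so it is not a certificate issued by any CA. The function names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Finding is one extension whose critical flag disagrees with the profile.
type Finding struct {
	OID      string
	Name     string
	Critical bool   // flag as encoded in the certificate
	Rule     string // the requirement it breaks
}

// Expected criticality of common Subscriber certificate extensions, as I read
// the TLS BR §7.1.2.7.6 table. ASSUMPTION: confirm against the current BRs
// before relying on this. subjectAltName is handled separately (see below).
var expectedCritical = map[string]struct {
	name     string
	critical bool
}{
	"2.5.29.15":               {"keyUsage", true},
	"2.5.29.19":               {"basicConstraints", true},
	"2.5.29.14":               {"subjectKeyIdentifier", false},
	"2.5.29.35":               {"authorityKeyIdentifier", false},
	"2.5.29.32":               {"certificatePolicies", false},
	"2.5.29.37":               {"extKeyUsage", false},
	"2.5.29.31":               {"crlDistributionPoints", false},
	"1.3.6.1.5.5.7.1.1":       {"authorityInformationAccess", false},
	"1.3.6.1.4.1.11129.2.4.2": {"signedCertificateTimestampList", false},
}

const oidSubjectAltName = "2.5.29.17"

// CheckExtensions applies the criticality rules to a raw extension list.
// subjectEmpty reports whether the certificate's Subject is an empty SEQUENCE.
func CheckExtensions(exts []pkix.Extension, subjectEmpty bool) []Finding {
	var findings []Finding
	for _, ext := range exts {
		oid := ext.Id.String()
		if oid == oidSubjectAltName {
			// RFC 5280 §4.2.1.6: SAN MUST be critical when the Subject is empty;
			// the BRs say it SHOULD NOT be critical otherwise.
			if subjectEmpty && !ext.Critical {
				findings = append(findings, Finding{oid, "subjectAltName", false, "MUST be critical when Subject is empty"})
			} else if !subjectEmpty && ext.Critical {
				findings = append(findings, Finding{oid, "subjectAltName", true, "SHOULD NOT be critical when Subject is non-empty"})
			}
			continue
		}
		rule, known := expectedCritical[oid]
		if !known || ext.Critical == rule.critical {
			continue // unlisted extension, or the flag is as required
		}
		want := "MUST NOT be critical"
		if rule.critical {
			want = "MUST be critical"
		}
		findings = append(findings, Finding{oid, rule.name, ext.Critical, want})
	}
	return findings
}

// CheckCriticality runs the check over a parsed certificate.
func CheckCriticality(cert *x509.Certificate) []Finding {
	// An empty Subject is the two-byte DER encoding of an empty SEQUENCE (30 00).
	return CheckExtensions(cert.Extensions, len(cert.RawSubject) <= 2)
}

// BuildTestCert constructs a self-signed leaf whose keyUsage is wrongly
// non-critical and whose extKeyUsage is wrongly critical. Constructed test
// input only; it is not a certificate issued by any CA.
func BuildTestCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// keyUsage = digitalSignature (bit 0); extKeyUsage = id-kp-serverAuth.
	ku, _ := asn1.Marshal(asn1.BitString{Bytes: []byte{0x80}, BitLength: 1})
	eku, _ := asn1.Marshal([]asn1.ObjectIdentifier{{1, 3, 6, 1, 5, 5, 7, 3, 1}})
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // emitted critical with cA=FALSE
		// ExtraExtensions override what Go would derive from the KeyUsage and
		// ExtKeyUsage fields, which is how the wrong flags get into the test cert.
		ExtraExtensions: []pkix.Extension{
			{Id: asn1.ObjectIdentifier{2, 5, 29, 15}, Critical: false, Value: ku},
			{Id: asn1.ObjectIdentifier{2, 5, 29, 37}, Critical: true, Value: eku},
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := BuildTestCert()
	if err != nil {
		panic(err)
	}
	for _, f := range CheckCriticality(cert) {
		fmt.Printf("%s (%s): critical=%t, but it %s\n", f.Name, f.OID, f.Critical, f.Rule)
	}
}
```

Running it reports the two deliberately wrong flags and nothing else, since the critical basicConstraints and non-critical subjectAltName under a non-empty Subject are as the profile requires. To apply the same check to a real certificate, pass the DER of the certificate under review to x509.ParseCertificate in place of BuildTestCert; the check inspects only the raw extension list and the Subject, so it works identically on precertificates.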
