A Mozilla incident report has been created to track this issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1536760
Doug

From: Doug Beattie
Sent: Tuesday, March 19, 2019 1:53 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Cc: Kathleen Wilson <kwil...@mozilla.com>; Wayne Thayer <wtha...@mozilla.com>; Arvid Vermote <arvid.verm...@globalsign.com>
Subject: Virginia Tech misissuance report for 63 bit serial numbers

Hi Wayne,

Can you open a Mozilla ticket for one of our older customers, Virginia Tech (VT)?

Thanks.

===================

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

We received the disclosure report [1]. Note that this is a technically constrained CA that stopped issuing certificates in April 2018.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

3/19/2019: GlobalSign researched VT issuance based on [1] and found that certificates issued prior to 1 August 2017 were impacted, while certificates issued between 8/1/2017 and 4/26/2018 have sufficient serial number entropy. They are now obtaining certificates from other CAs, so no further non-compliant certificates will be issued.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

This CA stopped issuing certificates on 4/26/2018, so the certificates in question were all issued prior to this date.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

Initial reporting indicates there are 447 certificates issued between 9/30/2016 and 8/1/2017.

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

We are in the process of collecting the list of impacted certificates from VT.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

We will collect the information on how the mistake was made from VT in the coming days.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

This CA is no longer issuing certificates, and it will be revoked as soon as all issued certificates have expired or have been replaced.

References:
[1] https://docs.google.com/spreadsheets/d/1K96XkOFYaCIYOdUKokwTZfPWALWmDed7znjCFn6lKoc/edit#gid=1093195185
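The report above states that certificates issued before 1 August 2017 carry insufficient serial number entropy ("63 bit serial numbers") while later ones do not, and item 5 asks for the affected certificates to be identified from CT. It does not show how a third party would confirm that classification from the certificates themselves. The following is an added example, not code from the report, from GlobalSign, Virginia Tech or Mozilla. It assumes the 63-bit problem is the familiar pattern of a 64-bit random serial whose top bit is always zero (an assumption made here; the report does not describe the mechanism), and every serial it processes is constructed inline, not a real VT serial. It parses the serial straight out of DER or PEM with a minimal ASN.1 reader, so it also works on certificates downloaded from crt.sh.

```python
"""Population-level check for 63-bit certificate serial numbers.

Added example; not code from the report, GlobalSign, Virginia Tech or Mozilla.
Assumes the '63 bit' problem is the pattern where a 64-bit random serial has its
top bit forced to zero. All sample serials below are constructed, not real ones.
"""
import base64
import hashlib
import re


def der_length(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a leading 0x00 keeps it positive."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*children: bytes) -> bytes:
    body = b"".join(children)
    return b"\x30" + der_length(len(body)) + body


def read_tlv(buf: bytes, off: int):
    """Return (tag, content_start, content_end) for the TLV at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length


def serial_from_cert_der(der: bytes) -> int:
    """Serial of Certificate ::= SEQUENCE { tbs SEQUENCE { [0] version?, INTEGER serial, ... } }."""
    tag, off, _ = read_tlv(der, 0)          # Certificate
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, off, _ = read_tlv(der, off)        # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = read_tlv(der, off)
    if tag == 0xA0:                         # optional [0] EXPLICIT version: skip it
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    return int.from_bytes(der[start:end], "big", signed=True)  # negative serials are also bad


_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    m = _PEM.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block")
    return base64.b64decode("".join(m.group(1).split()))


def check_serial_population(serials, field_bits=64, min_sample=20):
    """One serial that fits in 63 bits proves nothing: a correct 64-bit CSPRNG
    serial has bit 63 clear half the time. But for n independent 64-bit serials
    the chance that none sets bit 63 is 2**-n, so a population that never does
    is almost certainly 63-bit. 'ok' only means bit 63 is in use; it does not
    prove the values came from a CSPRNG."""
    usable = [s for s in serials if 0 < s and s.bit_length() <= field_bits]
    top_bit_set = sum(1 for s in usable if (s >> (field_bits - 1)) & 1)
    n = len(usable)
    if n >= min_sample and top_bit_set == 0:
        verdict = "insufficient-entropy"
    elif top_bit_set > 0:
        verdict = "ok"
    else:
        verdict = "inconclusive"
    return {"sample": n, "out_of_range": len(serials) - n, "top_bit_set": top_bit_set,
            "max_bits": max((s.bit_length() for s in usable), default=0),
            "p_all_clear_by_chance": 2.0 ** -n, "verdict": verdict}


def constructed_serials(n: int, clear_top_bit: bool, label: str):
    """CONSTRUCTED deterministic sample; clear_top_bit=True mimics the 63-bit CA."""
    out = []
    for i in range(n):
        raw = int.from_bytes(hashlib.sha256(f"{label}-{i}".encode()).digest()[:8], "big")
        if clear_top_bit or i % 2 == 0:
            raw &= (1 << 63) - 1            # bit 63 cleared
        else:
            raw |= 1 << 63                  # healthy sample: bit 63 set on half of them
        out.append(raw | 1)                 # keep it non-zero
    return out


def minimal_cert_der(serial: int) -> bytes:
    """Constructed DER: Certificate { tbs { version v3, serialNumber } }, cut after the serial."""
    return der_sequence(der_sequence(b"\xa0\x03" + der_integer(2), der_integer(serial)))


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for label, clear in (("before-2017-08-01", True), ("after-2017-08-01", False)):
        certs = [der_to_pem(minimal_cert_der(s)) for s in constructed_serials(40, clear, label)]
        print(label, check_serial_population([serial_from_cert_der(pem_to_der(c)) for c in certs]))
```

Two caveats follow from the logic. A single certificate whose serial happens to have fewer than 64 significant bits is not evidence of anything, so the check only makes sense over a batch such as the CT-logged list item 5 asks for; with the 447 certificates the report mentions, the chance that a correct 64-bit CSPRNG never set bit 63 would be 2**-447. Conversely, an "ok" verdict only shows that the top bit of the field is in use, not that the values are unpredictable, so it is a screening tool, not a substitute for the CA explaining its generator (item 6).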
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy