Apple: Non-compliant Common Name Length

2019-06-05 Thread Apple CA via dev-security-policy
On June 4, Apple submitted an incident report: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1556906, which is reposted below.
___
 

Incident Report

1. How your CA first became aware of the problem (e.g. via a problem report 
submitted to your Problem Reporting Mechanism, a discussion in 
mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the 
time and date.

On 2019-05-21 14:30 PT, the CA compliance team was notified by an internal 
developer that during the course of a code review, it was discovered that 
certificates had been issued with Common Names (CNs) longer than 64 characters. 

2. A timeline of the actions your CA took in response. A timeline is a 
date-and-time-stamped sequence of all relevant events. This may include events 
before the incident was reported, such as when a particular requirement became 
applicable, or a document changed, or a bug was introduced, or an audit was 
done.

2019-05-15 9:00 PT - Code review identified that the software that checks 
certificates for Baseline compliance was not enforcing a max length of 64 
characters for CNs.
2019-05-15 11:24 PT - The only two impacted certificates that were still valid 
were revoked by the developer who identified the issue.
2019-05-21 14:30 PT - Compliance team was notified about the issue.
2019-05-21 18:00 PT - Risk assessment was completed.
2019-05-22 10:00 PT - Software fix was deployed to the production environment.
2019-05-23 8:42 PT - Requested meeting with DigiCert (the Root CA) to discuss 
the incident.
2019-05-24 13:00 PT - Notified Ernst & Young (WebTrust assessors).

3. Whether your CA has stopped, or has not yet stopped, issuing certificates 
with the problem. A statement that you have will be considered a pledge to the 
community; a statement that you have not requires an explanation.

A software update that prevents issuance of certificates with CNs longer than 
64 characters was deployed in production on 2019-05-22 at 10:00 PT.

4. A summary of the problematic certificates. For each problem: number of 
certs, and the date the first and last certs with that problem were issued.

28 certificates were impacted between 2014-11-28 and 2019-03-25.

5. The complete certificate data for the problematic certificates. The 
recommended way to provide this is to ensure each certificate is logged to CT 
and then list the fingerprints or crt.sh IDs, either in the report or as an 
attached spreadsheet, with one list per distinct problem.

A file has been attached with a list of all impacted certificates.

6. Explanation about how and why the mistakes were made or bugs introduced, and 
how they avoided detection until now.

The software that checks certificates for Baseline compliance prior to issuance 
and for quarterly self audits was not enforcing a max length of 64 characters 
for the CN.

7. List of steps your CA is taking to resolve the situation and ensure such 
issuance will not be repeated in the future, accompanied with a timeline of 
when your CA expects to accomplish these things.

i. A software fix that enforces a maximum of 64 character CNs was deployed in 
production on May 22nd.
ii. The internal notification process will be enhanced by mid-June to minimize 
the time between identification of a suspected issue and communication to the 
compliance team.
iii. We plan to implement a second linter (most likely zLint) by end of June, 
which is based on a separate code base, to strengthen the ability to prevent 
and detect mis-issuance.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
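The check that sections 6 and 7 of the report describe as missing is small, which is how it went unnoticed for years. The following Go program is an added example, not Apple's, DigiCert's or zLint's code: it mints a throwaway self-signed certificate with a constructed CN of exactly 64 and then 65 characters, and runs a pre-issuance lint that enforces the X.520 ub-common-name bound of 64 characters that RFC 5280 Appendix A carries forward. The helper names, the example.test zone and the fixture builder are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
	"unicode/utf8"
)

// ubCommonName is the X.520 upper bound on commonName that RFC 5280 Appendix A
// restates (ub-common-name INTEGER ::= 64). The bound counts characters, not
// bytes, so a UTF8String CN is measured in runes below rather than with len().
const ubCommonName = 64

// LintCommonNameLength is the pre-issuance check the report says was absent:
// it refuses a certificate whose subject CN is longer than ub-common-name.
func LintCommonNameLength(cert *x509.Certificate) error {
	n := utf8.RuneCountInString(cert.Subject.CommonName)
	if n > ubCommonName {
		return fmt.Errorf("subject CN is %d characters, exceeds ub-common-name (%d)", n, ubCommonName)
	}
	return nil
}

// selfSignedWithCN is a constructed fixture (an assumption of this example):
// it mints a throwaway self-signed certificate carrying the given CN so the
// lint has real DER to parse. A CA would run the same lint on the to-be-signed
// certificate before the issuing key signs anything.
func selfSignedWithCN(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{"example.test"}, // constructed, reserved test zone
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameOfLength builds a constructed hostname of exactly n characters under
// example.test, so the demo CN looks like the hostnames a CA actually sees.
func hostnameOfLength(n int) string {
	const zone = ".example.test" // 13 characters
	return strings.Repeat("a", n-len(zone)) + zone
}

func main() {
	for _, n := range []int{64, 65} {
		cert, err := selfSignedWithCN(hostnameOfLength(n))
		if err != nil {
			panic(err)
		}
		if err := LintCommonNameLength(cert); err != nil {
			fmt.Printf("CN of %d chars: REJECT (%v)\n", n, err)
		} else {
			fmt.Printf("CN of %d chars: pass\n", n)
		}
	}
}
```

The same function serves both points in the pipeline the report names: the pre-issuance gate and the quarterly self-audit over already-issued certificates. The report's plan to add a second linter from a separate code base addresses the failure mode seen here, where a single checker that silently lacks a rule passes every certificate it sees; two independent implementations have to share the same gap before a violation gets through.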


RE: DigiCert validation issue

2019-06-05 Thread Jeremy Rowley via dev-security-policy
Here's the link: https://bugzilla.mozilla.org/show_bug.cgi?id=1556948


-Original Message-
From: dev-security-policy  On
Behalf Of Jeremy Rowley via dev-security-policy
Sent: Wednesday, June 5, 2019 12:17 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: DigiCert validation issue

I just posted this incident report.  The summary is we had an issue where a
certain path allowed issuance of certs for example.com when only
www.example.com was verified. This incident
happened previously with Comodo here:
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/PoMZvss_PRo/TK8L-lK0EwAJ.
At that time we checked out code, but missed a path. 



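The "path" Jeremy describes, where a completed validation of www.example.com ended up authorizing a certificate for example.com, is a scoping error in the authorization check rather than in the validation itself. The following Go check is an added example, not DigiCert's code: it is the shape of the test an issuance pipeline runs over every requested name before signing, with the rule that a validated name covers itself, covers names below it only when the record for that validation says the method used permits subdomains, and never covers a parent. The Validation type, the function names and the sample names are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Validation records one completed domain-control check. Subdomains says whether
// the validation method used also authorizes names below Name; that is a policy
// decision the CA makes per method, so it is carried on the record rather than
// assumed globally. (Type and field names are assumptions of this example.)
type Validation struct {
	Name       string
	Subdomains bool
}

// normalize lowercases a DNS name and drops whitespace and a trailing dot so
// that "WWW.Example.com." and "www.example.com" compare as the same name.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// isSubdomain reports whether child sits strictly below parent on a label
// boundary: "api.example.com" is below "example.com", "notexample.com" is not.
func isSubdomain(child, parent string) bool {
	return len(child) > len(parent) && strings.HasSuffix(child, "."+parent)
}

// Authorized reports whether requested may appear in a certificate given the
// validations on record. The direction matters: a validated name authorizes
// itself and (when permitted) its subdomains, but never a parent, so a record
// for www.example.com must not satisfy a request for example.com.
func Authorized(requested string, validations []Validation) bool {
	req := normalize(requested)
	if req == "" || strings.Contains(req, "*") {
		// Wildcards have their own rules and are refused here rather than guessed at.
		return false
	}
	for _, v := range validations {
		name := normalize(v.Name)
		if req == name {
			return true
		}
		if v.Subdomains && isSubdomain(req, name) {
			return true
		}
	}
	return false
}

// Unauthorized returns every requested name the records do not cover; a
// non-empty result means the request must be refused before signing.
func Unauthorized(requested []string, validations []Validation) []string {
	var out []string
	for _, r := range requested {
		if !Authorized(r, validations) {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	// Constructed scenario: only www.example.com has been validated.
	onRecord := []Validation{{Name: "www.example.com", Subdomains: true}}
	for _, name := range []string{"www.example.com", "api.www.example.com", "example.com"} {
		fmt.Printf("%-22s authorized=%v\n", name, Authorized(name, onRecord))
	}
	fmt.Println("refuse request for:", Unauthorized([]string{"www.example.com", "example.com"}, onRecord))
}
```

The important property is that the comparison is directional and label-aware. A suffix check without the leading dot would accept notwww.example.com against a record for www.example.com, and any code that walks up the label tree looking for a match is the kind of path that lets a child's validation leak to its parent.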


Re: DigiCert validation issue

2019-06-05 Thread Julien Cristau via dev-security-policy
For those following along at home the incident report with details is in
bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1556948

Cheers,
Julien

On Wed, Jun 5, 2019 at 8:17 AM Jeremy Rowley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> I just posted this incident report.  The summary is we had an issue where a
> certain path allowed issuance of certs for example.com when only
> www.example.com was verified. This incident
> happened previously with Comodo here:
> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/PoMZvss_PRo/TK8L-lK0EwAJ.
> At that time we checked out code, but missed a path.