Re: AC Camerfirma misissued certificates automated analysis results

2018-05-24 Thread juanangel.martingomez--- via dev-security-policy
Hello,

I've been informed that all certificates identified as erroneous in this 
analysis have been revoked.

Best Regards
Juan Angel
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: AC Camerfirma misissued certificates automated analysis results

2018-03-27 Thread Wayne Thayer via dev-security-policy
Thank you for sharing this information.

On Mon, Mar 26, 2018 at 9:24 AM, juanangel.martingomez--- via
dev-security-policy  wrote:

>
>
> We've done an automated analysis on 2018-03-13 of TLS/SSL certificates
> that have been issued by our CAs:
> - Camerfirma Corporate Server II - 2015
> - Camerfirma Corporate Server - 2009
> - AC CAMERFIRMA AAPP
>
> We discovered 81 certificates that we didn't discover in our previous
> manual analyses of crt.sh. These misissued certificates were due to the
> fact that we had incorrect implementations of TLS/SSL certificates; each of
> the errors was previously corrected.
>
> The reasons why they are incorrect are:
> - (3) cablint ERROR commonNames in BR certificates must be from SAN entries
> - (1) cablint ERROR DNSName is not FQDN
> - (1) cablint ERROR DNSName is not in preferred syntax
> - (11) cablint ERROR Incorrectly encoded TeletexString in Certificate
> - (15) cablint FATAL ASN.1 Error in X520countryName: BER decoding failed
> at octet 0: Parse error
> - (30) cablint ERROR BR certificates must not contain directoryName type
> alternative name
> - (18) x509lint ERROR organizationName too long
> - (2) x509lint ERROR The string contains non-printable control characters
>
> For all of these certificates, the registration process of the domains and
> organizations included in them was carried out correctly.
>
> From the moment they were detected, we began the process of replacing them.
>
> There are 4 that have already expired.
>
> We've revoked 44 of the aforementioned certificates and we are in contact
> with the rest of the subscribing organizations to proceed with their
> substitution, given that most of them are Spanish public administration
> bodies that offer public services and they are unable to replace them in an
> agile way.
>
>

I will expect this to be reflected on your next audit reports as a
violation of BR 4.9.1.1 (9).

> All of these certificates are issued prior to the implementation of
> technical controls that eliminate the possibility of repeating the issuance
> of erroneous certificates with these errors.
>

That is good news.

> We've implemented at 2018-02-14 a technical control that prevents the
> issuance of a TLS/SSL certificate in case cablint or x509lint show an error
> of type 'FATAL' or 'ERROR' so it is expected that there are no new
> certificates with these errors issued by 'Camerfirma Corporate Server II -
> 2015'. 'AC CAMERFIRMA AAPP' & 'Camerfirma Corporate Server - 2009' are
> disabled for the issuance of certificates in our system.
>
> A report with the detected certificates is available at:
> https://bugzilla.mozilla.org/attachment.cgi?id=8962396
>
> Best Regards
> Juan Angel
>
>


AC Camerfirma misissued certificates automated analysis results

2018-03-26 Thread juanangel.martingomez--- via dev-security-policy


We've done an automated analysis on 2018-03-13 of TLS/SSL certificates that 
have been issued by our CAs:
- Camerfirma Corporate Server II - 2015
- Camerfirma Corporate Server - 2009
- AC CAMERFIRMA AAPP

We discovered 81 certificates that we didn't discover in our previous manual 
analyses of crt.sh. These misissued certificates were due to the fact that we 
had incorrect implementations of TLS/SSL certificates; each of the errors was 
previously corrected.

The reasons why they are incorrect are:
- (3) cablint ERROR commonNames in BR certificates must be from SAN entries
- (1) cablint ERROR DNSName is not FQDN
- (1) cablint ERROR DNSName is not in preferred syntax
- (11) cablint ERROR Incorrectly encoded TeletexString in Certificate
- (15) cablint FATAL ASN.1 Error in X520countryName: BER decoding failed at 
octet 0: Parse error
- (30) cablint ERROR BR certificates must not contain directoryName type 
alternative name
- (18) x509lint ERROR organizationName too long
- (2) x509lint ERROR The string contains non-printable control characters

For all of these certificates, the registration process of the domains and 
organizations included in them was carried out correctly.

From the moment they were detected, we began the process of replacing them.

There are 4 that have already expired.

We've revoked 44 of the aforementioned certificates and we are in contact with 
the rest of the subscribing organizations to proceed with their substitution, 
given that most of them are Spanish public administration bodies that offer 
public services and they are unable to replace them in an agile way.

All of these certificates are issued prior to the implementation of technical 
controls that eliminate the possibility of repeating the issuance of erroneous 
certificates with these errors.

We've implemented at 2018-02-14 a technical control that prevents the issuance 
of a TLS/SSL certificate in case cablint or x509lint show an error of type 
'FATAL' or 'ERROR' so it is expected that there are no new certificates with 
these errors issued by 'Camerfirma Corporate Server II - 2015'. 'AC CAMERFIRMA 
AAPP' & 'Camerfirma Corporate Server - 2009' are disabled for the issuance of 
certificates in our system.

A report with the detected certificates is available at: 
https://bugzilla.mozilla.org/attachment.cgi?id=8962396

Best Regards
Juan Angel
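The pre-issuance control described in the thread (refuse to issue when cablint or x509lint reports a 'FATAL' or 'ERROR' finding) is a small amount of logic, but the details matter: the gate should fail closed when the linter output cannot be parsed, and the same parser can produce the per-finding counts used in the report. The following is an added example written for this archive, not Camerfirma's code and not part of cablint or x509lint. It assumes the linter output has already been collected into lines of the form "<linter> <LEVEL> <message>", the way findings are listed in the report above (the tools' own raw output format may differ); the sample lines are constructed, and the NOTICE line is a made-up non-blocking finding.

```python
import re
from collections import Counter

# Severities that block issuance, matching the policy stated in the thread.
BLOCKING_LEVELS = {"FATAL", "ERROR"}

# Assumed line format (taken from how findings are listed in the report, not
# necessarily the linters' raw output):  "<linter> <LEVEL> <message>"
FINDING_RE = re.compile(
    r"^(?P<linter>cablint|x509lint)\s+(?P<level>[A-Z]+)\s+(?P<message>.+)$"
)


def parse_findings(lines):
    """Parse linter output into (linter, level, message) tuples.

    Blank lines are ignored. Any other line that does not match the expected
    format raises ValueError, so malformed or truncated linter output can
    never be mistaken for a clean run.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        match = FINDING_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable linter output: {line!r}")
        findings.append((match["linter"], match["level"], match["message"].strip()))
    return findings


def issuance_allowed(lines):
    """Pre-issuance gate.

    Returns False if any finding is FATAL or ERROR, or if the output could not
    be parsed (fail closed). Returns True only for a clean, parseable run.
    """
    try:
        findings = parse_findings(lines)
    except ValueError:
        return False
    return not any(level in BLOCKING_LEVELS for _, level, _ in findings)


def summarize(lines):
    """Count identical findings, like the '(n) linter LEVEL message' lines in
    the report. Result is sorted by descending count, then linter/level/message."""
    counts = Counter(parse_findings(lines))
    rows = [(n, linter, level, msg) for (linter, level, msg), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2], r[3]))


# Constructed sample: combined output for a small batch that must be rejected.
# The first finding is repeated to exercise the counting in summarize().
SAMPLE_BAD = [
    "cablint ERROR DNSName is not FQDN",
    "cablint ERROR DNSName is not FQDN",
    "cablint FATAL ASN.1 Error in X520countryName: BER decoding failed at octet 0: Parse error",
    "x509lint ERROR organizationName too long",
    "cablint NOTICE constructed sample notice that does not block",
]

# Constructed sample: a clean run with only a non-blocking finding.
SAMPLE_OK = [
    "",
    "x509lint WARNING constructed sample warning that does not block",
]


if __name__ == "__main__":
    for name, sample in (("SAMPLE_BAD", SAMPLE_BAD), ("SAMPLE_OK", SAMPLE_OK)):
        print(name, "-> issue" if issuance_allowed(sample) else "-> BLOCK")
    for n, linter, level, msg in summarize(SAMPLE_BAD):
        print(f"- ({n}) {linter} {level} {msg}")
```

The gate treats an empty finding list as a pass, so the caller must make sure the linters actually ran on the candidate certificate; a linter that was skipped or crashed should surface as unparseable output (or an explicit failure) rather than as an empty list.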