Forwarding this for Brenda because the list's SPAM filter is preventing her from posting it:
*From:* Brenda Bernal <brenda.ber...@digicert.com>
*Date:* June 1, 2018 at 1:33:46 PM PDT
*To:* <dev-security-policy@lists.mozilla.org>
*Subject:* *Invalid Country Code Issuance*

Digicert has posted a bug (below) on our invalid country code issuance. Wayne requested us to post for forum visibility.

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

The Product team discovered on 2018-05-17 that we had certificates in our system that were issued from two incorrect Country codes, AN and XK, as they were addressing a revalidation question.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

2018/05/17 7:30 AM MT - Certificates were discovered via internal forum discussion
2018/05/17 4:16 PM MT - Certificates were confirmed by Engineering Manager with AN and XK country codes
2018/5/18 5:01 PM MT - 'AN' ISO country code removed from CA
2018/05/25 1:09 PM MT - 'XK' ISO country code removed from CA

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

We have stopped issuing certificates using these country codes at the CA level through code changes as indicated in 2) above.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

7 certs associated with AN country code and 10 certs associated with XK country code
"XK" country code first issued was 2016/12/06 AND last issued was 2018/5/15
"AN" country code first issued was 2015/08/25 AND last issued was 2018/3/13

Here’s the link to the bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1465600 for the crt.sh links to the certificates.

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

We will provide when CT logs are updated.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

a. There was no product team in 2012 when the Baseline Requirement requiring the use of ISO country codes was passed. At the time, an engineer checked the ISO codes, and "AN" was still in transitionary state, while "XK" was included as a user-assigned value. It wasn't clear to that engineer, at that time, that it wasn't officially accepted by the ISO standards, and was allowed in error. We have updated our list to exclude user codes.

b. The "AN" country code was a previously admissible country code by ISO standards. It was removed transitionally on 2011/12/15, which meant it could be used for 5 years while the new codes were adopted. However, it wasn't removed from our database as an allowed value in 2016, due to the lack of a product group and oversight. Product oversight has been established. We have an amended process in place to thoroughly review all ballot impact with subsequent baseline requirement changes that will need to be reflected in software and operational procedures.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
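The two failure modes in the report are a transitionally reserved code (AN) and a user-assigned code (XK) surviving in a CA's allowed-value list. As an added example, not DigiCert's code or part of the original post, here is a small pre-issuance lint that classifies a subject's C= value by reason rather than only pass/fail; the ISO 3166-1 user-assigned ranges are real, while the assigned and reserved sets are constructed samples and the subject parser is a simplification that ignores escaped commas.

```python
import re

# Constructed sample of currently assigned ISO 3166-1 alpha-2 codes. A real linter
# loads the full current list: a stale copy is how a deleted code such as AN survives.
ASSIGNED_SAMPLE = {"US", "NL", "DE", "GB", "FR", "CW", "SX", "BQ"}
# Deleted codes that ISO still lists as transitionally reserved (sample; AN is the reported one).
TRANSITIONALLY_RESERVED_SAMPLE = {"AN"}

def is_user_assigned(code):
    """ISO 3166-1 reserves AA, QM..QZ, XA..XZ and ZZ for user assignment (XK is in XA..XZ)."""
    return code in ("AA", "ZZ") or "QM" <= code <= "QZ" or "XA" <= code <= "XZ"

def classify_country_code(value, assigned=ASSIGNED_SAMPLE, reserved=TRANSITIONALLY_RESERVED_SAMPLE):
    """Say why a C= value is, or is not, acceptable for issuance."""
    code = value.strip().upper()
    if not re.fullmatch(r"[A-Z]{2}", code):
        return "malformed"
    if code in assigned:
        return "assigned"
    if is_user_assigned(code):
        return "user-assigned"
    if code in reserved:
        return "transitionally-reserved"
    return "unassigned"

def country_from_subject(subject):
    """Pull the C attribute out of a simple 'C=.., O=.., CN=..' string (escaped commas not handled)."""
    for part in subject.split(","):
        name, _, val = part.strip().partition("=")
        if name.strip().upper() == "C":
            return val.strip()
    return None

def lint_subjects(subjects):
    """Map each subject that must not be issued to the reason it was rejected."""
    findings = {}
    for subject in subjects:
        country = country_from_subject(subject)
        verdict = "missing" if country is None else classify_country_code(country)
        if verdict != "assigned":
            findings[subject] = verdict
    return findings

if __name__ == "__main__":
    # Constructed subjects carrying the two codes named in the report.
    for subject, reason in lint_subjects(["C=US, O=Example Corp, CN=www.example.test",
                                          "C=AN, O=Example NV, CN=an.example.test",
                                          "C=XK, O=Example SH.P.K., CN=xk.example.test"]).items():
        print(f"REJECT ({reason}): {subject}")
```

Running the check before issuance, against a dated copy of the ISO list that is refreshed on a schedule, turns the "removed from the standard but still in our database" gap into a build-time failure instead of a revalidation surprise.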