I'm resending this because it seems a number of people did not receive it.  
It's in the mail archives, but it was not apparently delivered to a number of 
recipients:
        https://cabforum.org/pipermail/public/2016-September/008436.html 

All 68 certificates have been revoked.

Doug

--------------------------------------------------------
From: Doug Beattie 
Sent: Tuesday, September 20, 2016 4:48 PM
To: CABFPub
Subject: Public disclosure of 68 GlobalSign SSL certificates issued without EKU 
or KU


Following a recent code update to our GlobalSign Certificate Centre (GCC) 
platform, we have discovered a bug which manifests itself when orders are 
re-issued with modified domains within the Subject Alternative Name field of 
the certificate.  When users added or removed SANs in their OV or EV 
certificate between 29 August and 19 September the resulting certificates did 
not contain the Key Usage (KU) or Extended Key Usage (EKU) extensions.  KU is 
optional according to the BRs, but EKU is mandatory.  All certificates 
contained Basic Constraints.

The issue was identified on Friday and the system patched Friday night.  
Customers in the western region were notified Friday afternoon and those in 
APAC and Japan on Monday and Tuesday (Monday was a holiday in Japan).  The 
support team was in contact with impacted customers Monday and Tuesday to 
follow up and recommend they reissue the certificate and revoke the one 
containing the issue.  Those that could not be contacted had their certificates 
revoked by the GlobalSign vetting team.

Currently, all but 1 certificate has been revoked.  The one remaining will be 
revoked within the next 24 hours and belongs to a high profile site in Japan who, 
due to the timing of the issue, needs another day. 

We have verified that in total 68 certificates were affected.  4 of these are 
EV and 64 OV.   The risk to the community and to our other customers is 
therefore low as we have existing relationships with all customers and have 
vetted them to a higher level of confidence to issue the original certificate 
in the first place, although obviously the inconvenience on both sides is not 
welcome. 

We're putting new systems in place to parse issued certificates for compliance 
with the BRs which will catch any future certificate content issues more 
quickly.

For more information and the list of certificates, see the Mozilla bug filed 
earlier today: https://bugzilla.mozilla.org/show_bug.cgi?id=1304089

Regards,

Doug

_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
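The kind of post-issuance compliance check the message says GlobalSign is putting in place, as an added example that is not GlobalSign's or the CA/Browser Forum's code: a minimal DER walker over a certificate's Extensions SEQUENCE that flags a missing EKU (mandatory under the BRs for subscriber certificates) and a missing KU (optional). The two sample inputs are hand-encoded DER constructed for this example, not taken from the affected certificates.

```python
# Added example (not GlobalSign's code): DER walker that reports whether a
# certificate's Extensions SEQUENCE carries the BR-mandated EKU (and KU).
KU_OID, BC_OID, EKU_OID = "2.5.29.15", "2.5.29.19", "2.5.29.37"

def _read_tlv(buf, pos):  # parse one DER TLV at pos -> (tag, content, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):  # OBJECT IDENTIFIER content octets -> dotted string
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def extension_oids(extensions_der):
    """Return the extnID of every Extension in an Extensions SEQUENCE."""
    tag, body, _ = _read_tlv(extensions_der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)  # Extension ::= SEQUENCE
        _, oid_raw, _ = _read_tlv(ext, 0)   # extnID is its first element
        oids.append(_decode_oid(oid_raw))
    return oids

def br_findings(extensions_der):
    """Missing EKU is an error (BR-mandatory); missing KU only a warning."""
    present = set(extension_oids(extensions_der))
    findings = []
    if EKU_OID not in present:
        findings.append("ERROR: extendedKeyUsage missing")
    if KU_OID not in present:
        findings.append("WARN: keyUsage missing (optional under the BRs)")
    return findings

# Constructed samples in hand-encoded DER (not real GlobalSign certificates):
# the buggy shape from the incident (BasicConstraints only) and a compliant one.
def _ext(oid, value):  # Extension SEQUENCE { extnID OID, extnValue OCTET STRING }
    return bytes([0x30, len(oid) + len(value)]) + oid + value
BC = _ext(b"\x06\x03\x55\x1d\x13", b"\x04\x02\x30\x00")
KU = _ext(b"\x06\x03\x55\x1d\x0f", b"\x04\x04\x03\x02\x05\xa0")  # digitalSignature|keyEncipherment
EKU = _ext(b"\x06\x03\x55\x1d\x25", b"\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01")  # serverAuth
BUGGY_EXTENSIONS = bytes([0x30, len(BC)]) + BC
COMPLIANT_EXTENSIONS = bytes([0x30, len(BC + KU + EKU)]) + BC + KU + EKU
```

Running `br_findings` over the Extensions SEQUENCE of each newly issued certificate reproduces the check that would have caught these 68 certificates before they left the CA.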