Hi everyone,

 

On Friday at 1:00 pm, we accidentally introduced a bug into our issuance
system that resulted in five serverAuth-code signing certificates that did
not comply with the Baseline Requirements. The change modified a handful of
code signing certificates into a pseudo-SSL profile. Because they were
intended to be code signing certificates, the certificates issued off a
code-signing intermediate (with code-signing as the sole EKU). The
certificates contain a serverAuth EKU despite the intermediate's EKU
restriction. The certificates also lack a domain name. Instead, the CN and
dNSName include the code signing applicant's name. Because the certs lack a
domain name and there is an EKU mismatch between the issuer and end entity
certs, the certs can't be misused.

 

Our systems detected the issue shortly after the change. We corrected the
code, and revoked the certificates. We already scanned our entire
certificate database to ensure these are the only certificates affected by
the bug.

 

The certificates in question are:

* 02CD2F16F3CA4FCC7378C917FFD5F6A0
* 09A88902AF0698841167E814DB8B3FB8
* 0D7C350D52821BFD2326270B9215DCE5
* 0356D3A74CFA29BB5E65569E0532F134
* 089FBE93D335ADB8BDFCDCF492083B68

 

The bug was introduced, ironically, in code we deployed to detect potential
errors in cert profiles. This error caused the specified code signing
certificates to think they needed dNSNames and serverAuth. Let me know if
you have questions.

 

Thanks,

Jeremy 
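
The two profile conditions described in the message above (an end-entity EKU outside the issuing intermediate's EKU set, and serverAuth with a dNSName that is not a domain name) can be caught by a pre-issuance lint. The following is an added example, not part of the original message and not the CA's own code; the dict layout, the function name `lint_profile`, the finding strings and the sample applicant name are assumptions constructed for illustration.

```python
import re

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning
ANY_EKU = "2.5.29.37.0"              # anyExtendedKeyUsage

# A dNSName must be dot-separated LDH labels (optionally a leading "*." label).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DNS_RE = re.compile(rf"^(?:\*\.)?{_LABEL}(?:\.{_LABEL})+$")


def lint_profile(cert, issuer_ekus):
    """Return findings for a to-be-issued certificate (hypothetical record format).

    cert: dict with 'ekus' (list of OID strings) and 'dns_names' (list of str).
    issuer_ekus: EKU OIDs on the issuing intermediate; empty means unrestricted.
    """
    findings = []
    ekus = set(cert.get("ekus", []))
    allowed = set(issuer_ekus)

    # EKU nesting: every end-entity EKU must be permitted by the intermediate.
    if allowed and ANY_EKU not in allowed:
        for oid in sorted(ekus - allowed):
            findings.append(f"eku_not_permitted_by_issuer:{oid}")

    # Every dNSName entry must be syntactically a domain name.
    dns_names = cert.get("dns_names", [])
    for name in dns_names:
        if len(name) > 253 or not _DNS_RE.match(name):
            findings.append(f"dnsname_not_a_domain:{name}")

    # serverAuth only makes sense with at least one real domain name.
    if SERVER_AUTH in ekus and not any(_DNS_RE.match(n) for n in dns_names):
        findings.append("serverauth_without_domain_name")
    return findings


# Constructed samples: the profile shape described in the message, and the intended one.
ISSUER_EKUS = [CODE_SIGNING]
MISISSUED = {"ekus": [SERVER_AUTH], "dns_names": ["Example Software Inc"]}
INTENDED = {"ekus": [CODE_SIGNING], "dns_names": []}

if __name__ == "__main__":
    for label, cert in (("misissued", MISISSUED), ("intended", INTENDED)):
        print(label, lint_profile(cert, ISSUER_EKUS))
```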

 

 

 
