Update on Siemens - Certificates with less than 64 bits of entropy The following is regarding the topic https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/vl5eq0PoJxY regarding the “Siemens Issuing CA Internet Server 2016” that is root signed by QuoVadis and independently audited and disclosed.
At the time the issue was reported, Siemens agreed to immediately take the CA offline, and it remains offline pending resolution. This was reported to the listserv by me on 7/20. Siemens confirmed a bug in their internally-developed CA software which meant it was issuing TLS/SSL with 32bit serial numbers, although the serial numbers were non sequential. Siemens informed their external auditors of the situation. It was found that 1201 currently valid certificates chained to the QuoVadis root were affected. An additional 137 currently valid certificates were issued under the previous "Siemens Issuing CA Internet 2013" chained to a Digicert root, noted in an email from Ben Wilson of Digicert yesterday. In the case of the QuoVadis-chained certificates, the certificates are virtually all of one year validity with expirations balanced across the calendar months (there are a handful of two and three year certificates, similar to the Digicert-chained population). The remaining Digicert-chained certificates all expire by end of November 2017. All certificates were issued to Siemens entities and Siemens-controlled domains. Next steps Siemens has moved to accelerate the previously planned replacement of their existing inhouse CA platform with a well-known open source CA with which QuoVadis is well familiar. QuoVadis and Siemens' auditors are coordinating with Siemens to confirm that the new CA configuration meets Baseline Requirements. It is worth noting that some BR controls, particularly related to vetting, are imposed by the Siemens certificate lifecycle system which will continue to be used with the new CA. Siemens will not recommence their inhouse SSL issuance until the new CA is active and confirmed compliant. The new CA is expected to come online in the second week of September. Siemens commits to logging new SSL from that CA in Certificate Transparency. Replacement Although the Siemens PKI is centralised, the certificates are issued to a wide variety of Siemens group companies around the world and are used on both infrastructure and high traffic websites. A rushed revocation and replacement of these certificates would have a negative business impact on Siemens that they believe outweighs the risk of the lower serials entropy (particularly given that they are nonsequential). We propose that Siemens begin the early replacement of the affected certificates as soon as the new CA infrastructure is approved, with the goal of completing the task by January 31, 2018. This will include all the affected certificates (ie those chained from both the QuoVadis and Digicert roots). While Siemens acknowledges that the affected certificates should not have occurred, we point out that they will all be replaced far in advance of the September 2019 date when industry-wide the last certificates issued before the BR change (to larger serial numbers) are scheduled to expire. We request that Siemens be allowed this expanded scope to conduct an orderly replacement of the affected certificates. Many thanks, Stephen Davidson QuoVadis _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy