All, I have gone through the July/August posts in m.d.s.policy in order to determine which Bugzilla Bugs I should file.
There are two outliers: ~~ ** Undisclosed intermediates, or those missing audits I have been working diligently on intermediate cert disclosures in the CCADB for many months now. I greatly appreciate the web pages that Rob Stradling created to help me with this effort!!! This has also included work on adding revoked intermediate certs to OneCRL, and I hope the other major root store operators will catch up on this: https://crt.sh/revoked-intermediates Anyways, I have been working on those separately and in contact with those CAs, so I do not plan to file separate bugs, beyond what I have already done or am doing. ** Common Name not in SAN https://groups.google.com/d/msg/mozilla.dev.security.policy/K3sk5ZMv2DE/4oVzlN1xBgAJ It is not clear to me if I need to add this item to the Bugzilla Bugs that I will be filing. Please let me know if you think I need to add this item to the bugs. ~~ Here’s a summary of the bugs that I plan to file as a result of the recent activity in m.d.s.policy. (one bug per CA listed below) My expectation is that the CAs will provide the following information in their bugs: 1) Confirmation that the CA has stopped issuance of certs with these problems. 2) Explanation about how/why the mistakes were made, and not caught/fixed earlier. 3) List of steps the CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when the CA expects to accomplish these things. 4) Updates to confirm when those steps have been completed. I do *NOT* necessarily expect the CAs to revoke all of these certificates. I expect the CAs to do a careful analysis of the situation and determine/explain whether or not they will revoke the certs or let the expire. If the choice is to let them expire, there needs to be good reasons and a timeline for when the bulks of certs will expire. We (Mozilla community) will evaluate such information and provide constructive feedback, and I or Gerv will add a comment in the bug to confirm if the plan (when not revoking) is acceptable, or to state if we/Mozilla will require revocation. Thanks, Kathleen == Actalis == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == Camerfirma == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ URI in dNSName SAN https://groups.google.com/d/msg/mozilla.dev.security.policy/etp2Yz2fmM4/ayBTsfJnBgAJ == Certinomis == Invalidly long serial numbers (Serial Number > 20 Octets) https://groups.google.com/d/msg/mozilla.dev.security.policy/b33_4CyJbWI/74sItqcvBgAJ Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == certSIGN == Invalid common name and invalid SAN dnsName https://groups.google.com/d/msg/mozilla.dev.security.policy/ETG72kifv4k/2BD-CVDDAAAJ == Comodo == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == D-TRUST == dNSName containing '/' https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/uD-Li1w1BgAJ Short / sequential-looking serial numbers https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/uD-Li1w1BgAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ RESOLUTION: https://groups.google.com/d/msg/mozilla.dev.security.policy/UnR98QjWQQs/O-Hf5T4WBwAJ == DigiCert == (Bug #1389172 already created by Jeremy - for the first 3 items below) Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. Invalidly long serial numbers (Serial Number > 20 Octets) https://groups.google.com/d/msg/mozilla.dev.security.policy/b33_4CyJbWI/74sItqcvBgAJ Serial Numbers less than 64-bit entropy https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/5bpr9yBgaYo/rJLOz0XPBQAJ Reserved IP addresses https://groups.google.com/d/msg/mozilla.dev.security.policy/inocepURbNQ/MmkeMvhyCAAJ == Disig == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == DocuSign == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == Entrust == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. == FNMT == "AC FNMT Usuarios” intermediate is not supposed to issue TLS server auth capable certs. [KATHLEEN: Add to OneCRL] https://groups.google.com/d/msg/mozilla.dev.security.policy/Qo1ZNwlYKnY/UrAodnoQBwAJ == GlobalSign == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. == Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) == Serial Numbers less than 64-bit entropy https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ == IdenTrust == pathLenConstraint with CA:FALSE https://groups.google.com/d/msg/mozilla.dev.security.policy/1q_aq5e0El4/LmfGUDmHBwAJ OCSP responder URL that has a HTTPS URI https://groups.google.com/d/msg/mozilla.dev.security.policy/jSHuE-Oc7rY/660iCGPZBgAJ == Izenpe == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ Serial Numbers less than 64-bit entropy https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ == Keynectis == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == Let’s Encrypt == Improperly normalized IDNs https://groups.google.com/d/msg/mozilla.dev.security.policy/g6_zGA2exXw/izYkdc7DBwAJ RESOLUTION: https://groups.google.com/d/msg/mozilla.dev.security.policy/nMxaxhYb_iY/AmjCI3_ZBwAJ == Microsec == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == Netlock == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == PROCERT == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ URI in dNSName SAN https://groups.google.com/d/msg/mozilla.dev.security.policy/etp2Yz2fmM4/ayBTsfJnBgAJ Reserved IP addresses https://groups.google.com/d/msg/mozilla.dev.security.policy/inocepURbNQ/MmkeMvhyCAAJ == QuoVadis == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. Short / sequential-looking serial numbers https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/uD-Li1w1BgAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == SECOM == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. == StartCom == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == Staat der Nederlandend / PKIoverheid == Short / sequential-looking serial numbers https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/uD-Li1w1BgAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ RESOLUTION: https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/W1D4oZ__BwAJ == SwissSign == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. == Symantec == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == Taiwan-CA Inc. (TWCA) == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == T-Systems == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == Visa == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == WISeKey == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
