Feedback will be appreciated on the following draft for the Bugzilla Bugs that I will be filing for the problems listed below.
Product: NSS Component: CA Certificate Mis-Issuance Whiteboard: [ca-compliance] Blocks: 1029147 Summary: <CA Name>: Non-BR-Compliant Certificate Issuance Description: The following problems have been found in certificates issued by your CA, and reported in the mozilla.dev.security.policy forum. Direct links to those discussions are provided for your convenience. To continue inclusion of your CA’s root certificates in Mozilla’s Root Store, you must respond in this bug to provide the following information: 1) Prompt confirmation that your CA has stopped issuing TLS/SSL certificates with the problems listed below. 2) Explanation about how and why the mistakes were made, and not caught and fixed earlier. 3) List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things. 4) Regular updates to confirm when those steps have been completed. Note Section 4.9.1.1 of the CA/Browser Forum’s Baseline Requirements, which states: “The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs: … 9. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement; 10. The CA determines that any of the information appearing in the Certificate is inaccurate or misleading; … 14. Revocation is required by the CA’s Certificate Policy and/or Certification Practice Statement; or 15. The technical content or format of the Certificate presents an unacceptable risk to Application Software Suppliers or Relying Parties (e.g. the CA/Browser Forum might determine that a deprecated cryptographic/signature algorithm or key size presents an unacceptable risk and that such Certificates should be revoked and replaced by CAs within a given period of time). However, it is not our intent to introduce additional problems by forcing the immediate revocation of certificates that are not BR compliant when they do not pose an urgent security concern. Therefore, we request that your CA perform careful analysis of the situation and if there is justification to not revoke the problematic certificates, then explain those reasons and provide a timeline for when the bulks of the certificates will expire or be revoked/replaced. We expect that your forthcoming audit statements will indicate the findings of these problems. If your CA will not be revoking the certificates within 24 hours in accordance with the BRs, then that will also need to be listed as a finding in your CA’s BR audit statement. We expect that your CA will work with your auditor (and supervisory body, as appropriate) and the Root Store(s) that your CA participates in to ensure your analysis of the risk and plan of remediation is acceptable. If your CA will not be revoking the problematic certificates as required by the BRs, then we recommend that you also contact the other root programs that your CA participates in to acknowledge this non-compliance and discuss what expectations their Root Programs have with respect to these certificates. The problems reported for your CA in the mozilla.dev.security.policy forum are as follows: ** Failure to respond within 24 hours after Problem Report submitted https://groups.google.com/d/msg/mozilla.dev.security.policy/PrsDfS8AMEk/w2AMK81jAQAJ ** <items listed below for the CA> ~~ END DRAFT ~~ Updated list: == Actalis == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == Camerfirma == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ URI in dNSName SAN https://groups.google.com/d/msg/mozilla.dev.security.policy/etp2Yz2fmM4/ayBTsfJnBgAJ == Certinomis == Invalidly long serial numbers (Serial Number > 20 Octets) https://groups.google.com/d/msg/mozilla.dev.security.policy/b33_4CyJbWI/74sItqcvBgAJ Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == certSIGN == Invalid common name and invalid SAN dnsName https://groups.google.com/d/msg/mozilla.dev.security.policy/ETG72kifv4k/2BD-CVDDAAAJ == Comodo == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == D-TRUST == dNSName containing '/' https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/uD-Li1w1BgAJ Short / sequential-looking serial numbers https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/uD-Li1w1BgAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ RESOLUTION: https://groups.google.com/d/msg/mozilla.dev.security.policy/UnR98QjWQQs/O-Hf5T4WBwAJ == DigiCert == (Bug #1389172 already created by Jeremy - for the first 3 items below) Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. Invalidly long serial numbers (Serial Number > 20 Octets) https://groups.google.com/d/msg/mozilla.dev.security.policy/b33_4CyJbWI/74sItqcvBgAJ Serial Numbers less than 64-bit entropy https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/5bpr9yBgaYo/rJLOz0XPBQAJ Reserved IP addresses https://groups.google.com/d/msg/mozilla.dev.security.policy/inocepURbNQ/MmkeMvhyCAAJ == Disig == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == DocuSign == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == Entrust == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. == e-Szigno SSL CA == Common Name not in SAN https://groups.google.com/d/msg/mozilla.dev.security.policy/K3sk5ZMv2DE/4oVzlN1xBgAJ == FNMT == "AC FNMT Usuarios” intermediate is not supposed to issue TLS server auth capable certs. [KATHLEEN: Add to OneCRL] https://groups.google.com/d/msg/mozilla.dev.security.policy/Qo1ZNwlYKnY/UrAodnoQBwAJ == GlobalSign == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. == Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) == Serial Numbers less than 64-bit entropy https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ == IdenTrust == pathLenConstraint with CA:FALSE https://groups.google.com/d/msg/mozilla.dev.security.policy/1q_aq5e0El4/LmfGUDmHBwAJ OCSP responder URL that has a HTTPS URI https://groups.google.com/d/msg/mozilla.dev.security.policy/jSHuE-Oc7rY/660iCGPZBgAJ == Izenpe == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ Serial Numbers less than 64-bit entropy https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ == Keynectis == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == Let’s Encrypt == RESOLVED (no bug needed) Improperly normalized IDNs https://groups.google.com/d/msg/mozilla.dev.security.policy/g6_zGA2exXw/izYkdc7DBwAJ RESOLUTION: https://groups.google.com/d/msg/mozilla.dev.security.policy/nMxaxhYb_iY/AmjCI3_ZBwAJ == Microsec == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == Netlock == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == PROCERT == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ URI in dNSName SAN https://groups.google.com/d/msg/mozilla.dev.security.policy/etp2Yz2fmM4/ayBTsfJnBgAJ Reserved IP addresses https://groups.google.com/d/msg/mozilla.dev.security.policy/inocepURbNQ/MmkeMvhyCAAJ Common Name not in SAN https://groups.google.com/d/msg/mozilla.dev.security.policy/K3sk5ZMv2DE/4oVzlN1xBgAJ == QuoVadis == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. Short / sequential-looking serial numbers https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/uD-Li1w1BgAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == SECOM == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. == StartCom == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == Staat der Nederlandend / PKIoverheid == RESOLVED (no bug needed) Short / sequential-looking serial numbers https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/uD-Li1w1BgAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ RESOLUTION: https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/W1D4oZ__BwAJ == SwissSign == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. Common Name not in SAN https://groups.google.com/d/msg/mozilla.dev.security.policy/K3sk5ZMv2DE/4oVzlN1xBgAJ == Symantec == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ Common Name not in SAN https://groups.google.com/d/msg/mozilla.dev.security.policy/K3sk5ZMv2DE/4oVzlN1xBgAJ == Taiwan-CA Inc. (TWCA) == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == T-Systems == Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters) https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case. Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == Visa == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == WISeKey == Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position) https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ == _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy