On Wednesday, 19 July 2017 00:26:16 UTC+2, Charles Reiss wrote:

> https://crt.sh/?id=174827359 is a certificate issued by D-TRUST SSL
> Class 3 CA 1 2009 containing the DNS SAN
> 'www.lbv-gis.brandenburg.de/lbvagszit' (containing a '/') with a
> notBefore in April 2017.
>
Regarding this topic, this incorporates the D-Trust post-mortem, remediation & mitigation and revocation status.

Regards,
Kim

Issue: dNSName containing '/', https://crt.sh/?id=174827359

Post-mortem:

An incident was triggered by a bug in mozilla.dev.security.policy on 07-08-2017. Issuance was stopped immediately on 07-08-2017.

Analysis yielded the following results:

Validation is based on both a four-eyes principle ("human") approach and a tool-based automated validation. The GUI of our validation software backend which our team is using had some usability and visualization related issues. This implied that the way multiple SANs were displayed had potential for mistakes. We released the improvement of the backend GUI on 2017-08-24 as previously announced.

The bug mentioned with respect to the CSR Validator was that the CSR validator didn't filter prohibited characters correctly; it was introduced by the previous release but was not recognized during testing.

Mitigation/Remediation:

Existing mitigations:
  - Certificates require two independent parties to approve ("four eyes principle")

Remediation:
  2017-08-15 - The certificate was revoked
  2017-08-24 - Hotfix to systems to validate CSR against RFC 5280
  2017-08-24 - Hotfix to update validation software UI to reduce risk of mistakes
  2018-03-31 - Improved software testing to consider such cases

In order to enhance the quality assurance during issuance we are setting up both manual random checks as well as automated compliance checks in our issuance system. Also a case-related awareness training was performed.

Revocation plan:

The cert was revoked; a new BR-compliant cert was issued for the customer.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
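The remediation above mentions a hotfix to validate CSRs against RFC 5280, which requires every SAN dNSName to be in the "preferred name syntax" of RFC 1034 section 3.5 (as relaxed by RFC 1123 to allow labels starting with a digit), so a '/' can never appear. The following Python script is an added example, not part of this thread and not D-Trust's tooling, of the pre-issuance lint that would have caught the certificate discussed here. It assumes the Baseline Requirements' allowance of a single '*' as the leftmost label and treats everything else outside letters, digits, hyphen and dot as prohibited; the sample SAN list at the bottom is constructed for the demonstration (the first problem name is the one from the thread).

```python
import re
from typing import Dict, List

# One DNS label per RFC 1034 s3.5 / RFC 1123 s2.1: 1..63 octets,
# letters, digits and hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Characters that may ever appear in a dNSName under this policy
# ('*' only as a whole leftmost label, checked separately below).
ALLOWED_EXTRA = set("-.*")


def check_dnsname(value: str) -> List[str]:
    """Return the list of RFC 5280 / preferred-name-syntax problems for one
    SAN dNSName value. An empty list means the name is acceptable."""
    problems: List[str] = []
    if value == "":
        return ["empty dNSName"]
    if len(value) > 253:
        problems.append("name longer than 253 octets")
    if not value.isascii():
        problems.append("non-ASCII characters (IDNs must be A-label encoded)")
    # Any byte outside [A-Za-z0-9-.*] is prohibited; this is the check the
    # '/' in the thread's certificate would have tripped.
    bad = sorted({c for c in value
                  if not (c.isascii() and c.isalnum()) and c not in ALLOWED_EXTRA})
    if bad:
        problems.append("prohibited characters: " + "".join(bad))
    if value.endswith("."):
        problems.append("trailing dot")
    for i, label in enumerate(value.split(".")):
        if label == "*":
            # Assumption: BR-style wildcard, permitted only as the leftmost label.
            if i != 0:
                problems.append("wildcard not in leftmost label")
            continue
        if "*" in label:
            problems.append(f"wildcard mixed with other characters in label {label!r}")
            continue
        if not LABEL_RE.match(label):
            problems.append(f"label {label!r} is not valid preferred-name syntax")
    return problems


def validate_san_list(names: List[str]) -> Dict[str, List[str]]:
    """Lint a whole SAN list; the result maps each offending name to its
    problems, so an empty dict means the CSR may proceed to approval."""
    return {n: p for n in names if (p := check_dnsname(n))}


if __name__ == "__main__":
    # Constructed sample SAN list for the demonstration.
    sample_sans = [
        "www.lbv-gis.brandenburg.de/lbvagszit",   # the name from the thread
        "www.lbv-gis.brandenburg.de",
        "*.example.test",
        "foo.*.example.test",
        "-bad.example.test",
    ]
    findings = validate_san_list(sample_sans)
    for name, probs in findings.items():
        print(f"REJECT {name}")
        for p in probs:
            print(f"    - {p}")
    print("CSR acceptable" if not findings else "CSR must be rejected before approval")
```

Running the lint before the four-eyes review step, rather than relying on reviewers to spot a stray character in a multi-line SAN display, is the point of the example: the human check remains, but a value that cannot be a hostname never reaches it.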