Good afternoon

In order to answer the points of the wiki, we provide the following explanations.



Issue D: URI in CN and dnsName SAN (December 2016)

Procert:

Based on internal tests and validation, we contacted the client, asked for a 
new CSR and proceeded to revoke and reissue the certificate, supporting the 
installation process. We have completed those actions at this point.


Issue E: Issuance of 1024-bit Certificate (December 2016)

Procert:

Based on internal tests and validation, we contacted the client, asked for a 
new CSR and proceeded to revoke and reissue the certificate with a 2048-bit 
key, supporting the installation process. We have completed those actions at 
this point.


Issue G: Internal IP Address in SAN (March 2015 - March 2017)

Procert:

Based on internal tests and validation, we contacted the client, asked for a 
new CSR and proceeded to revoke and reissue the certificate, supporting the 
installation process. We have completed those actions at this point.

 

Issue I: CN Not Also In SAN (March 2016 - June 2017)

Procert:

Based on internal tests and validation, we contacted the client, asked for a 
new CSR and proceeded to revoke and reissue the certificate, supporting the 
installation process. We have completed those actions at this point.

 

Issue J: Use of keyCertSign in Leaf Certificates (October 2016 - June 2017)

Procert:

The template for this certificate was fixed and, based on internal tests and 
validation, we contacted the client, asked for a new CSR and proceeded to 
revoke and reissue the certificate, supporting the installation process. 
We have completed those actions at this point.

 

Issue K: Internal DNS Names in Certificates (May - June 2017)

Procert:

Based on internal tests and validation, we contacted the client, asked for a 
new CSR and proceeded to revoke and reissue the certificate, supporting the 
installation process. We have completed those actions at this point.

 

Issue L: helloburgershack.com (June - July 2017)

Procert:

Based on internal tests and validation, we contacted the client, asked for a 
new CSR and proceeded to revoke and reissue the certificate, supporting the 
installation process. This client has provided a production window after 
next Tuesday in order to proceed with the revocation and reissue of the 
certificate. Pending action.

 

Issue M: CPS not in RFC 3647 or RFC 2527 Format (2011 - August 2017)

Procert:

After a validation process, we modified the RFC number in our documentation. 
We have completed this point.

 

Issue N: otherNames in Certificate SAN (2011 - August 2017)

Procert:

Based on internal testing and validation, we contact the customer, request a 
window to generate a new CSR, and review and reissue the certificate; we will 
also support the installation process. We keep in touch with customers with 
active SSL certificates to proceed with this point. We advance as much as 
possible with customers. Some of these certificates have expired. For the 
issuance of new certificates, verify the observations contained in item V.

 
Issue O: OCSP Servers Return "Good" for Non-Existent Certificates (Unknown - 
August 2017)

Procert:

As we explained in Mozilla Bug 1391058, when we applied the Microsoft tool, 
the system shows this message: “In the Value data box, type the path to the 
directory you created in step 3 of the directory structure procedure and that 
contains the issued serial numbers, and then click OK.”

When we refresh or restart the service, the OCSP registry entry is 
automatically deleted. For testing we used different versions of Windows 
Server (2008, 2012 and 2016); all versions present the same result. 
Additionally, we have asked for an answer at Microsoft TechNet: 
https://social.technet.microsoft.com/Forums/windowsserver/es-ES/981f6e48-dc25-4eeb-a1d6-0bc72b9b4fc9/ocsp-online-responder-service-assume-a-certificate-that-is-not-included-in-the-crl-as-a-valid-and?forum=winserversecurity

We remain in contact with Microsoft in order to obtain an adequate procedure 
or batch. In parallel, we are working on our own OCSP software.

 

Issue P: Use of SHA-1 To Sign OCSP Responses (Unknown - August 2017)

Procert:

We checked the standard: the OCSP certificate is SHA-256; the response in this 
case is an observation. We are working to check and validate the adjustment 
to SHA-256 in the OCSP response. This situation does not contravene any 
standard.

 

Issue Q: CRL Distribution Points Using HTTPS (August 2012 - August 2017)

Procert:

Please validate the certificate issuance. This certificate is not issued by PSC 
PROCERT.

 

Issue R: Incorrect Encoding of or Inappropriate Use of TeletexString (December 
2015 - August 2017)

Based on internal testing and validation, we contact the customer, request a 
window to generate a new CSR, and review and reissue the certificate; we will 
also support the installation process. We keep in touch with customers with 
active certificates to proceed with this point. We advance as much as 
possible with customers.

 

Issue S: Non-Random Serial Numbers (September 2016 - August 2017)

Procert:

We checked the observation. Procert technical staff applied the observation 
and fixed the system on this particular point.

 

Issue T: Inappropriate Key Usage Value of "Key Agreement" (October 2016 - 
August 2017)

The template for this certificate was fixed and, based on internal tests and 
validation, we contacted the client, asked for a new CSR and proceeded to 
revoke and reissue the certificate, supporting the installation process.

 

Issue V: Failure to Respond Quickly To Problem Reports (August 2017)

Procert:

We tested our certificates in our test environment, analyzed the issues and 
applied measures to solve them; later, the team took action: modified the 
certificate templates, worked on the CA, ran tests, and generated new 
certificates in our internal environment. Then we contacted the clients and 
agreed on a revocation date, revoked all the certificates with problems and 
reissued the certificates in compliance with the standard, checked the correct 
application of the CA/Browser Forum requirements, implemented a regular 
training program (including tests, operational and theoretical) for our staff 
in order to prevent and solve any issue, and finally proceeded with the 
dismissal of one operator.

 

Issue W: Test Certificates Issued in Publicly Trusted Hierarchies (August 2017)

Procert: 

The certificate was revoked and we enforced our security policy in order to 
prevent future events. We also instructed our operational staff regarding 
internal processes and IT security topics.

 

Issue X: High Percentage of Revocations (August 2017) 

Procert:

Staff took action considering the observations included in the Mozilla bug. 
To that end, we made an internal audit, checked the issuance process, 
detected all the non-conformities, contacted the clients, and agreed with the 
clients on a window to revoke and install the new certificates. In order to 
duly comply, we proceeded to revoke the certificates with observations 
(Mozilla bug). We are planning to replace all the certificates with 
observations. That is why you can see a high percentage of certificate 
revocations.

  
Note:

A deadline has been set until the 14th of this month to revoke and reissue 
the certificates with problems.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
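Most of the items the reply above addresses (issues E, G, I, J, K, S and T) are properties that a CA can detect from the certificate itself before it is signed, which is the check that would have prevented the revoke-and-reissue cycle described in each section. The Go program below is an added example written for this page; it is not Procert's code, not Mozilla's, and not a full Baseline Requirements linter. Using only the Go standard library, it builds two constructed self-signed certificates, one that exhibits every listed pattern and one with a conforming profile, and runs a small pre-issuance linter over both. The helper names (LintLeaf, isInternalName, buildAndLint, BadExampleFindings, GoodExampleFindings), the internal-name suffix list, and the sample names, IP address and serial numbers are assumptions made for the example. The serial-number check is a coarse proxy: randomness cannot be proven from one certificate, so a short serial is flagged for review rather than declared sequential.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Finding is one lint result; Issue is the letter of the wiki item it maps to.
type Finding struct {
	Issue string
	Desc  string
}

// isInternalName is a hypothetical heuristic: a dNSName with no dot, or with a
// reserved suffix, is not resolvable in the public DNS (issue K).
func isInternalName(name string) bool {
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	if !strings.Contains(n, ".") {
		return true
	}
	for _, suffix := range []string{".local", ".localhost", ".internal", ".lan", ".corp"} {
		if strings.HasSuffix(n, suffix) {
			return true
		}
	}
	return false
}

// LintLeaf checks an end-entity certificate for the patterns named in the
// thread (issues E, G, I, J, K, S and T). It is a subset of a real BR linter.
func LintLeaf(c *x509.Certificate) []Finding {
	var out []Finding
	rsaPub, isRSA := c.PublicKey.(*rsa.PublicKey)

	// Issue E: RSA modulus shorter than 2048 bits.
	if isRSA && rsaPub.N.BitLen() < 2048 {
		out = append(out, Finding{"E", fmt.Sprintf("RSA key is %d bits; minimum is 2048", rsaPub.N.BitLen())})
	}
	// Issue G: reserved or private IP address in the SAN.
	for _, ip := range c.IPAddresses {
		if ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			out = append(out, Finding{"G", "internal IP address in SAN: " + ip.String()})
		}
	}
	// Issue I: the subject CN must also appear as a dNSName SAN.
	if cn := c.Subject.CommonName; cn != "" {
		inSAN := false
		for _, d := range c.DNSNames {
			if strings.EqualFold(d, cn) {
				inSAN = true
				break
			}
		}
		if !inSAN {
			out = append(out, Finding{"I", "CN " + cn + " is not also in the SAN"})
		}
	}
	// Issue J: keyCertSign only belongs on CA certificates.
	if !c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0 {
		out = append(out, Finding{"J", "keyCertSign set on a leaf certificate"})
	}
	// Issue K: internal DNS names in the SAN.
	for _, d := range c.DNSNames {
		if isInternalName(d) {
			out = append(out, Finding{"K", "internal DNS name in SAN: " + d})
		}
	}
	// Issue S: coarse proxy for a non-random serial. A counter-derived serial is
	// tiny; a serial carrying the 64 bits of CSPRNG output the Baseline
	// Requirements call for will normally, though not always, be at least 64
	// bits long, so a hit here means "review", not "proven sequential".
	if c.SerialNumber.BitLen() < 64 {
		out = append(out, Finding{"S", fmt.Sprintf("serial number is only %d bits long", c.SerialNumber.BitLen())})
	}
	// Issue T: keyAgreement is not a valid key usage for an RSA key.
	if isRSA && c.KeyUsage&x509.KeyUsageKeyAgreement != 0 {
		out = append(out, Finding{"T", "keyAgreement set on an RSA certificate"})
	}
	return out
}

// buildAndLint self-signs the template with a fresh RSA key of the given size,
// re-parses the DER and lints it. Self-signing is only a convenience for the
// demo; LintLeaf works on any parsed certificate.
func buildAndLint(tmpl *x509.Certificate, bits int) ([]Finding, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return LintLeaf(cert), nil
}

// BadExampleFindings lints a constructed certificate (not a real Procert
// certificate) that exhibits every pattern the linter knows about.
func BadExampleFindings() ([]Finding, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(42),                     // counter-style serial
		Subject:      pkix.Name{CommonName: "intranet"}, // CN missing from SAN
		DNSNames:     []string{"srv.local"},
		IPAddresses:  []net.IP{net.ParseIP("10.0.0.5")},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageKeyAgreement,
	}
	return buildAndLint(tmpl, 1024)
}

// GoodExampleFindings lints a constructed certificate with a conforming
// profile (2048-bit key, 128-bit random serial, CN repeated in the SAN).
func GoodExampleFindings() ([]Finding, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com", "example.com"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	return buildAndLint(tmpl, 2048)
}

func main() {
	for name, fn := range map[string]func() ([]Finding, error){"bad": BadExampleFindings, "good": GoodExampleFindings} {
		findings, err := fn()
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s certificate: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  issue %s: %s\n", f.Issue, f.Desc)
		}
	}
}
```

Run it with `go run .`; the constructed bad certificate produces one finding per listed issue and the conforming one produces none. In a real issuance pipeline a check like this runs on the to-be-signed certificate, so a failing profile is rejected before anything is published and there is nothing to revoke; production CAs use full linters (for example zlint) rather than a hand-written subset like this one.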
