Hi Adriano.  Thanks for providing your incident report so promptly.

Some questions inline...

On 02/10/17 15:26, Adriano Santoni via dev-security-policy wrote:
<snip>
6) Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

In the particular case of the generation of technically constrained SubCA certificates, and only in that particular case, we use a special procedure that operates in two phases: first, we generate a temporary unconstrained SubCA certificate using our core Root CA software;

Are these "temporary unconstrained SubCA certificates" publicly trusted? That is, do they have valid signatures from your "Actalis Authentication Root CA" (https://crt.sh/?caid=935)?

If yes, can you confirm that you have disclosed them all to the CCADB?

<snip>
Since it was Unicredit itself that asked for regeneration of their SubCA certificate, on the very same day, our staff assumed that the first SubCA certificate would be discarded; but apparently, due to some misunderstanding within Unicredit, it was mistakenly installed on some sites and then removed, but it probably remained online long enough for some crawler to detect it.

Are you suggesting that "discarding" a certificate makes it acceptable to reuse the same serial number in another certificate?

<snip>
- revocation of the affected SubCA certificate is scheduled for Oct 4th, EOB.

Nit: revocation of *both* affected SubCA certificates, since they share the same serial number.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
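A check for the kind of reuse Rob points to, as an added example that is not code from this thread, from Actalis or from crt.sh: it extracts issuer and serial from DER using only the standard library and reports any (issuer, serial) pair that appears on more than one certificate. The inputs are constructed Certificate-shaped stubs with a made-up serial number, not real certificates.

```python
from collections import defaultdict

def tlv(tag, body):
    """Encode one DER TLV, using long-form length when body >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def read_tlv(buf, off):
    """Decode the TLV at buf[off]; return (tag, value, offset just past it)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                      # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n
def issuer_and_serial(cert_der):
    """Walk Certificate -> tbsCertificate -> [0] version, serialNumber, sigAlg, issuer."""
    _, outer, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(outer, 0)
    tag, val, off = read_tlv(tbs, 0)
    if tag == 0xA0:                   # explicit version tag is optional; skip it if present
        tag, val, off = read_tlv(tbs, off)
    serial = int.from_bytes(val, "big", signed=True)
    _, _, off = read_tlv(tbs, off)    # signature AlgorithmIdentifier
    _, issuer, _ = read_tlv(tbs, off) # issuer Name, kept as raw DER for exact matching
    return issuer, serial
def find_serial_collisions(certs):
    """Group certs by (issuer DER, serial); return only groups with more than one member."""
    groups = defaultdict(list)
    for label, der in certs.items():
        groups[issuer_and_serial(der)].append(label)
    return {k: v for k, v in groups.items() if len(v) > 1}
def stub_cert(serial, issuer_cn):
    """Constructed test input: Certificate-shaped DER with only the parsed fields; NOT a valid cert."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))
    ser = tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    cn = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0c, issuer_cn.encode()))  # CN=... as UTF8String
    tbs = tlv(0x30, version + ser + sig_alg + tlv(0x30, tlv(0x31, cn)))
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00"))

# Constructed sample (made-up serial): two SubCA certs under one serial, one sibling, one other issuer.
SAMPLE_CERTS = {
    "subca-first-issuance": stub_cert(0x1A2B3C4D, "Actalis Authentication Root CA"),
    "subca-regenerated": stub_cert(0x1A2B3C4D, "Actalis Authentication Root CA"),
    "subca-unrelated": stub_cert(0x1A2B3C4E, "Actalis Authentication Root CA"),
    "same-serial-other-root": stub_cert(0x1A2B3C4D, "Example Test Root CA"),
}
```

Run over a real corpus, the same check takes DER from a CT log or CCADB export in place of the stubs; only the issuer and serial fields are read.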

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
