Stephen,

Thanks for the report. I have a few questions:
1. Did you scan for any additional certificates containing this type of
error that Quovadis or your subordinate CAs have issued? What were the
findings?
2. Will the linting check be performed pre- or post-issuance?
3. When will the linting check be in place, and will it cover all
certificates issued under a Quovadis root?

Wayne

On Fri, Dec 22, 2017 at 1:54 PM, Stephen Davidson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Dec 21 at 1715 UST we received a problem report (below) by email to
> complia...@quovadisglobal.com from Alex Gaynor relating to a TLS/SSL
> certificate issued by Swiss Government Public Trust Standard CA 02, a
> technically constrained external CA operated by Bundesamt fuer Informatik
> und Telekommunikation (BIT).
>
> Specifically, a SAN in that certificate included a dNSName that ended with
> two \n characters:
> https://crt.sh/?id=282646337&opt=cablint
>
> The certificate was revoked by the CA on Dec 22 at 1125 UST.
>
> Upon investigation, the CA reports that the misissuance was the result of
> administrator error during the manual input of the SAN entry.  The
> misissuance will be reported to the CAs external auditors.  The CA has
> undertaken to add linting as part of the issuance of their TLS/SSL
> certificates.
>
> Thanks to Alex Gaynor for reporting the issue.
>
> Regards,
> Stephen Davidson
> QuoVadis, a WISeKey company
>
> ------
>
> From: Alex Gaynor [mailto:agay...@mozilla.com]
> Sent: Thursday, December 21, 2017 1:15 PM
> To: Group - QuoVadis Compliance <complia...@quovadisglobal.com<mailto:
> complia...@quovadisglobal.com>>
> Subject: Misissued certificate
>
> Hi,
>
> I'm reporting a misissued certificate from one of your sub CAs:
> https://crt.sh/?id=282646337&opt=cablint
>
> Specifically, one of the dNSNames ends with two newline (\n) characters,
> which are not valid in a DNS label.
>
> I am requesting you revoke this certificate and provide a post-mortem to
> MDSP.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
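A pre-issuance lint for SAN dNSName values of the kind Stephen's message says the CA is adding, as an added example in Python (not code from QuoVadis, BIT, cablint or the list); the label rules follow RFC 5280 preferred-name syntax as I understand it, and the sample SAN values are constructed, not taken from the certificate in the thread.

```python
import re

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen,
# at most 63 octets (RFC 1034 / RFC 5280 "preferred name syntax").
LABEL_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def lint_dnsname(name):
    """Return a list of findings for one SAN dNSName; [] means clean."""
    findings = []
    # The defect from the thread: control characters such as "\n" in the value.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        findings.append("control character (e.g. \\n) in dNSName")
    if name != name.strip():
        findings.append("leading or trailing whitespace in dNSName")
    if not name.isascii():
        findings.append("non-ASCII character in dNSName (must be an A-label)")
    if len(name) > 253:
        findings.append("dNSName longer than 253 octets")
    labels = name.split(".")
    if "" in labels:
        findings.append("empty label (leading, trailing or doubled dot)")
    for i, label in enumerate(labels):
        if i == 0 and label == "*":
            continue  # a single leading wildcard label is tolerated
        # fullmatch, not match: "$" would silently accept one trailing "\n".
        if label and not LABEL_RE.fullmatch(label):
            findings.append("label %r violates preferred-name syntax" % label)
    return findings


def lint_san(names):
    """Lint every dNSName in a SAN and map each value to its findings."""
    return {n: lint_dnsname(n) for n in names}


def should_issue(names):
    """Pre-issuance gate: refuse issuance if any dNSName has a finding."""
    return all(not lint_dnsname(n) for n in names)


# Constructed sample SAN values (hypothetical; not the misissued certificate).
SAMPLE_SANS = [
    "www.example.com",
    "example.com\n\n",        # the class of error reported in the thread
    "*.example.com",
    "bad_host.example.com",   # underscore is not valid in a hostname label
]

if __name__ == "__main__":
    for value, found in lint_san(SAMPLE_SANS).items():
        print(repr(value), "->", found or "ok")
    print("issue:", should_issue(SAMPLE_SANS))
```

Run as a gate before signing, the check rejects the whole request when any dNSName fails; run post-issuance over already-issued certificates, `lint_san` answers Wayne's first question about whether other certificates carry the same error.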