Dear Jonathan,

Given the misissued certificates in CT under the existing root, I believe this request should be rejected, and a new clean root with audits should be required before moving forward.

==> All the misissued certificates have been revoked by the NDCA and new correct ones were substituted to the clients. The TunServerCA2 has been audited yearly by a qualified auditor (LSTI, France) since 2015. A new root will not resolve these problems because all of these issues are a part of the validation process in the RA. That’s why we implemented new technical controls in the TunServerCA2 RA to reject all the CSR that contain any problem of this kind.

The errors in the issued certificates indicate a lack of technical controls in addition to improperly implemented certificate profiles. Given this, an explanation should also be provided of what changes have been made to the issuance environment to ensure these types of mistakes will not happen under the new root.

==> Two technical controls have been implemented:

1. In the RA of the TunServerCA2, a specific coding has been done on the RA scripts. The Common Name specified in the CSR is, from now on, automatically included in the SAN entries. In addition to that, a control that ensures that the SAN entries contain the Common Name has been implemented.
2. An automatic check of TBS certificates using TBSCertificate crt.sh API has been added today and integrated into the issuance processes. Actually, we followed the suggestion of Rob Stradling, Senior Research & Development Scientist, COMODO - Creating Trust Online, published in https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/oTQ9OYgS8D4.

There are a bunch of warnings, but these jumped out at me as being very serious:

These certificates have a commonName that is not included as a dNSName SAN:
- https://crt.sh/?id=99182607&opt=cablint

==> We investigated the error in this case: The TunServerCA2 RA included only the SAN declared in the CSR. This problem has been resolved since last week by implementing a code that includes automatically the Common Name in the SAN entries.
Moreover, all the domain names declared in the certificate (CN and Subject Alternative Names) are checked by the RA according to the 3.2.2.4 of the CAB/Forum.

- https://crt.sh/?id=242366304&opt=cablint

==> We investigated the error in this case: The TunServerCA2 RA included only the SAN declared in the CSR. This problem has been resolved since last week by implementing a coding that includes automatically the Common Name in the SAN entries.

This certificate has a SAN with a domain ending in .local, which is a reserved special-use TLD:
- https://crt.sh/?id=79470561&opt=cablint

==> We investigated the error in this case: The TunServerCA2 RA included only the SAN declared in the CSR. This problem has been resolved by updating our CSR checker to include the inspection of all the SAN entries declared in the CSR that contain a “.local” in CN or in any of the SAN entries. All of these cases are automatically rejected by the TunServerCA2 RA and the RSC has to generate a new correct CSR.

It’s important to remember that these are only the certificates that we know about via CT. There may be certificates with similar or other issues that are not logged.

==> We have checked all the issued certificates by a daemon which integrates the crt.sh API. This daemon checked the issued certificates one by one in the RA database: There are 15 misissued certificates since the issuance of the TunServerCA2.
You will find below the serial number of each one and the errors reported by cablint, x509lint and zlint:

41591505131605113993BB051309A9A8
cablint WARNING Certificate Policies should not contain notice references
cablint INFO TLS Server certificate identified
x509lint WARNING explicitText is not using a UTF8String
x509lint WARNING Policy information has qualifier other than CPS URI
x509lint INFO Subject has a deprecated CommonName
x509lint INFO Unknown validation policy
zlint ERROR CAs must include keyIdentifer field of AKI in all non-self-issued certificates
zlint ERROR CAs must support key identifiers and include them in all certificates
zlint WARNING Compliant certificates SHOULD NOT use the noticeRef option
zlint WARNING Compliant certificates should use the utf8string encoding for explicitText
zlint WARNING Sub certificates SHOULD include Subject Key Identifier in end entity certs
zlint NOTICE Subscriber Certificate: commonName is deprecated.
==> This issue has been fixed after the first audit in August 2015.

41591509041609025C4CD135DDB18DDD
cablint WARNING Certificate Policies should not contain notice references
cablint WARNING Name has deprecated attribute emailAddress
cablint WARNING Special name in SAN
cablint INFO TLS Server certificate identified
x509lint WARNING explicitText is not using a UTF8String
x509lint WARNING Policy information has qualifier other than CPS URI
x509lint INFO Subject has a deprecated CommonName
x509lint INFO Unknown validation policy
zlint ERROR DNSNames must have a valid TLD.
zlint WARNING Compliant certificates SHOULD NOT use the noticeRef option
zlint WARNING Compliant certificates should use the utf8string encoding for explicitText
zlint WARNING Sub certificates SHOULD include Subject Key Identifier in end entity certs
zlint NOTICE Subscriber Certificate: commonName is deprecated.
==> This certificate has been revoked and a new correct one issued for the client.

4159151023161021A29E9C80721A9E52
cablint WARNING Certificate Policies should not contain notice references
cablint WARNING Extension should be critical for KeyUsage
cablint WARNING Name has deprecated attribute emailAddress
cablint INFO TLS Server certificate identified
x509lint WARNING explicitText is not using a UTF8String
x509lint WARNING Policy information has qualifier other than CPS URI
x509lint INFO Subject has a deprecated CommonName
x509lint INFO Unknown validation policy
zlint ERROR Effective October 1, 2016, CAs must revoke all unexpired certificates that contains a reserved IP or internal name.
zlint WARNING Compliant certificates SHOULD NOT use the noticeRef option
zlint WARNING Compliant certificates should use the utf8string encoding for explicitText
zlint WARNING Sub certificates SHOULD include Subject Key Identifier in end entity certs
zlint WARNING The keyUsage extension SHOULD be critical
zlint NOTICE Subscriber Certificate: commonName is deprecated.
==> This certificate expired on the 21st of October 2016.

41591603111703106E72B4E6B753F8E3
cablint ERROR commonNames in BR certificates must be from SAN entries
cablint WARNING Certificate Policies should not contain notice references
cablint WARNING Extension should be critical for KeyUsage
cablint WARNING Name has deprecated attribute emailAddress
cablint INFO TLS Server certificate identified
x509lint WARNING explicitText is not using a UTF8String
x509lint WARNING Policy information has qualifier other than CPS URI
x509lint INFO Subject has a deprecated CommonName
x509lint INFO Unknown validation policy
zlint ERROR The common name field in subscriber certificates must include only names from the SAN extension
zlint WARNING Compliant certificates SHOULD NOT use the noticeRef option
zlint WARNING Compliant certificates should use the utf8string encoding for explicitText
zlint WARNING Sub certificates SHOULD include Subject Key Identifier in end entity certs
zlint WARNING The keyUsage extension SHOULD be critical
zlint NOTICE Subscriber Certificate: commonName is deprecated.
==> This issue is fixed with the new automatic technical controls.

41591603301703290E16B4E7B593C481
cablint WARNING Certificate Policies should not contain notice references
cablint WARNING Extension should be critical for KeyUsage
cablint WARNING Name has deprecated attribute emailAddress
cablint WARNING Special name in SAN
cablint INFO TLS Server certificate identified
x509lint WARNING explicitText is not using a UTF8String
x509lint WARNING Policy information has qualifier other than CPS URI
x509lint INFO Subject has a deprecated CommonName
x509lint INFO Unknown validation policy
zlint ERROR DNSNames must have a valid TLD.
zlint WARNING Compliant certificates SHOULD NOT use the noticeRef option
zlint WARNING Compliant certificates should use the utf8string encoding for explicitText
zlint WARNING Sub certificates SHOULD include Subject Key Identifier in end entity certs
zlint WARNING The keyUsage extension SHOULD be critical
zlint NOTICE Subscriber Certificate: commonName is deprecated.
==> This issue is fixed with the new automatic technical controls.

4159160412180411114E3A7D0FEDA87E
cablint ERROR BR certificates must not contain rfc822Name type alternative name
cablint ERROR commonNames in BR certificates must be from SAN entries
cablint WARNING Certificate Policies should not contain notice references
cablint WARNING Name has deprecated attribute emailAddress
cablint INFO TLS Server certificate identified
x509lint ERROR Invalid type in SAN entry
x509lint WARNING explicitText is not using a UTF8String
x509lint WARNING Policy information has qualifier other than CPS URI
x509lint INFO Subject has a deprecated CommonName
x509lint INFO Unknown validation policy
zlint ERROR The common name field in subscriber certificates must include only names from the SAN extension
zlint ERROR The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.
zlint WARNING Compliant certificates SHOULD NOT use the noticeRef option
zlint WARNING Compliant certificates should use the utf8string encoding for explicitText
zlint WARNING Sub certificates SHOULD include Subject Key Identifier in end entity certs
zlint NOTICE Subscriber Certificate: commonName is deprecated.
==> This issue is fixed with the new automatic technical controls.

415916061017060953E7E2AC04D0FE54
cablint ERROR BR certificates must not contain rfc822Name type alternative name
cablint ERROR commonNames in BR certificates must be from SAN entries
cablint WARNING Certificate Policies should not contain notice references
cablint WARNING Name has deprecated attribute emailAddress
cablint INFO TLS Server certificate identified
x509lint ERROR Invalid type in SAN entry
x509lint WARNING explicitText is not using a UTF8String
x509lint WARNING Policy information has qualifier other than CPS URI
x509lint INFO Subject has a deprecated CommonName
x509lint INFO Unknown validation policy
zlint ERROR The common name field in subscriber certificates must include only names from the SAN extension
zlint ERROR The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.
zlint WARNING Compliant certificates SHOULD NOT use the noticeRef option
zlint WARNING Compliant certificates should use the utf8string encoding for explicitText
zlint WARNING Sub certificates SHOULD include Subject Key Identifier in end entity certs
zlint NOTICE Subscriber Certificate: commonName is deprecated.
==> This issue is fixed with the new automatic technical controls.

41591612091712080154AE004DC753E1
cablint ERROR BR certificates must not contain rfc822Name type alternative name
cablint ERROR commonNames in BR certificates must be from SAN entries
cablint WARNING Certificate Policies should not contain notice references
cablint WARNING Name has deprecated attribute emailAddress
cablint INFO TLS Server certificate identified
x509lint ERROR Invalid type in SAN entry
x509lint WARNING explicitText is not using a UTF8String
x509lint WARNING Policy information has qualifier other than CPS URI
x509lint INFO Subject has a deprecated CommonName
x509lint INFO Unknown validation policy
zlint ERROR The common name field in subscriber certificates must include only names from the SAN extension
zlint ERROR The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.
zlint WARNING Compliant certificates SHOULD NOT use the noticeRef option
zlint WARNING Compliant certificates should use the utf8string encoding for explicitText
zlint WARNING Sub certificates SHOULD include Subject Key Identifier in end entity certs
zlint NOTICE Subscriber Certificate: commonName is deprecated.
==> This issue is fixed with the new automatic technical controls.

4159170109180108A0A676CA5F5C3F70
cablint WARNING Certificate Policies should not contain notice references
cablint WARNING Extension should be critical for KeyUsage
cablint WARNING Name has deprecated attribute emailAddress
cablint WARNING Special name in SAN
cablint INFO TLS Server certificate identified
x509lint WARNING explicitText is not using a UTF8String
x509lint WARNING Policy information has qualifier other than CPS URI
x509lint INFO Subject has a deprecated CommonName
x509lint INFO Unknown validation policy
zlint ERROR DNSNames must have a valid TLD.
zlint WARNING Compliant certificates SHOULD NOT use the noticeRef option
zlint WARNING Compliant certificates should use the utf8string encoding for explicitText
zlint WARNING Sub certificates SHOULD include Subject Key Identifier in end entity certs
zlint WARNING The keyUsage extension SHOULD be critical
zlint NOTICE Subscriber Certificate: commonName is deprecated.
==> This issue is fixed with the new automatic technical controls.

4159170228180227F03C255A5BE535F6
cablint ERROR commonNames in BR certificates must be from SAN entries
cablint WARNING Certificate Policies should not contain notice references
cablint WARNING Extension should be critical for KeyUsage
cablint WARNING Name has deprecated attribute emailAddress
cablint INFO TLS Server certificate identified
x509lint WARNING explicitText is not using a UTF8String
x509lint WARNING Policy information has qualifier other than CPS URI
x509lint INFO Subject has a deprecated CommonName
x509lint INFO Unknown validation policy
zlint ERROR The common name field in subscriber certificates must include only names from the SAN extension
zlint WARNING Compliant certificates SHOULD NOT use the noticeRef option
zlint WARNING Compliant certificates should use the utf8string encoding for explicitText
zlint WARNING Sub certificates SHOULD include Subject Key Identifier in end entity certs
zlint WARNING The keyUsage extension SHOULD be critical
zlint NOTICE Subscriber Certificate: commonName is deprecated.
==> This issue is fixed with the new automatic technical controls.

41591706151906144B98D55B34AD958D
cablint ERROR commonNames in BR certificates must be from SAN entries
cablint WARNING Certificate Policies should not contain notice references
cablint WARNING Extension should be critical for KeyUsage
cablint WARNING Name has deprecated attribute emailAddress
cablint INFO TLS Server certificate identified
x509lint WARNING explicitText is not using a UTF8String
x509lint WARNING Policy information has qualifier other than CPS URI
x509lint INFO Subject has a deprecated CommonName
x509lint INFO Unknown validation policy
zlint ERROR Effective October 1, 2016, CAs must revoke all unexpired certificates that contains a reserved IP or internal name.
zlint ERROR The common name field in subscriber certificates must include only names from the SAN extension
zlint WARNING Compliant certificates SHOULD NOT use the noticeRef option
zlint WARNING Compliant certificates should use the utf8string encoding for explicitText
zlint WARNING Sub certificates SHOULD include Subject Key Identifier in end entity certs
zlint WARNING The keyUsage extension SHOULD be critical
zlint NOTICE Subscriber Certificate: commonName is deprecated.
==> This issue is fixed with the new automatic technical controls.

41591710251910243E52C0A86C15D20C
cablint ERROR commonNames in BR certificates must be from SAN entries
cablint WARNING Certificate Policies should not contain notice references
cablint WARNING Name has deprecated attribute emailAddress
cablint INFO TLS Server certificate identified
x509lint WARNING explicitText is not using a UTF8String
x509lint WARNING Policy information has qualifier other than CPS URI
x509lint INFO Subject has a deprecated CommonName
x509lint INFO Unknown validation policy
zlint ERROR The common name field in subscriber certificates must include only names from the SAN extension
zlint WARNING Compliant certificates SHOULD NOT use the noticeRef option
zlint WARNING Compliant certificates should use the utf8string encoding for explicitText
zlint WARNING Sub certificates SHOULD include Subject Key Identifier in end entity certs
zlint NOTICE Subscriber Certificate: commonName is deprecated.
==> This issue is fixed with the new automatic technical controls.

4159180223200222BF945607FA19132A
cablint ERROR commonNames in BR certificates must be from SAN entries
cablint WARNING Certificate Policies should not contain notice references
cablint WARNING Name has deprecated attribute emailAddress
cablint WARNING Trailing whitespace in commonName
cablint INFO TLS Server certificate identified
x509lint ERROR The string contains non-printable control characters
x509lint WARNING explicitText is not using a UTF8String
x509lint WARNING Policy information has qualifier other than CPS URI
x509lint INFO Subject has a deprecated CommonName
x509lint INFO Unknown validation policy
zlint ERROR Characters in labels of DNSNames MUST be alphanumeric, - , _ or *
zlint ERROR DNSNames must have a valid TLD.
zlint ERROR The common name field in subscriber certificates must include only names from the SAN extension
zlint WARNING AttributeValue in subject RelativeDistinguishedName sequence SHOULD NOT have trailing whitespace
zlint WARNING Compliant certificates SHOULD NOT use the noticeRef option
zlint WARNING Compliant certificates should use the utf8string encoding for explicitText
zlint NOTICE Subscriber Certificate: commonName is deprecated.
==> This certificate contained a special character in the CSR. This

I just took a closer look at the thread, and it appears that some misissuance was pointed out in July and most of the controls that were suggested as a solution relied on humans. These controls appear to have predictably failed, as multiple misissued certificates are from this fall, well after the fixes should have been in place.

It’s true that at the beginning only human controls were implemented. However, today many other technical controls are implemented in the TunServerCA2 RA, including:

1. The update of the CSR checker in the RA to reject automatically any CSR that contains a .local, IP address.
2. The certtbslint API is integrated in the TunServerCA2 RA to prohibit the issuance of a certificate which the result has a severity fatal or error.
3. Update in the code of TunServerCA2 RA to include automatically the CN in the SAN entries and to check if it is repeated.

Dear Wayne,

Olfa's most recent response indicates that additional/technical controls were added this week. However, I'm not convinced that they are adequate.

==> We hope that the additional technical controls described above will convince you and we assure you that these controls will prohibit the occurrence of this type of mistakes from now on.

Olfa

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
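
Added example, not part of the original message and not the CA's RA code: a sketch of the kind of pre-issuance name check the thread describes, covering the lint findings listed above (internal names, IP literals, disallowed SAN types, whitespace or control characters) and the inclusion of the CN in the SAN. It assumes the CSR has already been parsed into a commonName and a list of (type, value) SAN pairs; the function names and the suffix list are hypothetical.

```python
import ipaddress
import re

# Constructed suffix list for illustration; a production check would use the
# IANA root zone and special-use domain registries.
INTERNAL_SUFFIXES = (".local", ".localhost", ".internal", ".test", ".invalid")
# Stricter than the zlint rule quoted above: letters, digits and inner hyphens.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def check_dns_name(name):
    """Return error strings for one requested DNS name (CN or dNSName SAN)."""
    if name != name.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return ["whitespace or control character in name: %r" % name]
    try:
        ipaddress.ip_address(name)
        return ["IP address used as a DNS name: %s" % name]
    except ValueError:
        pass  # not an IP literal, continue with the DNS checks
    errors = []
    lowered = name.lower().rstrip(".")
    if "." not in lowered or lowered.endswith(INTERNAL_SUFFIXES):
        errors.append("internal or reserved name: %s" % name)
    labels = lowered.split(".")
    if labels[0] == "*":  # a single leading wildcard label is permitted
        labels = labels[1:]
    if not all(LABEL.fullmatch(label) for label in labels):
        errors.append("invalid character in DNS label: %s" % name)
    return errors


def vet_csr_names(common_name, san_entries):
    """Return (errors, dns_names); a non-empty errors list blocks issuance."""
    errors, dns_names = [], []
    # Treat the CN as the first dNSName so it is validated, then carried into
    # the SAN; lower-casing de-duplicates a CN that the CSR already repeats.
    for san_type, value in [("dNSName", common_name)] + list(san_entries):
        if san_type == "dNSName":
            problems = check_dns_name(value)
            errors += problems
            if not problems and value.lower() not in dns_names:
                dns_names.append(value.lower())
        elif san_type == "iPAddress":
            try:
                if not ipaddress.ip_address(value).is_global:
                    errors.append("reserved IP address in SAN: %s" % value)
            except ValueError:
                errors.append("malformed IP address in SAN: %s" % value)
        else:  # rfc822Name, URI, ... are not valid in a TLS server SAN
            errors.append("SAN type not allowed: %s" % san_type)
    return errors, dns_names


# Constructed requests mirroring the lint findings in the thread.
print(vet_csr_names("www.example.com", [("dNSName", "example.com")]))
print(vet_csr_names("mail.example.com", [("dNSName", "mail.example.local")]))
print(vet_csr_names("www.example.com ", [("rfc822Name", "admin@example.com")]))
```

Validating the CN with the same rules before it is copied into the SAN matters: copying it first would carry an unvalidated or malformed name into the certificate.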