Thank you for sharing this information.

On Mon, Mar 26, 2018 at 9:24 AM, juanangel.martingomez--- via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

>
>
> We've done an automated analysis on 2018-03-13 of TLS/SSL certificates
> that have been issued by our CAs:
> - Camerfirma Corporate Server II - 2015
> - Camerfirma Corporate Server - 2009
> - AC CAMERFIRMA AAPP
>
> We discovered 81 certificates that we didn't discover in our previous
> manual analyses of crt.sh. These misissued certificates were due to the
> fact that we had incorrect implementations of TLS/SSL certificates, each of
> the errors was previously corrected.
>
> The reasons why they are incorrect are:
> - (3) cablint ERROR commonNames in BR certificates must be from SAN entries
> - (1) cablint ERROR DNSName is not FQDN
> - (1) cablint ERROR DNSName is not in preferred syntax
> - (11) cablint ERROR Incorrectly encoded TeletexString in Certificate
> - (15) cablint FATAL ASN.1 Error in X520countryName: BER decoding failed
> at octet 0: Parse error
> - (30) cablint ERROR BR certificates must not contain directoryName type
> alternative name
> - (18) x509lint ERROR organizationName too long
> - (2) x509lint ERROR The string contains non-printable control characters
>
> For all of these certificates, the registration process of the domains and
> organizations included in them was carried out correctly.
>
> From the moment they were detected, we began the process of replacing them.
>
> There're 4 that have already expired.
>
> We've revoked 44 of the aforementioned certificates and we are in contact
> with the rest of the subscribing organizations to proceed with their
> substitution, given that most of them are Spanish public administration
> bodies that offer public services and they are unable to replace them in an
> agile way.
>

I will expect this to be reflected on your next audit reports as a
violation of BR 4.9.1.1 (9).

> All of these certificates are issued prior to the implementation of
> technical controls that eliminate the possibility of repeating the issuance
> of erroneous certificates with these errors.

That is good news.

> We've implemented on 2018-02-14 a technical control that prevents the
> issuance of a TLS/SSL certificate in case cablint or x509lint show an error
> of type 'FATAL' or 'ERROR' so it is expected that there are no new
> certificates with these errors issued by 'Camerfirma Corporate Server II -
> 2015'. 'AC CAMERFIRMA AAPP' & 'Camerfirma Corporate Server - 2009' are
> disabled for the issuance of certificates in our system.
>
> A report with the detected certificates is available at:
> https://bugzilla.mozilla.org/attachment.cgi?id=8962396
>
> Best Regards
> Juan Angel
>
>
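The control Juan Angel describes is a pre-issuance lint gate: the to-be-signed certificate is run through cablint and x509lint and issuance is blocked when any finding has severity ERROR or FATAL. The following is an added example of that gate shape, written for this thread and not Camerfirma's own code; the rule bodies are simplified stand-ins for the lint findings listed above (commonName not in SAN, DNSName not FQDN / not in preferred syntax, directoryName SAN, organizationName over the X.520 64-character bound, malformed countryName, control characters), working on a constructed `CertRequest` model rather than real DER, and the `WARNING` for a present commonName is assumed to illustrate why only ERROR/FATAL block issuance.

```python
"""Pre-issuance lint gate (added example, simplified stand-ins for the
cablint/x509lint rules named in the thread; not Camerfirma's control)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# RFC 1034 "preferred syntax" for one hostname label: starts and ends with a
# letter or digit, hyphens allowed inside, at most 63 octets.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
UB_ORGANIZATION_NAME = 64  # X.520 ub-organization-name


@dataclass
class CertRequest:
    """Subject and SAN fields of a to-be-signed certificate (constructed model)."""
    common_name: str
    organization: str
    country: str
    san_dns: List[str] = field(default_factory=list)
    san_directory_names: List[str] = field(default_factory=list)  # directoryName SANs


def _has_control_chars(s: str) -> bool:
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)


def lint(req: CertRequest) -> List[Tuple[str, str]]:
    """Return (severity, message) findings, mirroring the lint categories in the thread."""
    findings: List[Tuple[str, str]] = []

    if req.common_name:
        # Assumed warning: the BRs deprecate commonName but do not prohibit it.
        findings.append(("WARNING", "commonName is deprecated"))
        if req.common_name not in req.san_dns:
            findings.append(("ERROR", "commonName must be one of the SAN dNSName entries"))

    for name in req.san_dns:
        labels = name.split(".")
        if len(labels) < 2 or len(name) > 253:
            findings.append(("ERROR", f"DNSName is not FQDN: {name}"))
        elif not all(LABEL_RE.match(label) for label in labels):
            findings.append(("ERROR", f"DNSName is not in preferred syntax: {name}"))

    if req.san_directory_names:
        findings.append(("ERROR", "BR certificates must not contain directoryName type alternative name"))

    if len(req.organization) > UB_ORGANIZATION_NAME:
        findings.append(("ERROR", "organizationName too long"))

    # countryName is a 2-letter PrintableString; anything else fails decoding/policy.
    if not re.fullmatch(r"[A-Z]{2}", req.country):
        findings.append(("FATAL", f"countryName is not a 2-letter upper-case code: {req.country!r}"))

    for attr, value in (("commonName", req.common_name), ("organizationName", req.organization)):
        if _has_control_chars(value):
            findings.append(("ERROR", f"{attr} contains non-printable control characters"))

    return findings


def may_issue(req: CertRequest) -> bool:
    """The gate: block issuance on any ERROR or FATAL finding; warnings pass."""
    return not any(sev in ("ERROR", "FATAL") for sev, _ in lint(req))


if __name__ == "__main__":
    # Constructed sample requests: one clean, one carrying several of the reported defects.
    clean = CertRequest("www.example.es", "Ayuntamiento de Ejemplo", "ES",
                        ["www.example.es", "example.es"])
    faulty = CertRequest("intranet", "A" * 70, "es",
                         ["intranet", "bad_host.example.es"], ["CN=Example Org"])
    for req in (clean, faulty):
        print(req.common_name, "->", "ISSUE" if may_issue(req) else "BLOCK")
        for sev, msg in lint(req):
            print("   ", sev, msg)
```

Running the module prints a verdict per request followed by its findings; in a real CA pipeline the same `may_issue` decision would sit between profile assembly and signing, and every blocked request would be logged with its findings so that the lint output, not a later crt.sh review, is the first place a misissuance shows up.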
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
