Here's the incident report: 
  
1.    How your CA first became aware of the problem (e.g. via a problem report 
submitted to your Problem Reporting Mechanism, via a discussion in 
mozilla.dev.security.policy, or via a Bugzilla bug), and the date. 
  
Email from Wayne Thayer Oct 1, 2018
  
2.    A timeline of the actions your CA took in response. 
  
A. Oct 2, 2018 - Investigation began. 
B. Oct 4, 2018 - Found impacted certificate policy templates. 
C. Oct 4, 2018 - All the certificate owners were contacted and agreed on the 
issuance of new BR-compliant certificates at a time convenient for them, 
preferably not later than the end of this year, and the revocation of the 
current ones.
D. Oct 8, 2018 - Fixed impacted certificate policy templates. 
E. Oct 8, 2018 - This disclosure. 
  
Ongoing: 
F. Replacement of impacted certificates 
G. Training on periodic certificate policy template validation. 
  
3.    Confirmation that your CA has stopped issuing TLS/SSL certificates with 
the problem. 
  
Confirmed. 
  
4.    A summary of the problematic certificates. For each problem: number of 
certs, and the date the first and last certs with that problem were issued. 
  
There are 46 certificates.  The certificates were issued between Feb 20, 2017 
and Sep 25, 2018. 
  
5.    The complete certificate data for the problematic certificates. The 
recommended way to provide this is to ensure each certificate is logged to CT 
and then list the fingerprints or crt.sh IDs, either in the report or as an 
attached spreadsheet, with one list per distinct problem. 
  
Added as attachment 
https://crt.sh/?caid=15985&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01
  
6.    Explanation about how and why the mistakes were made or bugs introduced, 
and how they avoided detection until now. 
  
The incident concerns 46 certificates, the vast majority of which were issued 
for KIR S.A. internal system purposes. The root cause of this issue was human 
error in the certificate policy templates.


Remediation items: 

1. Reviewed all certificate policy templates to ensure that all of them are 
BR compliant. 
2. All the certificate owners were contacted and agreed on the issuance of new 
BR-compliant certificates at a time convenient for them, preferably not later 
than the end of this year, and the revocation of the current ones.
3. Added a procedural step for periodic certificate policy template validation.


By the way, we have a question about this error: ERROR: The 'Organization 
Name' field of the subject MUST be less than 64 characters.
According to https://www.ietf.org/rfc/rfc5280.txt and the note in this RFC, 
'ub-organization-name INTEGER ::= 64. For UTF8String or UniversalString at 
least four times the upper bound should be allowed.' So what is the max length 
of this field for UTF8String?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
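An added example, not part of the original post or of KIR's own systems, that applies the RFC 5280 bound from the question above: it walks a DER-encoded X.509 Name, extracts the organizationName attribute and reports its length both in characters and in UTF-8 bytes. It assumes the bound is at most 64 characters (code points), with the RFC's "four times the upper bound" note describing buffer storage for the UTF-8 encoding rather than a larger limit; the DER helpers and the Polish sample organization name are constructed for the example.

```python
# Added example, not from the original post: pull organizationName (OID 2.5.4.10)
# out of a DER-encoded X.509 Name and compare it with RFC 5280's
# ub-organization-name = 64, counting characters rather than UTF-8 bytes.
UB_ORGANIZATION_NAME = 64
OID_O = bytes([0x55, 0x04, 0x0A])  # 2.5.4.10 organizationName
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8String, PrintableString, IA5String

def read_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield the (tag, value) pairs nested inside a SEQUENCE or SET value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def organization_names(name_der):
    """Yield every organizationName string found in a DER Name."""
    _, rdn_sequence, _ = read_tlv(name_der)              # Name ::= SEQUENCE OF RDN
    for _, rdn in children(rdn_sequence):                # RDN ::= SET OF AttributeTypeAndValue
        for _, atv in children(rdn):                     # AttributeTypeAndValue ::= SEQUENCE
            (_, oid), (vtag, val) = list(children(atv))  #   { type OID, value ANY }
            if oid == OID_O and vtag in STRING_TAGS:
                yield val.decode(STRING_TAGS[vtag])

def check_organization_name(name_der):
    """Return (characters, utf8_bytes, within_bound) for the first O attribute."""
    org = next(organization_names(name_der))
    return len(org), len(org.encode("utf-8")), len(org) <= UB_ORGANIZATION_NAME

def der(tag, content):
    """Encode one DER TLV, switching to a long-form length at 128 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def name_with_o(org, tag=0x0C):
    """Constructed sample input: a one-RDN Name {O=org}, UTF8String by default."""
    value = der(tag, org.encode(STRING_TAGS[tag]))
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_O) + value)))

SAMPLE_ORG = ("Spółka Łódź " * 6)[:64]  # constructed: 64 characters, 91 UTF-8 bytes
```

A 64-character Polish name passes the character bound while already exceeding 64 bytes, which is the distinction the RFC's "four times" note is about.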