Here's the incident report: 1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, via a
discussion in mozilla.dev.security.policy, or via a Bugzilla bug), and the date. Email from Wayne Thayer Oct 1, 2018 2. A timeline of the actions your CA took in response. A. Oct 2, 2018 - Investigation began. B. Oct 4, 2018 - Found impacted certificate policy templates. C Oct 4, 2018 - All the certificates owners were contacted and agreed on issuance new BR compliant certificates in time convenient for them, preferably not later than by the end of this year and revocation current ones. D. Oct 8, 2018 - Fixed impacted certificate policy templates. E. Oct 8, 2018 - This disclosure. Ongoing: F. Replacement of impacted certificates G. Training of periodic certificate policy templates validation. 3. Confirmation that your CA has stopped issuing TLS/SSL certificates with the problem. Confirmed. 4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued. There are 46 certificates. The certificates were issued between Feb 20, 2017 and Sep 25, 2018. 5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. Added as attachment https://crt.sh/?caid=15985&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01 6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now. The the incident concerns 46 certificates in the vast majority issued on KIR S.A. internal system purposes. The root cause of this issue was human error in certificate policy templates. Remediation items: 1. Reviewed all certificate policy templates for ensuring that all of them are BR comliant. 2. All the certificates owners were contacted and agreed on issuance new BR compliant certificates in time convenient for them, preferably not later than by the end of this year and revocation current ones. 3. Added procedural step for periodic certificate policy templates validation. We have by the way question about error: ERROR: The 'Organization Name' field of the subject MUST be less than 64 characters. According to https://www.ietf.org/rfc/rfc5280.txt and the note from this RFC 'ub-organization-name INTEGER ::= 64. For UTF8String or UniversalString at least four times the upper bound should be allowed. So what is the max length of this field for UTF8String? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy