On Monday, October 15, 2018 at 7:15:26 PM UTC-4, Nick Hatch wrote:

> On February 21 2018, I reported an unexpired certificate to Identrust which
> contained SAN entries for several invalid .INT domains:
>
> https://crt.sh/?id=7852280
>
> They acknowledged and revoked the certificate in a timely manner. However, I
> find this event particularly bothersome:
>
> - This certificate was created for Identrust's own internal use.
> - The issue of .int being a valid TLD has been communicated and well-known
>   since 2009 [1]
> - I don't believe Identrust has disclosed this misissuance as required.
>
> -Nick
>
> [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/L9A67IryHu0/RzeaEgIjt48J

Mr. Hatch is correct, and although IdenTrust worked to resolve this issue immediately and responded to him accordingly, there was an oversight on our part in not filing the formal misissuance report more broadly to the public forum. With our apologies, here is that report:

1. How your CA first became aware of the problems listed below (e.g. via a Problem Report, via the discussion in mozilla.dev.security.policy, or via this Bugzilla Bug), and the date.

IdenTrust: We were made aware of this issue on 02/22/2018 from Nicholas Hatch via an email message to IdenTrust customer support.

2. Prompt confirmation that your CA has stopped issuing TLS/SSL certificates with the problems listed below.

IdenTrust: The certificate in question was revoked on the same date, 02/22/2018.

3. Complete list of certificates that your CA finds with each of the listed issues during the remediation process. The recommended way to handle this is to ensure each certificate is logged to CT and then attach a CSV file/spreadsheet of the fingerprints or crt.sh IDs, with one list per distinct problem.

IdenTrust: Only one certificate was found to have a SAN containing a ‘.int’ domain. This certificate was issued on 5/21/2015 with crt.sh ID: https://crt.sh/?id=7852280. As noted in #2, this certificate was revoked on 2/22/2018.

4. Summary of the problematic certificates. For each problem listed below: number of certs, date first and last certs with that problem were issued.

IdenTrust: The problematic certificates consist of only one certificate, issued on 5/21/2015 and installed on an IdenTrust server. As noted in #2, this certificate was revoked on 2/22/2018.

5. Explanation about how and why the mistakes were made, and not caught and fixed earlier.

IdenTrust: The certificate was generated for a server within IdenTrust. The certificate contained internal domain names which were not reachable externally. Two domain names in the SAN (Autodiscover.identrus.int and Mercury.identrus.int) were included at that time. When the certificate was generated, these domains were internally hosted domains. When the problem was identified, IdenTrust revoked the certificate and issued a new certificate without the Autodiscover.identrus.int and Mercury.identrus.int entries.

6. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

IdenTrust: Post 02/22/2018, IdenTrust implemented a change in the certificate approval processes that will prevent domain names with the .int TLD from being approved.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
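Item 6 of the report describes a pre-approval control that rejects SAN dNSName entries under the .int TLD. The block below is an added example of such a check, written for this page and not IdenTrust's own code: it normalises each SAN (case, trailing dot, wildcard label), extracts the last label, and rejects names whose TLD is on a CA policy denylist. The denylist holds ".int" from the report plus a few assumed entries (.local, .corp, .home, .mail), and the sample SAN list is constructed, reusing the two names from the report. Note that a plain "is this an IANA TLD" lookup would not have caught this case, because .int is a real registered TLD; the control has to be an explicit policy decision.

```python
"""Pre-approval SAN policy check (example code, not IdenTrust's implementation).

Rejects dNSName SAN entries whose top-level label is on a CA policy denylist,
so that names such as the two in the report can never reach approval.
"""

from dataclasses import dataclass
from typing import Iterable, List

# CA policy denylist of TLDs that must not appear in a SAN.  ".int" is the TLD
# from the report; the others are assumed additions for illustration
# (RFC 6762 .local, and the ICANN-reserved internal-use names .corp/.home/.mail).
DENIED_TLDS = frozenset({"int", "local", "corp", "home", "mail"})


@dataclass(frozen=True)
class SanFinding:
    san: str      # the SAN exactly as it was submitted
    tld: str      # the normalised top-level label that was extracted
    reason: str   # why the entry was rejected


def normalise_dns_name(name: str) -> str:
    """Lower-case the name, strip a trailing dot, and drop a leading wildcard label."""
    n = name.strip().lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]
    return n


def extract_tld(name: str) -> str:
    """Return the last label of a normalised DNS name, or '' for single-label names."""
    n = normalise_dns_name(name)
    if not n or "." not in n:
        return ""
    return n.rsplit(".", 1)[1]


def check_san_policy(san_dns_names: Iterable[str],
                     denied: frozenset = DENIED_TLDS) -> List[SanFinding]:
    """Return one finding per SAN dNSName that violates policy.

    An empty list means the request may proceed to approval.  Single-label
    names are rejected as well, since they have no public TLD at all.
    """
    findings: List[SanFinding] = []
    for san in san_dns_names:
        tld = extract_tld(san)
        if tld == "":
            findings.append(SanFinding(san, tld, "single-label or empty name"))
        elif tld in denied:
            findings.append(SanFinding(san, tld, f"TLD .{tld} is denied by CA policy"))
    return findings


# Constructed sample request: two public names, the two names from the report,
# and a single-label name.  Only the first and the wildcard entry should pass.
SAMPLE_SANS = [
    "www.example.com",
    "Autodiscover.identrus.int",
    "Mercury.identrus.int",
    "*.mail.example.net",
    "intranet",
]

if __name__ == "__main__":
    for f in check_san_policy(SAMPLE_SANS):
        print(f"REJECT {f.san!r}: {f.reason}")
```

Running the block prints a rejection line for each of the two .int names and for the single-label entry; the request would be held before any approval step. Wiring this in ahead of the approver (rather than relying on a human to notice an internal name) is the point of the control described in item 6.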