On Tuesday, October 16, 2018 at 7:19:07 PM UTC-4, Matt Palmer wrote:
> On Tue, Oct 16, 2018 at 02:18:39PM -0700, identrust--- via
> dev-security-policy wrote:
> > 5. Explanation about how and why the mistakes were made, and not caught and
> > fixed earlier.
> >
> > IdenTrust: The certificate was generated for a server within IdenTrust.
> > The certificate contained internal domain names which were not reachable
> > externally. Two domain names in the SAN (Autodiscover.identrus.int and
> > Mercury.identrus.int) were included at that time. When the certificate
> > was generated, these domains were internally hosted domains.
>
> This doesn't explain why the mistakes were made, nor does it explain why
> they were not caught and fixed earlier.

IdenTrust: IdenTrust has strict procedures regarding issuance of publicly trusted website certificates. However, at the time of this certificate issuance (2015) the procedures did allow the ability to request exceptions for IdenTrust internal deployments that were not accessible externally. In this particular case, an exception was requested by IT staff to our registration desk and was escalated and granted through a risk management process, as the certificate and associated server in question were not expected to be accessible externally and the server was to be operational only for a short duration. However, due to human error in implementation, the server was made available external to our network. Also due to human error, the IT staff failed to request certificate revocation when the certificate was no longer needed. Upon discovering this misissuance on 02/22/2018, IdenTrust updated the website certificate approval procedures to eliminate the ability to request exceptions to the standard domain validation/verification procedures. Please note that these website issuance procedures apply to all applications regardless of the TLD(s) requested in the certificate application.

> > 6. List of steps your CA is taking to resolve the situation and ensure
> > such issuance will not be repeated in the future, accompanied with a
> > timeline of when your CA expects to accomplish these things.
> >
> > IdenTrust: Post 02/22/2018, IdenTrust implemented a change in the
> > certificate approval processes that will prevent the domain names with the
> > .int TLD from being approved.
>
> What about other non-existent TLDs?
>
> - Matt

IdenTrust: Our website certificate issuance procedures (including domain validation/verification and procedures for handling High Risk Certificate Requests) apply to all requests containing any TLDs.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Identrust Commercial Root CA 1 EV Request
identrust--- via dev-security-policy Wed, 17 Oct 2018 15:10:35 -0700
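The exchange above contrasts two controls: blocking one TLD (.int) versus a screen that applies to every requested name. The following is an added illustration, not IdenTrust's tooling, of a pre-issuance SAN screen that checks each dNSName against a TLD allowlist and an organisation-maintained list of internal zones; the TLD subset and the internal-zone entry are constructed for the example (the two hostnames are the ones named in the thread).

```python
"""Pre-issuance screen of SAN dNSNames for names that public domain-control
validation cannot cover. Added illustration; the TLD set and the
internal-zone list are constructed for the example."""
import ipaddress

# Constructed subset of delegated TLDs; a production check would load the
# IANA root zone list instead of hard-coding names.
PUBLIC_TLDS = {"com", "net", "org", "int", "io", "uk", "de"}

# Zones the organisation uses only internally. The entry is built from the
# two SAN names discussed in the thread (identrus.int is not a public zone
# of the CA's, so domain-control validation could never pass for it).
INTERNAL_ZONES = {"identrus.int"}


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def screen_san(name: str, public_tlds=PUBLIC_TLDS, internal_zones=INTERNAL_ZONES):
    """Return None if the name may proceed to domain-control validation, else a reason."""
    n = normalize(name)
    try:
        ipaddress.ip_address(n)
        return "ip-address"          # IP SANs need their own validation path
    except ValueError:
        pass
    labels = n.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return "single-label"        # bare hostnames like 'intranet' or 'mercury'
    if labels[-1] not in public_tlds:
        return "unknown-tld"         # .lan, .corp, .local, typos, ...
    for zone in internal_zones:
        if n == zone or n.endswith("." + zone):
            return "internal-zone"   # delegated TLD, but a zone never served publicly
    return None


def screen_request(sans, **kw):
    """Reject the whole request on any finding: there is no per-request exception path."""
    findings = [(s, screen_san(s, **kw)) for s in sans]
    findings = [(s, r) for s, r in findings if r]
    return (len(findings) == 0, findings)


def blocklist_only(name: str, blocked_tlds=frozenset({"int"})) -> bool:
    """The narrower control from the thread: reject only when the TLD is on a denylist."""
    return normalize(name).split(".")[-1] in blocked_tlds
```

Running `blocklist_only` against a name such as `mail.corp.lan` shows what the single-TLD denylist misses, while `screen_request` rejects it along with the two identrus.int names.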