On Mon, Oct 29, 2018 at 1:56 PM Juan Angel Martin via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Hello,
>
> "MULTICERT SSL Certification Authority 001" is a cross-certificate's CN.
>
> https://crt.sh/?id=479956216
> Issuer: (CA ID: 5842)
> commonName = MULTICERT Root Certification Authority 01
> organizationName = MULTICERT - Serviços de Certificação Electrónica S.A.
> countryName = PT
> Validity
> Not Before: Dec 12 16:00:08 2017 GMT
> Not After : Jun 12 16:00:08 2030 GMT
> Subject: (CA ID: 84368)
> commonName = MULTICERT SSL Certification Authority 001
> organizationalUnitName = Certification Authority
> organizationName = MULTICERT - Serviços de Certificação Electrónica S.A.
> countryName = PT
>
> https://crt.sh/?id=573264407
> Issuer: (CA ID: 1114)
> commonName = Global Chambersign Root - 2008
> organizationName = AC Camerfirma S.A.
> serialNumber = A82743287
> localityName = Madrid (see current address at www.camerfirma.com/address)
> countryName = EU
> Validity
> Not Before: Jul 3 12:01:18 2018 GMT
> Not After : May 20 12:01:18 2025 GMT
> Subject: (CA ID: 84368)
> commonName = MULTICERT SSL Certification Authority 001
> organizationalUnitName = Certification Authority
> organizationName = MULTICERT - Serviços de Certificação Electrónica S.A.
> countryName = PT
>
> The first one is included into this audit attestation letter that
> MULTICERT sent us (intermediate CA #5)
> http://docs.camerfirma.com/publico/Ficheros/I1002_v2_EN_Audit_letter_eIDAS_SSL.PDF
>
> We've claimed in Salesforce that the audits are the same as the parent
> interpreting that it's in the scope of this audit (what is obviously an
> error).

Thanks for replying. The issue https://bugzilla.mozilla.org/show_bug.cgi?id=1502957 was filed regarding this, so it would be good to follow the incident report. While hindsight is 20/20, and it's encouraging you acknowledge this as clearly an error, it would be useful for the community to treat this as an incident and try to understand what the root causes of these errors are.

"Human error" doesn't really help devise appropriate solutions and mitigations. Exploring factors such as how the disclosures are made, what the disclosure review process is, and how that information is compared is more useful to the community. It sounds like you did have additional information and had the audit material ready, so understanding how that ended up failing to be included in Mozilla is good. While improvements to CCADB in terms of programmatic reading of audit reports would have caught this discrepancy, it may be useful for both AC Camerfirma - and all CAs - to ensure their disclosures are appropriate based on the /issued/ certificate, and not just the audit statement. That is, because of the existence of the cross-certificate, under AC Camerfirma's hierarchy it was distinct. CCADB tries to make this clear, in that each certificate only lists a single 'parent' (in this case, this intermediate would be listed with the parent of Camerfirma's certificate), but I suspect that if other CAs have made this mistake, or other issues exist with Camerfirma's disclosure, this would be taken very unkindly by the community.
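The point above, that a cross-certificate is a distinct certificate with its own parent even when its subject and key are the same, is the kind of thing a CA can check against its own issued certificates rather than against an audit letter. The following Go program is an added example, not code from the thread, CCADB or either CA: it constructs a placeholder hierarchy of the same shape (one intermediate key pair certified by two different roots; the names are constructed, not the real MULTICERT or Camerfirma certificates) and then groups CA certificates by subject public key to list every (subject, issuer) pair that needs its own disclosure record. The helpers `issue`, `newKey`, `BuildSample` and `CrossCertified` are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// issue signs a CA certificate for subject carrying subjectKey's public key. With a nil parent the
// certificate is self-signed (a root). Hypothetical helper written for this example.
func issue(subject string, subjectKey *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, subjectKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// BuildSample constructs the shape of the situation in the thread: a single intermediate key pair
// ("SSL CA 001") certified once by its own root and once, as a cross-certificate, by a second root.
// All names are constructed placeholders.
func BuildSample() []*x509.Certificate {
	rootAKey, rootBKey, subKey := newKey(), newKey(), newKey()
	rootA := issue("Example Root 01", rootAKey, nil, nil, 1)
	rootB := issue("Example Chambersign-style Root", rootBKey, nil, nil, 2)
	sub1 := issue("Example SSL CA 001", subKey, rootA, rootAKey, 10) // in root A's own hierarchy
	sub2 := issue("Example SSL CA 001", subKey, rootB, rootBKey, 11) // cross-certificate from root B
	return []*x509.Certificate{rootA, rootB, sub1, sub2}
}

// Record is one CCADB-style row: a single certificate with its single parent.
type Record struct {
	Subject, Issuer, Serial string
}

// CrossCertified groups CA certificates by a hash of their subject public key and returns, for each
// key that appears under more than one issuer, every (subject, issuer) pair found. Each pair is a
// distinct certificate: it needs its own disclosure, and the audit scope has to cover it under its
// own parent, not just under the subject CA's name.
func CrossCertified(certs []*x509.Certificate) map[string][]Record {
	byKey := map[string][]*x509.Certificate{}
	for _, c := range certs {
		if !c.IsCA {
			continue
		}
		sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
		key := hex.EncodeToString(sum[:8])
		byKey[key] = append(byKey[key], c)
	}
	out := map[string][]Record{}
	for key, group := range byKey {
		issuers := map[string]bool{}
		var recs []Record
		for _, c := range group {
			issuers[c.Issuer.String()] = true
			recs = append(recs, Record{c.Subject.CommonName, c.Issuer.CommonName, c.SerialNumber.String()})
		}
		if len(issuers) > 1 {
			sort.Slice(recs, func(i, j int) bool { return recs[i].Issuer < recs[j].Issuer })
			out[key] = recs
		}
	}
	return out
}

func main() {
	for key, recs := range CrossCertified(BuildSample()) {
		fmt.Printf("key %s... is cross-certified; one disclosure per row is needed:\n", key)
		for _, r := range recs {
			fmt.Printf("  subject=%q issuer=%q serial=%s\n", r.Subject, r.Issuer, r.Serial)
		}
	}
}
```

Run against a CA's actual issued CA certificates (for instance everything crt.sh lists under the organisation), the output is the list of rows that must each appear in CCADB with their own parent; a row whose issuer is not in the audit statement's scope is exactly the discrepancy the thread describes.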