Yesterday, Apple submitted this preliminary incident report: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1533655, which is reposted below.  

On 2019-03-06 we determined that we were issuing certificates with 
non-compliant serial numbers because of the EJBCA issue [1]. We fixed the 
problem within 24 hours and stopped issuing non-compliant certificates as of 
the afternoon of 2019-03-07 and are working to address previously issued 
certificates. All impacted certificates were issued to Apple entities.

To minimize impact to our users, we do not expect to revoke all impacted 
certificates within the 5-day requirement. We expect to provide a timeline for 
revoking all impacted certificates in a forthcoming update.

Certificates issued by the following CAs were impacted:

* Apple IST CA 2 - G1 (https://crt.sh/?id=5250464): TLS Server
* Apple IST CA 8 - G1 (https://crt.sh/?id=21760447): TLS Server
* Apple IST CA 5 - G1 (https://crt.sh/?id=12716200): S/MIME

Based on our initial analysis, the number of certificates impacted is as 
follows:

* TLS Server Certificates (from Apple IST CA 2 - G1, Apple IST CA 8 - G1)
-- Total number of impacted certificates (issued since 2016-09-30): ~878,000
-- Total number of impacted certificates that are still valid (not expired and 
not revoked) as of 2019-03-07 3:20 PST: ~558,000

* S/MIME Certificates (from Apple IST CA 5 - G1)
-- Total number of impacted certificates (issued since 2016-09-30): ~2,400
-- Total number of impacted certificates that are still valid (not expired and 
not revoked) as of 2019-03-07 3:20 PST: ~2,000

We expect to reply back with more details and a full incident report in a 
forthcoming update.

[1] Configurable SN Entropy, Default Value Raised to 20 Octets 
(https://www.ejbca.org/docs/EJBCA_7.0.1_Release_Notes.html)
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
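As an added example (not part of Apple's report, the list post, or EJBCA's code), the Python below models the serial-number defect behind this incident under one assumption: that the affected generator drew N random octets and cleared the top bit so the DER INTEGER stayed positive, which leaves an 8-octet serial with only 63 bits of the 64 bits the Baseline Requirements demand. It also shows the population-level check an auditor or CA can run over a CA's issued serials, since a single serial cannot be judged for entropy, plus the DER encoding of the serialNumber field around it.

```python
import os

MIN_ENTROPY_BITS = 64   # CA/Browser Forum BR 7.1: at least 64 bits of CSPRNG output
MAX_SERIAL_OCTETS = 20  # BR limit on the DER INTEGER content octets of serialNumber

def sign_bit_cleared_serial(num_octets: int, rng=os.urandom) -> int:
    """Assumed pre-fix behaviour: draw num_octets random bytes, then clear the
    top bit so the INTEGER is positive. That bit is lost entropy: 8 octets -> 63 bits."""
    raw = bytearray(rng(num_octets))
    raw[0] &= 0x7F
    return int.from_bytes(raw, "big")

def full_entropy_serial(entropy_bits: int = MIN_ENTROPY_BITS, rng=os.urandom) -> int:
    """Keep every random bit; DER takes care of positivity with a leading 0x00 octet."""
    return int.from_bytes(rng(entropy_bits // 8), "big")

def der_encode_serial(serial: int) -> bytes:
    """Minimal DER INTEGER for a positive serial (short-form length is enough here)."""
    content = serial.to_bytes(serial.bit_length() // 8 + 1, "big")  # +1 adds 0x00 when top bit is set
    return b"\x02" + bytes([len(content)]) + content

def der_decode_serial(der: bytes) -> int:
    if der[0] != 0x02 or der[1] > 0x7F or len(der) != 2 + der[1]:
        raise ValueError("not a short-form DER INTEGER")
    return int.from_bytes(der[2:], "big", signed=True)

def check_serial(serial: int) -> dict:
    """Per-certificate checks decidable from one value: positive and at most
    20 content octets. Entropy is not decidable from a single serial."""
    content_len = serial.bit_length() // 8 + 1
    return {"positive": serial > 0, "within_20_octets": content_len <= MAX_SERIAL_OCTETS}

def audit_serials(serials) -> dict:
    """Population check: with >= 64 random bits, bit 63 is set in about half of
    all serials, so the highest bit length seen across n serials is >= 64 except
    with probability 2**-n. A large sample whose maximum is 63 is strong evidence
    of a cleared sign bit (exactly the 63-bit symptom of this incident)."""
    n = len(serials)
    max_bits = max(s.bit_length() for s in serials)
    return {
        "max_bit_length": max_bits,
        "likely_compliant": max_bits >= MIN_ENTROPY_BITS,
        "p_chance_if_compliant": 2.0 ** -n if max_bits < MIN_ENTROPY_BITS else 1.0,
    }

if __name__ == "__main__":
    print(audit_serials([sign_bit_cleared_serial(8) for _ in range(200)]))
    print(audit_serials([full_entropy_serial() for _ in range(200)]))
```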