Hi,

It might have been found, but there's a good chance it would have been bypassed 
anyhow. Since it was not a bug in the code, you would have had to analyze it 
in the context of the discussions around b164, and I think there are probably 
very few people who could/would. I may be wrong, and we surely appreciate it; the 
more eyes on EJBCA the better. We love issue reports from the Community.

My take is that this was a bit of pure chance at play here. EJBCA had used 
8-octet serial numbers (64 bits) as default since 2001, and by coincidence CAB 
Forum chose exactly the same number, 64 bits (note that I speak only about the 
number itself here, not about the meaning). Simply by the similarity of those 
numbers it was overlooked that dragons were lurking. If CAB Forum had chosen 
56, 72, 96 or any other random number, nobody would have missed it and 
compliant configurations would have been made.

Generally, as you know, EJBCA has a wide array of use cases, of which CAB
Forum is one important one, but it must remain configurable (down to 4-octet 
serials, for example). An important user base such as CAB Forum deserves 
compliant defaults of course, which has now been addressed by Mike and his team.

Here's hoping for more code reviews!

Cheers,
Tomas

On Friday, March 15, 2019 at 12:35:53 AM UTC+1, James Burton wrote:
> (Forgot to post it to m.d.s.p)
> 
> You're right that we all failed to conduct the proper due diligence source
> code checks on EJBCA and therefore missed this important issue. We all need
> to learn from this past mistake and implement better checks which prevent
> issues like this that might arise in the future.
> 
> Thank you,
> 
> Burton
> 
> On Thu, Mar 14, 2019 at 10:57 PM Ryan Sleevi <r...@sleevi.com> wrote:
> 
> >
> >
> > On Thu, Mar 14, 2019 at 6:54 PM James Burton via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> >> Let's Encrypt CA software 'Boulder' is open source for everyone to browse
> >> and check for issues. All other CAs should follow the Let's Encrypt lead
> >> and open source their own CA software for everyone to browse and check for
> >> issues. We might have found the serial number issue sooner.
> >>
> >
> > Considering EJBCA is open-source, this does not seem that it would
> > logically follow.
> >

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy