In the course of normal communications with AT&T, we came across an SSL certificate that did not have the required AIA extension in it on Friday April 16th. We had a conference call shortly thereafter and they verified that one of their current EJBCA certificate profiles is missing this extension.
They think that the certificate profile was not maintained when they performed a recent EJBCA upgrade. They believe the upgrade was done in March and that most of the certificates that were replaced due to the 63 bit serial number incident have been replaced with certificates that do not contain the AIA extension. GlobalSign would have detected this during our 100% audit of their March certificates; however, due to AT&T staff vacation schedules, the March upload of issued certificates was delayed. We're working with them to obtain the timeline for the change, the dates during which they misissued certificates, the list of affected certificates, and the replacement and revocation schedule. It should be noted that these certificates are not posted to CT logs, nor are they accessed via browsers, as they are used within closed networks, but we'll get more details on their exact usage shortly. I've created this bug to track this issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1547691
dev-security-policy mailing list, dev-security-policy@lists.mozilla.org, https://lists.mozilla.org/listinfo/dev-security-policy
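The defect described in the post is a profile that omits the authorityInfoAccess (AIA) extension entirely, and the control that should have caught it is a full review of the month's issued certificates. The following Go program is an added example, not code from the post, from GlobalSign, or from AT&T's EJBCA deployment: it lints DER certificates for the AIA extension using only the standard library's crypto/x509, and it goes slightly beyond the post by also flagging an AIA extension that is present but names no OCSP or caIssuers location, and by counting misissued certificates across a batch. The sample certificates are self-signed throwaways generated at run time, and the OCSP and caIssuers URLs in them are constructed placeholders, not real endpoints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-pe-authorityInfoAccess, the OID of the AIA extension (RFC 5280, 4.2.2.1).
var oidAIA = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1}

// hasExtension reports whether the parsed certificate carries an extension
// with the given OID, independent of the typed fields Go populates from it.
func hasExtension(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oid) {
			return true
		}
	}
	return false
}

// LintAIA parses one DER-encoded certificate and returns the AIA problems
// found. An empty result means the extension is present and names both an
// OCSP responder and a caIssuers location.
func LintAIA(der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}
	var problems []string
	if !hasExtension(cert, oidAIA) {
		// The profile defect from the post: no AIA extension at all.
		return append(problems, "authorityInfoAccess extension missing"), nil
	}
	if len(cert.OCSPServer) == 0 {
		problems = append(problems, "AIA present but has no OCSP access location")
	}
	if len(cert.IssuingCertificateURL) == 0 {
		problems = append(problems, "AIA present but has no caIssuers access location")
	}
	return problems, nil
}

// CountMissingAIA runs LintAIA over a batch (the kind of 100% review the post
// describes) and returns how many certificates lack the extension entirely.
func CountMissingAIA(batch [][]byte) (int, error) {
	missing := 0
	for i, der := range batch {
		problems, err := LintAIA(der)
		if err != nil {
			return missing, fmt.Errorf("certificate %d: %w", i, err)
		}
		for _, p := range problems {
			if p == "authorityInfoAccess extension missing" {
				missing++
			}
		}
	}
	return missing, nil
}

// IssueTestCert self-signs a throwaway ECDSA certificate so the linter has
// offline input. withAIA selects whether the template carries OCSP and
// caIssuers URLs (constructed placeholders, not real endpoints); Go emits
// the AIA extension only when at least one of them is set.
func IssueTestCert(withAIA bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "lint-sample.example.test"},
		DNSNames:     []string{"lint-sample.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if withAIA {
		tmpl.OCSPServer = []string{"http://ocsp.example.test"}
		tmpl.IssuingCertificateURL = []string{"http://ca.example.test/issuer.crt"}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	for _, withAIA := range []bool{true, false} {
		der, err := IssueTestCert(withAIA)
		if err != nil {
			panic(err)
		}
		problems, err := LintAIA(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("withAIA=%v problems=%q\n", withAIA, problems)
	}
}
```

The check keys on the raw extension OID rather than only on the typed OCSPServer and IssuingCertificateURL fields, so a certificate whose AIA is present but empty is reported as a different finding from one that omits the extension; in a real audit the DER input would come from the CA's issued-certificate export rather than from IssueTestCert.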