Today we opened a bug disclosing misissuance of some certificates that have invalid State/Prov values:
https://bugzilla.mozilla.org/show_bug.cgi?id=1575880 On Tuesday August 20th 2019, GlobalSign was notified by a third party through the report abuse email address that two certificates were discovered which contained wrong State information, either in the stateOrProvinceName field or in the jurisdictionStateOrProvinceName field. The two certificates in question were: https://crt.sh/?id=1285639832 https://crt.sh/?id=413247173 GlobalSign started and concluded the investigation within 24 hours. Within this timeframe GlobalSign reached out to the Certificate owners that these certificates needed to be replaced because revocation would need to happen within 5 days, following the Baseline Requirements. As of the moment of reporting, these certificates have not yet been replaced, and the offending certificates have not been revoked. The revocation will happen at the latest on the 25th of August. Following this report, GlobalSign initiated an additional internal review for this problem specifically (unexpected values for US states in values in the stateOrProvinceName or jurisdictionStateOrProvinceName fields). Expected values included the full name of the States, or their official abbreviation. We reviewed all certificates, valid on or after the 21st of August, that weren't revoked for other unrelated reasons. To accommodate our customers globally, the stateOrProvinceName field or in the jurisdictionStateOrProvinceName are text fields during our ordering process. The unexpected values were not spotted or not properly corrected. We have put additional flagging in place to highlight unexpected values in both of these fields, and are looking at other remedial actions. None of these certificates were previously flagged for internal audit, which is completely randomized. We will update with a full incident report for this and also disclose all other certificates found based on our research.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy