> > - Microsec will check all the issued IVCP certificates looking for similar
> > issues - deadline 2020-03-20

Microsec has finished the detailed investigation of the issued TLS IVCP certificates, looking for similar issues. The findings are the following:

Microsec issued altogether 9 test certificates on 2019-10-01 and 2019-10-02 with 30 days validity. The purpose of the test was to issue DV and IV certificates from each subordinate CA which is used to issue these types of certificates. The test covered both the RSA-based hierarchy and the ECC-based new CA hierarchy. The test certificates were issued directly from the CA software by using the operator interface. The CA software forces the use of dual control.

The RSA-based system is configured to use Certificate Transparency to fully comply with the present requirements. 4 of the 9 test certificates were issued in the RSA-based system. The ECC-based system was configured to issue the test certificates without Certificate Transparency, because this root is not trusted yet and none of the log servers issues SCTs for this root. 5 of the 9 test certificates were issued in the ECC-based system.

The Subject DN fields were configured according to the DV profile requirements, so the issuance of the DV certificates was successful. The 2 successfully issued RSA-based DV certificates can be found on crt.sh as
https://crt.sh/?q=1947651733
https://crt.sh/?q=1944631156

The issuance of the test IV certificates was done using the same Subject DN fields by mistake. None of the operators identified the missing fields in the case of IV certificates. The following RSA-based IV certificates were issued with missing fields in the Subject name:
https://crt.sh/?q=1947655126
https://crt.sh/?q=1947655112
They are already included in the incident report, and there are no other IV certificates issued under the RSA root with this problem.

A similar set of 3 DV and 2 IV test certificates were issued under the ECC root, but without SCTs, as explained above. Because of this, they can't be found on crt.sh. The 3 DV test certificates were correct. The 2 IV test certificates have the same problem: missing givenName, surName, localityName fields in the Subject DN. These certificates are already expired, so revocation is not possible. Microsec has only issued test TLS certificates under the ECC root so far. The cause of the problem was the same as for the RSA-based test certificates, so the remediation and preventive measures are the same too.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
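The report above describes IV certificates issued with a DV-shaped Subject DN, which dual-control operator review did not catch. The following is an added example (not Microsec's code) of a pre-issuance lint that parses an RFC 4514 subject string and reports which attributes a profile requires but the DN lacks; the required-attribute sets per profile and the sample subjects are assumptions constructed for this example.

```python
"""Lint TLS subject DNs against per-profile required attribute types.

Constructed example: subjects are given as RFC 4514 strings (the form
crt.sh and openssl print), parsed into {type: [values]} and compared with
an assumed required-attribute set for the DV and IV profiles.
"""
import re

# Assumed required Subject DN attributes per profile. The IV set is built
# from the fields the report found missing (givenName, surname, localityName)
# plus commonName and countryName; DV needs only commonName.
REQUIRED = {
    "DV": {"CN"},
    "IV": {"CN", "GN", "SN", "L", "C"},
}

# Long attribute names (as crt.sh prints them) mapped to short forms.
ALIASES = {"COMMONNAME": "CN", "GIVENNAME": "GN", "SURNAME": "SN",
           "LOCALITYNAME": "L", "COUNTRYNAME": "C", "ORGANIZATIONNAME": "O"}

# Separators are ',' between RDNs and '+' inside a multi-valued RDN;
# both may be escaped with a backslash, which the lookbehind respects.
_RDN_SPLIT = re.compile(r"(?<!\\),")
_AVA_SPLIT = re.compile(r"(?<!\\)\+")


def parse_dn(dn: str) -> dict:
    """Parse 'CN=x,O=y' into {type: [values]}, unescaping '\\,' in values."""
    attrs = {}
    for rdn in _RDN_SPLIT.split(dn):
        for ava in _AVA_SPLIT.split(rdn):
            typ, sep, val = ava.strip().partition("=")
            if not typ or not sep:
                raise ValueError(f"malformed attribute: {ava!r}")
            key = typ.strip().upper()
            attrs.setdefault(ALIASES.get(key, key), []).append(val.replace("\\,", ","))
    return attrs


def missing_fields(dn: str, profile: str) -> list:
    """Return the profile's required attribute types absent from the DN, sorted."""
    return sorted(REQUIRED[profile] - set(parse_dn(dn)))


# Constructed subjects modelled on the incident: a DV-shaped DN reused for an IV cert.
DV_SUBJECT = "CN=test.example.com,O=Example Kft.,C=HU"
IV_SUBJECT = "CN=test.example.com,GN=Jane,SN=Doe,L=Budapest,C=HU"

if __name__ == "__main__":
    print("DV subject as DV:", missing_fields(DV_SUBJECT, "DV"))  # []
    print("DV subject as IV:", missing_fields(DV_SUBJECT, "IV"))  # ['GN', 'L', 'SN']
    print("IV subject as IV:", missing_fields(IV_SUBJECT, "IV"))  # []
```

Wiring such a check into the issuance path before the dual-control approval step turns the missing-field condition into a hard rejection rather than something an operator has to notice by eye.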