Re: Misissued certificate with improper characters in DNSname

2018-01-04 Thread Wayne Thayer via dev-security-policy
Stephen,

Thanks for the report. I have a few questions:
1. Did you scan for any additional certificates containing this type of
error that Quovadis or your subordinate CAs have issued? What were the
findings?
2. Will the linting check be performed pre- or post-issuance?
3. When will the linting check be in place, and will it cover all
certificates issued under a Quovadis root?

Wayne

On Fri, Dec 22, 2017 at 1:54 PM, Stephen Davidson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Dec 21 at 1715 UST we received a problem report (below) by email to
> complia...@quovadisglobal.com from Alex Gaynor relating to a TLS/SSL
> certificate issued by Swiss Government Public Trust Standard CA 02, a
> technically constrained external CA operated by Bundesamt fuer Informatik
> und Telekommunikation (BIT).
>
> Specifically, a SAN in that certificate included a dNSName that ended with
> two \n characters:
> https://crt.sh/?id=282646337&opt=cablint
>
> The certificate was revoked by the CA on Dec 22 at 1125 UST.
>
> Upon investigation, the CA reports that the misissuance was the result of
> administrator error during the manual input of the SAN entry.  The
> misissuance will be reported to the CAs external auditors.  The CA has
> undertaken to add linting as part of the issuance of their TLS/SSL
> certificates.
>
> Thanks to Alex Gaynor for reporting the issue.
>
> Regards,
> Stephen Davidson
> QuoVadis, a WISeKey company
>
> --
>
> From: Alex Gaynor [mailto:agay...@mozilla.com]
> Sent: Thursday, December 21, 2017 1:15 PM
> To: Group - QuoVadis Compliance <complia...@quovadisglobal.com>
> Subject: Misissued certificate
>
> Hi,
>
> I'm reporting a misissued certificate from one of your sub CAs:
> https://crt.sh/?id=282646337&opt=cablint
>
> Specifically, one of the dNSNames ends with two newline (\n) characters,
> which are not valid in a DNS label.
>
> I am requesting you revoke this certificate and provide a post-mortem to
> MDSP.
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
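A pre-issuance lint of the kind Stephen says the CA is adding, written here as an added Python example (hypothetical code, not QuoVadis', BIT's or cablint's): it checks each dNSName SAN value against the RFC 5280 §4.2.1.6 preferred name syntax and flags the trailing-newline case from this report. The sample SAN values are constructed.

```python
import re

# Label syntax from RFC 1034 s3.5 as relaxed by RFC 1123 s2.1: letters,
# digits and hyphens, no leading/trailing hyphen, 1 to 63 octets.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def lint_dnsname(value):
    """Return a list of findings for one dNSName SAN value; [] means clean.

    Hypothetical pre-issuance check (not QuoVadis', BIT's or cablint's code)
    enforcing RFC 5280 s4.2.1.6: an IA5String in preferred name syntax, with
    '*' permitted only as the whole leftmost label.
    """
    findings = []
    # Anything outside visible ASCII (so also \n, \r, \t and space) can never
    # be part of a DNS name; this is the defect in the reported certificate.
    bad = sorted({c for c in value if not 0x21 <= ord(c) <= 0x7E})
    if bad:
        findings.append("character(s) outside visible ASCII: "
                        + ", ".join(repr(c) for c in bad))
        # Drop them so the structural checks below still run on the rest.
        value = "".join(c for c in value if 0x21 <= ord(c) <= 0x7E)
    if not value:
        return findings + ["empty dNSName"]
    if len(value) > 253:
        findings.append(f"name is {len(value)} octets, limit is 253")
    for pos, label in enumerate(value.split(".")):
        if label == "*":
            if pos != 0:
                findings.append("wildcard '*' only allowed as leftmost label")
        elif "*" in label:
            findings.append(f"partial wildcard label {label!r} not allowed")
        elif not label:
            findings.append(f"empty label at position {pos} (trailing dot or '..')")
        elif not _LABEL_RE.match(label):
            findings.append(f"label {label!r} violates preferred name syntax")
    return findings

def lint_sans(dnsnames):
    """Lint every dNSName in a SAN; issuance should be refused if any fails."""
    return {name: lint_dnsname(name) for name in dnsnames}

if __name__ == "__main__":
    # Constructed sample SAN entries, including the trailing-newline shape
    # from the thread; none of them come from a real certificate.
    samples = ["www.example.com", "*.example.com", "example.com\n\n",
               "-bad.example.com", "www.*.example.com"]
    for name, found in lint_sans(samples).items():
        print(repr(name), "OK" if not found else "; ".join(found))
```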


Re: Audit Reminder Email Summary

2018-01-04 Thread Kurt Roeckx via dev-security-policy

On 2018-01-04 01:36, Kathleen Wilson wrote:

> Mozilla: Audit Reminder
> Root Certificates:
>     AC Raíz Certicámara S.A.
> Standard Audit: https://cert.webtrust.org/SealFile?seal=2120&file=pdf
> Audit Statement Date: 2016-09-15
> CA Comments: null


The audit period of that is 2015-07-01 to 2016-04-30. They are clearly
overdue, instead of just a reminder.

Kurt