Re: Certificates with subject locality "Default City"

2019-05-02 Thread Alex Cohn via dev-security-policy
On Thu, May 2, 2019 at 3:45 PM Nick Lamb wrote:
> Alex, you say you "came across" these certificates, do you think it is
> likely that there are many more, or was that in practice a fairly
> thorough search?


I've been adding certificates found in Censys scans to CT logs, and
happened to spot one of the kumamoto-u.ac.jp certs while reviewing my
logger's error logs. I then searched on Censys for certificates with
"Default City" as the locality, filtered out untrusted and expired
certificates, and deduplicated precertificates. There may well be
additional certificates out there (compiling the misissued.com batch
was a manual process, and I make mistakes) but I'd be surprised if
there were more than a handful.

Alex
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Certificates with subject locality "Default City"

2019-05-02 Thread Wayne Thayer via dev-security-policy
Thank you for the report Alex. The following compliance bugs have been
created:

Sectigo: https://bugzilla.mozilla.org/show_bug.cgi?id=1548713
SECOM: https://bugzilla.mozilla.org/show_bug.cgi?id=1548714
DigiCert: https://bugzilla.mozilla.org/show_bug.cgi?id=1548716

- Wayne

On Thu, May 2, 2019 at 10:16 AM Alex Cohn via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Hi all,
>
> I came across a number of certificates issued by Sectigo, SECOM, and
> DigiCert that list "Default City" as the subject's locality. Unless there
> are actually localities named "Default City" that I'm unaware of, it seems
> to me this is a violation of the BRs, sections 3.2.2.1 and 7.1.4.2.2.e.
>
> I created a batch on misissued.com for these:
> https://misissued.com/batch/51/
>
> Alex


Re: Certificates with subject locality "Default City"

2019-05-02 Thread Nick Lamb via dev-security-policy
On Thu, 2 May 2019 12:15:33 -0500
Alex Cohn via dev-security-policy wrote:

> I came across a number of certificates issued by Sectigo, SECOM, and
> DigiCert that list "Default City" as the subject's locality. Unless
> there are actually localities named "Default City" that I'm unaware
> of, it seems to me this is a violation of the BRs, sections 3.2.2.1
> and 7.1.4.2.2.e.

I agree with you that this isn't what is wanted by the BRs.

In terms of diagnostics, I would say that L="Default City" has ended up
in CSRs because it's the default in OpenSSL (which explains the
diversity of affected issuers and applicants). That's also going to
spill over into appliances that embed OpenSSL and where a CSR may be
the only way to do things because the designers quite reasonably don't
let you upload or download private keys.

Alex, you say you "came across" these certificates, do you think it is
likely that there are many more, or was that in practice a fairly
thorough search?


I do have some questions for CAs implicated here:

I assume that in each case the ultimate cause is that a human agent
accepted that this subject (with L=Default City, but in examples I saw
otherwise entirely normal) was correct, when in fact L=Default City
means it is incorrect. If I'm wrong about that, please let me know.
Some mistakes are inevitable, but what we do about them is important.

1. If a certificate issued this way was some day implicated in a serious
security incident, would you be able to identify the specific human
individual who made that decision - from existing records and in a
timely fashion? This would make it possible for investigators to
question that person about their possible connection to the incident.

2. Does your process specifically allow any "slop" such as typographical
mismatches, additional or missing address lines and so on, beyond those
specifically enumerated in the BRs when matching a Subject address? Can
you say what sort of "slop" that is, and justify why it's permitted?


Presumably you have some process to validate that the human agents do a
good enough job, e.g. through sampling their work.


3. Has any sampling or other validation ever brought any such "Default
City" CSRs to your attention previously? How about other mistakes in
CSRs of this same sort, e.g. Default values, common non-existent
cities, countries, etcetera. If so please say briefly what you did
about them before.

4. Do you believe your agents would feel empowered to ask questions
about the process, that they genuinely understand what we're trying to
achieve and they feel they have the time and resources needed to do a
good job, so that what we're seeing here is the best we can reasonably
expect from human validators?


Nick.
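
An added illustration of the diagnosis in Nick Lamb's message above (not part of the original thread, and not any CA's actual tooling): a pre-issuance lint that flags CSR subjects still carrying template defaults. Only "Default City" comes from the thread; the other placeholder values and the function names are assumptions of this example.

```python
import re

# Placeholder subject values left behind by openssl.cnf templates.
# "Default City" is the value discussed in the thread; the other entries
# are assumptions added for this example and should be tuned locally.
PLACEHOLDERS = {
    "C": {"XX"},
    "ST": {"Some-State"},
    "L": {"Default City"},
    "O": {"Default Company Ltd", "Internet Widgits Pty Ltd"},
}

def _norm(value):
    # Collapse whitespace and ignore case so "default  city" still matches.
    return " ".join(value.split()).casefold()

_NORMALIZED = {a: {_norm(v) for v in vals} for a, vals in PLACEHOLDERS.items()}

def parse_subject(line):
    """Split a subject line as printed by `openssl req -noout -subject`.

    Handles the comma form (C = XX, L = Default City) and the older slash
    form (/C=XX/L=Default City). Values containing the separator are not
    supported; that is enough for spotting placeholder defaults.
    """
    dn = re.sub(r"^subject\s*[=:]\s*", "", line.strip(), flags=re.IGNORECASE)
    sep = "/" if dn.startswith("/") else ","
    pairs = []
    for part in dn.split(sep):
        if "=" in part:
            attr, value = part.split("=", 1)
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def lint_subject(line):
    """Return the (attribute, value) pairs that look like unedited defaults."""
    return [(a, v) for a, v in parse_subject(line)
            if _norm(v) in _NORMALIZED.get(a, set())]

# Constructed sample subjects (not taken from any real certificate or CSR).
SAMPLES = [
    "subject=C = XX, L = Default City, O = Default Company Ltd, CN = www.example.test",
    "subject= /C=JP/L=default  city/O=Example University/CN=host.example.test",
    "subject=C = US, ST = Illinois, L = Chicago, O = Example LLC, CN = example.test",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(lint_subject(s) or "ok", "<-", s)
```

A non-empty result is a reason to hold the request for manual review rather than proof of a wrong address.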


Certificates with subject locality "Default City"

2019-05-02 Thread Alex Cohn via dev-security-policy
Hi all,

I came across a number of certificates issued by Sectigo, SECOM, and
DigiCert that list "Default City" as the subject's locality. Unless there
are actually localities named "Default City" that I'm unaware of, it seems
to me this is a violation of the BRs, sections 3.2.2.1 and 7.1.4.2.2.e.

I created a batch on misissued.com for these:
https://misissued.com/batch/51/

Alex