Re: Miss-issuance: URI in dNSName SAN
> On Aug 17, 2017, at 07:19, ramirommunoz--- via dev-security-policy >wrote: > > https://crt.sh/?id=112929021=cablint > is a precertificate. You can see the CT Precertificate Poison critical > extention. The serial number of this certificate should still be added to the relevant CRL, as it is not possible to prove the non-existance of a corresponding certificate without the CT Poison extension. Jonathan ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Miss-issuance: URI in dNSName SAN
El jueves, 17 de agosto de 2017, 12:26:05 (UTC+2), ramiro...@gmail.com escribió: > El martes, 15 de agosto de 2017, 15:13:04 (UTC+2), Gervase Markham escribió: > > On 08/08/17 14:33, Alex Gaynor wrote: > > > Following up on this thread, 8 days ago I emailed Camerfirma, I have not > > > heard back from them, nor have they taken any action. What is the > > > appropriate next step here? > > > > I have emailed the primary Point of Contact at Camerfirma to enquire as > > to what is going on. > > > > Gerv > Hi Gev and Alex > > We have been trying to contact with our customer to replace the wrong > certificate otherwise we could block our customers services. We found > difficulties to reach the right person due to the holidays period. > > We have already revoke > - https://crt.sh/?id=5129200=cablint > - https://crt.sh/?id=42531587=cablint > and we are working on > - https://crt.sh/?id=112929021=cablint > We expect to be revoked along this day > > All of then are mistakes from the request form that are not been detected by > the AR operator. > > placing "http://; or "https://; in the domain name. > > We are going to improve control over the domain name entry form and report to > the AR operators. > > Best regards https://crt.sh/?id=112929021=cablint is a precertificate. You can see the CT Precertificate Poison critical extention. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Miss-issuance: URI in dNSName SAN
El martes, 15 de agosto de 2017, 15:13:04 (UTC+2), Gervase Markham escribió: > On 08/08/17 14:33, Alex Gaynor wrote: > > Following up on this thread, 8 days ago I emailed Camerfirma, I have not > > heard back from them, nor have they taken any action. What is the > > appropriate next step here? > > I have emailed the primary Point of Contact at Camerfirma to enquire as > to what is going on. > > Gerv Hi Gev and Alex We have been trying to contact with our customer to replace the wrong certificate otherwise we could block our customers services. We found difficulties to reach the right person due to the holidays period. We have already revoke - https://crt.sh/?id=5129200=cablint - https://crt.sh/?id=42531587=cablint and we are working on - https://crt.sh/?id=112929021=cablint We expect to be revoked along this day All of then are mistakes from the request form that are not been detected by the AR operator. placing "http://; or "https://; in the domain name. We are going to improve control over the domain name entry form and report to the AR operators. Best regards ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Miss-issuance: URI in dNSName SAN
On 08/08/17 14:33, Alex Gaynor wrote: > Following up on this thread, 8 days ago I emailed Camerfirma, I have not > heard back from them, nor have they taken any action. What is the > appropriate next step here? I have emailed the primary Point of Contact at Camerfirma to enquire as to what is going on. Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Miss-issuance: URI in dNSName SAN
On 31/07/17 15:14, Alex Gaynor wrote: > So far I've encountered issues with: > > - DocuSign (OpenTrust/Keynectis) - who neglected to fill out that field > - StartCom - who filled out "web publication", I don't know what that means I have emailed both of these CAs to request that they provide this information. Once they have done so, you will be able to find the updated values in this live report: https://ccadb-public.secure.force.com/mozilla/CAInformationReport Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Miss-issuance: URI in dNSName SAN
Hi all, Following up on this thread, 8 days ago I emailed Camerfirma, I have not heard back from them, nor have they taken any action. What is the appropriate next step here? Alex On Mon, Jul 31, 2017 at 10:14 AM, Alex Gaynorwrote: > I've been attempting to report a bunch of miss-issued certificates this > weekend (hobbies are important!) I've primarily been using > https://ccadb-public.secure.force.com/mozillacommunications/ > CACommResponsesOnlyReport?CommunicationId=a05o03WrzBC= > Q00028 as my reference (without which I would be totally lost!) > > So far I've encountered issues with: > > - DocuSign (OpenTrust/Keynectis) - who neglected to fill out that field > - StartCom - who filled out "web publication", I don't know what that means > > To all the CAs who included a straightforward email or webform in there, > thank you! > > Alex > > On Mon, Jul 31, 2017 at 10:10 AM, Gervase Markham via dev-security-policy > wrote: > >> On 25/07/17 18:13, Jeremy Rowley wrote: >> > I would also love to see a more standardized notice mechanism that is >> > universal to all CAs. Right now, notifying CAs is a pain as some have >> > different webforms, some use email, and some don't readily tell you how >> to >> > contact them about certificate problems. >> >> "Not readily telling" is a BR violation; if you come across a CA like >> that, please do let us know. The info should be in the CCADB and in the >> CAs report. >> >> I agree it would be nice to have something more standard, but we have >> what we have right now. >> >> Gerv >> ___ >> dev-security-policy mailing list >> dev-security-policy@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-security-policy >> > > ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Miss-issuance: URI in dNSName SAN
On 25/07/17 18:13, Jeremy Rowley wrote: > I would also love to see a more standardized notice mechanism that is > universal to all CAs. Right now, notifying CAs is a pain as some have > different webforms, some use email, and some don't readily tell you how to > contact them about certificate problems. "Not readily telling" is a BR violation; if you come across a CA like that, please do let us know. The info should be in the CCADB and in the CAs report. I agree it would be nice to have something more standard, but we have what we have right now. Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
RE: Miss-issuance: URI in dNSName SAN
Each CA is required (under the BRs) to provide public information on how to submit certificate problem reports, including mis-issued certificates. The only way to properly notify the CA is through that mechanism as those are monitored 24 hours. CAs participating on the list usually have a couple of reps who monitor and participate, but not 24x7. I do agree there should be penalties for missing the 24 hour requirement to give the BRs a bit more teeth, but those penalties should be based on the proper notice process being followed. I would also love to see a more standardized notice mechanism that is universal to all CAs. Right now, notifying CAs is a pain as some have different webforms, some use email, and some don't readily tell you how to contact them about certificate problems. Jeremy -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla .org] On Behalf Of Alex Gaynor via dev-security-policy Sent: Tuesday, July 25, 2017 10:58 AM To: Alex Gaynor <alex.gay...@gmail.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Miss-issuance: URI in dNSName SAN Following up on this (and really several other threads). The BRs require mis-issued certs to be revoked with 24 hours of the CA becoming aware. CAs are required to track m.d.s.p. per the Mozilla Root Policy, so really notifying this list _ought_ to qualify as notifying the CAs. In any event, here are some certificates, by CA, that have been mis-issued and linked on this list many days ago at this point: PSCProcert - https://crt.sh/?id=124094761 - dNSName is a URI PSCProcert - https://crt.sh/?id=175466182 - dNSName is for a .local domain Camerfirma AAPP II - 2014 - https://crt.sh/?id=42531587 - dNSName is a URI AC CAMERFIRMA AAPP - https://crt.sh/?id=5129200 - dNSName is a URI StartCom Class 2 Primary Intermediate Server CA - https://crt.sh/?id=10714112 - incorrect wildcard "*g10.net-lab.net" StartCom Class 3 OV Server CA - https://crt.sh/?id=17295812 - incorrect wildcard "*dev02.calendar42.com" StartCom Class 1 DV Server CA - https://crt.sh/?id=78248795 - invalid dNSName "-1ccenter.777chao.com" TI Trust Technologies Global CA - https://crt.sh/?id=48682944 - invalid wildcard "*nuvolaitaliana.it" UniCredit Subordinate External - https://crt.sh/?id=44997156 - invalid wildcard "*.*.rnd.unicredit.it" Swisscom Smaragd CA 2 - https://crt.sh/?id=5982951 - invalid wildcard "*.*. int.swisscom.ch" Swisscom Smaragd CA 2 - https://crt.sh/?id=175444569 - dNSName is for a .local domain Verizon Public SureServer CA G14-SHA2 - https://crt.sh/?id=33626750 - dNSName is for a .test domain Verizon Public SureServer CA G14-SHA2 - https://crt.sh/?id=12344381 - dNSName is for a .local domain CLASS 2 KEYNECTIS CA - https://crt.sh/?id=42475510 - dNSName is for a .corp domain EC-SectorPublic - https://crt.sh/?id=98706307 - dNSName is for a .local domain Should there be some penalty for the failure of CAs to revoke within the time period required by the BRs? Alex On Sat, Jul 22, 2017 at 10:11 AM, alex.gaynor--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > It has now been several days, does Camerafirma intend to revoke these > certificates, as required by the BRs (within 24 hours of being notified)? > ___ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy smime.p7s Description: S/MIME cryptographic signature ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Miss-issuance: URI in dNSName SAN
On Tue, Jul 25, 2017 at 12:57:44PM -0400, Alex Gaynor via dev-security-policy wrote: > Following up on this (and really several other threads). The BRs require > mis-issued certs to be revoked with 24 hours of the CA becoming aware. CAs > are required to track m.d.s.p. per the Mozilla Root Policy, so really > notifying this list _ought_ to qualify as notifying the CAs. I think requests for revocation should be done using the contact information they provided to do that. Kurt ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Miss-issuance: URI in dNSName SAN
Following up on this (and really several other threads). The BRs require mis-issued certs to be revoked with 24 hours of the CA becoming aware. CAs are required to track m.d.s.p. per the Mozilla Root Policy, so really notifying this list _ought_ to qualify as notifying the CAs. In any event, here are some certificates, by CA, that have been mis-issued and linked on this list many days ago at this point: PSCProcert - https://crt.sh/?id=124094761 - dNSName is a URI PSCProcert - https://crt.sh/?id=175466182 - dNSName is for a .local domain Camerfirma AAPP II - 2014 - https://crt.sh/?id=42531587 - dNSName is a URI AC CAMERFIRMA AAPP - https://crt.sh/?id=5129200 - dNSName is a URI StartCom Class 2 Primary Intermediate Server CA - https://crt.sh/?id=10714112 - incorrect wildcard "*g10.net-lab.net" StartCom Class 3 OV Server CA - https://crt.sh/?id=17295812 - incorrect wildcard "*dev02.calendar42.com" StartCom Class 1 DV Server CA - https://crt.sh/?id=78248795 - invalid dNSName "-1ccenter.777chao.com" TI Trust Technologies Global CA - https://crt.sh/?id=48682944 - invalid wildcard "*nuvolaitaliana.it" UniCredit Subordinate External - https://crt.sh/?id=44997156 - invalid wildcard "*.*.rnd.unicredit.it" Swisscom Smaragd CA 2 - https://crt.sh/?id=5982951 - invalid wildcard "*.*. int.swisscom.ch" Swisscom Smaragd CA 2 - https://crt.sh/?id=175444569 - dNSName is for a .local domain Verizon Public SureServer CA G14-SHA2 - https://crt.sh/?id=33626750 - dNSName is for a .test domain Verizon Public SureServer CA G14-SHA2 - https://crt.sh/?id=12344381 - dNSName is for a .local domain CLASS 2 KEYNECTIS CA - https://crt.sh/?id=42475510 - dNSName is for a .corp domain EC-SectorPublic - https://crt.sh/?id=98706307 - dNSName is for a .local domain Should there be some penalty for the failure of CAs to revoke within the time period required by the BRs? Alex On Sat, Jul 22, 2017 at 10:11 AM, alex.gaynor--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > It has now been several days, does Camerafirma intend to revoke these > certificates, as required by the BRs (within 24 hours of being notified)? > ___ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Miss-issuance: URI in dNSName SAN
On Fri, Jul 21, 2017 at 4:04 AM ramirommunoz--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > El jueves, 20 de julio de 2017, 16:49:15 (UTC+2), Gervase Markham > escribió: > > On 19/07/17 14:53, Alex Gaynor wrote: > > > I'd like to report the following instance of miss-issuance: > > > > Thank you. Again, I have drawn this message to the attention of the CAs > > concerned (Government of Venezuela and Camerfirma). > > > > Gerv > > Hi all > > Regarding Camerfirma certificates, we have follow the rules imposed by the > local public administration to regulate the profile of several > certificates. SSL certificates for public administration websites included. > There is a entry in cabforum where this issue is described > https://cabforum.org/pipermail/public/2016-June/007896.html. > New eIDAS regulation has forced to Spanish Administration to fix this > problem so from now on we can issue certificate that fully fulfil the > cabforum rules. > AC Camerfirma will offer to our public administration customers to renew > the SSL certificates with our new eIDAS 2016 CAs. Could you point where the regulation require(s/d) the CN and SAN (in type dNSName) contain a URI? The past discussion was in context of additional SAN types not permitted by the BRs, but the issue highlighted in this thread is clear violation of RFC 5280 semantics, and it is difficult to believe that was encompassed by Camerafirma's previous disclosure. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Miss-issuance: URI in dNSName SAN
El jueves, 20 de julio de 2017, 16:49:15 (UTC+2), Gervase Markham escribió: > On 19/07/17 14:53, Alex Gaynor wrote: > > I'd like to report the following instance of miss-issuance: > > Thank you. Again, I have drawn this message to the attention of the CAs > concerned (Government of Venezuela and Camerfirma). > > Gerv Hi all Regarding Camerfirma certificates, we have follow the rules imposed by the local public administration to regulate the profile of several certificates. SSL certificates for public administration websites included. There is a entry in cabforum where this issue is described https://cabforum.org/pipermail/public/2016-June/007896.html. New eIDAS regulation has forced to Spanish Administration to fix this problem so from now on we can issue certificate that fully fulfil the cabforum rules. AC Camerfirma will offer to our public administration customers to renew the SSL certificates with our new eIDAS 2016 CAs. Best regards. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Miss-issuance: URI in dNSName SAN
On 19/07/17 14:53, Alex Gaynor wrote: > I'd like to report the following instance of miss-issuance: Thank you. Again, I have drawn this message to the attention of the CAs concerned (Government of Venezuela and Camerfirma). Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy