CA/Certinomis Issues: Difference between revisions

m (Removed protection from "CA/Certinomis Issues")
(→‎Certinomis Response: Action 1 formatting fix)
(9 intermediate revisions by 4 users not shown)
Line 6: Line 6:
=== Issue A: StartCom Cross-signing (2017) ===
=== Issue A: StartCom Cross-signing (2017) ===
In 2017, Certinomis made the decision to sign two new intermediate CA certificates that were controlled by StartCom. This was at a time when [https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 StartCom had been recently distrusted] and was [https://groups.google.com/d/msg/mozilla.dev.security.policy/hNOJJrN6WfE/5i46-wV5AAAJ misissuing test certificates from this new, replacement hierarchy]. These cross-certificates were not disclosed until 111 days after being issued (the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#532-publicly-disclosed-and-audited current one-week rule] was not in force), and were issued prior to StartCom having completed new, successful audits that were required by their [https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 remediation plan] before they could request reinclusion. The Certinomis cross-certificates were ultimately [https://groups.google.com/d/msg/mozilla.dev.security.policy/RJHPWUd93xE/6yhrL4nXAAAJ added to OneCRL and revoked by Certinomis].
In 2017, Certinomis made the decision to sign two new intermediate CA certificates that were controlled by StartCom. This was at a time when [https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 StartCom had been recently distrusted] and was [https://groups.google.com/d/msg/mozilla.dev.security.policy/hNOJJrN6WfE/5i46-wV5AAAJ misissuing test certificates from this new, replacement hierarchy]. These cross-certificates were not disclosed until 111 days after being issued (the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#532-publicly-disclosed-and-audited current one-week rule] was not in force), and were issued prior to StartCom having completed new, successful audits that were required by their [https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 remediation plan] before they could request reinclusion. The Certinomis cross-certificates were ultimately [https://groups.google.com/d/msg/mozilla.dev.security.policy/RJHPWUd93xE/6yhrL4nXAAAJ added to OneCRL and revoked by Certinomis].
[UPDATE 9-May in reply to the [[CA/Certinomis_Issues#Certinomis_Response|Certinomis Response]]]
Certinomis asked Mozilla to approve their plan to help Startcom, but when the cross-certificates were discovered, [https://groups.google.com/d/msg/mozilla.dev.security.policy/RJHPWUd93xE/lyAX9Wz_AQAJ Gerv responded] "This seems to be very different to the plan you implemented." By cross-signing Startcom's new roots, Certinomis assisted Startcom in circumventing the remediation plan, and by proposing one plan then implementing a different one, Certinomis did so without Mozilla's consent.
Startcom misissued a number of certificates ([https://crt.sh/?opt=cablint&id=160150786 example]) under that cross-signing relationship that Certinomis is responsible for as the Mozilla program member.
By cross-signing Startcom's roots, Certinomis also took responsibility for Startcom's qualified audit.


=== Issue B: Lack of Responsiveness (2018 - Present) ===
=== Issue B: Lack of Responsiveness (2018 - Present) ===
In a 2017 misissuance bug, Cartinomis was [https://bugzilla.mozilla.org/show_bug.cgi?id=1390978#c19 called out for letting more than a month pass without providing a timeline for complying with the BRs].
In a 2017 misissuance bug, Certinomis was [https://bugzilla.mozilla.org/show_bug.cgi?id=1390978#c19 called out for letting more than a month pass without providing a timeline for complying with the BRs].




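Review bot: the added update paragraph under Issue A spells the other CA "Startcom" (four times, e.g. "Certinomis asked Mozilla to approve their plan to help Startcom") while the existing paragraph directly above it, and the linked bug title, use "StartCom"; suggest normalizing the new text to "StartCom" so the two paragraphs read as one. The Issue B change in the same hunk (Cartinomis → Certinomis) is a correct typo fix and needs no further change.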
Line 36: Line 44:




[CERTINOMIS RESPONSE] On 6-May, 2019, Certinomis stated that pre issuance linting is now operational.
[CERTINOMIS RESPONSE] On 6-May, 2019, Certinomis [https://bugzilla.mozilla.org/show_bug.cgi?id=1539531#c8 stated that pre-issuance linting is now operational].


==== Issue F.1: SANs ====
==== Issue F.1: SANs ====
Line 97: Line 105:


''I understand that this new feature has been developped and not yet used in production, and that a human validation error has been made by an RA operator confused by the fact that the organisation was "COMMUNE LE CANNET" and by the fact that the applicant made also an error in the CSR containing a '-' instead of a '.' to separate the domain name in the FQDN (mediatheque-lecannet.fr instead of mediatheque.lecannet.fr).''
''I understand that this new feature has been developped and not yet used in production, and that a human validation error has been made by an RA operator confused by the fact that the organisation was "COMMUNE LE CANNET" and by the fact that the applicant made also an error in the CSR containing a '-' instead of a '.' to separate the domain name in the FQDN (mediatheque-lecannet.fr instead of mediatheque.lecannet.fr).''
Certinomis later provided a [https://bugzilla.mozilla.org/show_bug.cgi?id=1547072#c6 detailed description] of their domain validation processes.


=== Certinomis Response ===
=== Certinomis Response ===
The following response to all of the issues listed herein was posted to the mozilla.dev.security.policy discussion list on 9-April:
The following response to all of the issues listed herein [https://groups.google.com/d/msg/mozilla.dev.security.policy/rmU311hOIIc/UiLZU1gDBQAJ was posted to the mozilla.dev.security.policy discussion list] on May 9:


Dear All,
Dear All,
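Review bot: the revised lead-in to the Certinomis Response now reads "on May 9" whereas the rest of the page, including the "[UPDATE 9-May ...]" tag added in the same revision set and the "On 6-May, 2019" response line, uses day-month form; suggest "on 9-May" for consistency. Adding the link to the mozilla.dev.security.policy post is an improvement, and the new sentence "Certinomis later provided a detailed description of their domain validation processes" is well placed after the quoted explanation, but it would help the reader to date that comment the way the other responses are dated.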