(→Issue A: StartCom Cross-signing (2017): Added response Startcom Issues)
m (Removed protection from "CA/Certinomis Issues")
(8 intermediate revisions by 4 users not shown)
Line 9: | Line 9: | ||
[UPDATE 9-May in reply to the [[CA/Certinomis_Issues#Certinomis_Response|Certinomis Response]]] | [UPDATE 9-May in reply to the [[CA/Certinomis_Issues#Certinomis_Response|Certinomis Response]]] | ||
Certinomis asked Mozilla to approve their plan to help Startcom, but when the cross-certificates were discovered, [https://groups.google.com/d/msg/mozilla.dev.security.policy/RJHPWUd93xE/lyAX9Wz_AQAJ Gerv responded] "This seems to be very different to the plan you implemented." By cross-signing Startcom's | Certinomis asked Mozilla to approve their plan to help Startcom, but when the cross-certificates were discovered, [https://groups.google.com/d/msg/mozilla.dev.security.policy/RJHPWUd93xE/lyAX9Wz_AQAJ Gerv responded] "This seems to be very different to the plan you implemented." By cross-signing Startcom's new roots, Certinomis assisted Startcom in circumventing the remediation plan, and by proposing one plan then implementing a different one, Certinomis did so without Mozilla's consent. | ||
Startcom misissued a number of certificates ( | Startcom misissued a number of certificates ([https://crt.sh/?opt=cablint&id=160150786 example]) under that cross-signing relationship that Certinomis is responsible for as the Mozilla program member. | ||
By cross-signing Startcom's roots, Certinomis also took responsibility for Startcom's qualified audit. | By cross-signing Startcom's roots, Certinomis also took responsibility for Startcom's qualified audit. | ||
=== Issue B: Lack of Responsiveness (2018 - Present) === | === Issue B: Lack of Responsiveness (2018 - Present) === | ||
In a 2017 misissuance bug, | In a 2017 misissuance bug, Certinomis was [https://bugzilla.mozilla.org/show_bug.cgi?id=1390978#c19 called out for letting more than a month pass without providing a timeline for complying with the BRs]. | ||
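Review bot: the sentence added to the Issue A hunk ("Startcom misissued a number of certificates ... that Certinomis is responsible for as the Mozilla program member") states a responsibility finding but quantifies it only with "a number of" and a single crt.sh cablint example; for an incident record, give the count or cite the tracking bug next to that example. The "[UPDATE 9-May ...]" lead-in is also undated by year, while the surrounding headings date events as 2017 and 2018-Present, so add the year there.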
Line 44: | Line 44: | ||
[CERTINOMIS RESPONSE] On 6-May, 2019, Certinomis stated that pre issuance linting is now operational. | [CERTINOMIS RESPONSE] On 6-May, 2019, Certinomis [https://bugzilla.mozilla.org/show_bug.cgi?id=1539531#c8 stated that pre-issuance linting is now operational]. | ||
==== Issue F.1: SANs ==== | ==== Issue F.1: SANs ==== | ||
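Review bot: the Line 44 hunk now carries the Bugzilla citation for the pre-issuance linting claim and corrects "pre issuance" to "pre-issuance", but it still records only Certinomis's own statement; given that Issue B is about responsiveness, note whether Mozilla verified the claim (for instance against the crt.sh cablint result cited under Issue A) rather than leaving it as an unverified response.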
Line 105: | Line 105: | ||
''I understand that this new feature has been developped and not yet used in production, and that a human validation error has been made by an RA operator confused by the fact that the organisation was "COMMUNE LE CANNET" and by the fact that the applicant made also an error in the CSR containing a '-' instead of a '.' to separate the domain name in the FQDN (mediatheque-lecannet.fr instead of mediatheque.lecannet.fr).'' | ''I understand that this new feature has been developped and not yet used in production, and that a human validation error has been made by an RA operator confused by the fact that the organisation was "COMMUNE LE CANNET" and by the fact that the applicant made also an error in the CSR containing a '-' instead of a '.' to separate the domain name in the FQDN (mediatheque-lecannet.fr instead of mediatheque.lecannet.fr).'' | ||
Certinomis later provided a [https://bugzilla.mozilla.org/show_bug.cgi?id=1547072#c6 detailed description] of their domain validation processes. | |||
=== Certinomis Response === | === Certinomis Response === | ||
The following response to all of the issues listed herein was posted to the mozilla.dev.security.policy discussion list on 9 | The following response to all of the issues listed herein [https://groups.google.com/d/msg/mozilla.dev.security.policy/rmU311hOIIc/UiLZU1gDBQAJ was posted to the mozilla.dev.security.policy discussion list] on May 9: | ||
Dear All, | Dear All, |
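Review bot: the new line in the Line 105 hunk ("Certinomis later provided a detailed description of their domain validation processes") points at the Bugzilla comment but says nothing about what changed; since the quoted response attributes the misissuance to an RA operator confused by a '-' versus '.' in the CSR, summarise inline which validation step now catches that, so the remediation is recorded on the page and not only behind the link. The quoted Certinomis text ("developped", "made also an error") is their own wording and should stay as quoted.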