
FYI: Concerns about IPS SERVIDORES root certificate


Kathleen Wilson

Oct 21, 2009, 2:53:36 PM
This posting is for informational purposes only. Any follow-up should
be posted in the mozilla.dev.security.policy newsgroup in the
discussion thread called “Resolving concerns about the IPS SERVIDORES
root certificate”.

There have recently been some issues in regards to the following root
certificate owned by IPS:

OU = Certificaciones
O = IPS Seguridad CA
CN = IPS SERVIDORES
Valid From: 1998 Jan 01
Valid To: 2009 Dec 29
Key length: 1024
Signature Algorithm: MD5

The problems of note are:
1) Issuance of embedded-null certificates
2) OCSP responder not working
3) Issuing certificates with validity after the root expires

As a result, Mozilla has requested that IPS take the following
actions:
1) Provide an OCSP server which is alive and responding properly to
requests again.
2) Provide information about the steps IPS has taken to ensure that
revocation information continues to be available.
3) Provide information about the steps IPS has taken to ensure that no
new embedded-null certificates are issued.
4) Provide an explanation of why IPS is issuing certs from this root
that have a longer lifespan than the root.
5) Provide a timeline for a new audit against these revised practices.

Due to the serious nature of recent events, Mozilla has requested that
the action items be completed by the end of October 2009. If the
action items are not completed within this timeframe, Mozilla plans to
turn off the trust bits for this root (essentially disabling it). If
the action items are completed within this timeframe to a level which
alleviates the current concerns, then the trust bits for this root
will not be changed.

The action items are being tracked in the following bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=523652

If you would like to contribute to this discussion, please post your
response in the mozilla.dev.security.policy newsgroup in the
discussion thread called “Resolving concerns about the IPS SERVIDORES
root certificate”.

Kathleen

Frank Hecker

Oct 21, 2009, 6:52:52 PM
Kathleen Wilson wrote:
> This posting is for informational purposes only. Any follow-up should
> be posted in the mozilla.dev.security.policy newsgroup in the
> discussion thread called “Resolving concerns about the IPS SERVIDORES
> root certificate”.

>
> There have recently been some issues in regards to the following root
> certificate owned by IPS:

Note that we asked Kathleen to post a link to this in mozilla.governance
because this is the first time we've gone this far in terms of actively
contemplating removing or disabling a CA's root certificate. As Kathleen
notes, mozilla.dev.security.policy is the forum where these sorts of
issues will be discussed in future.

Frank

--
Frank Hecker
hec...@mozillafoundation.org
