comment on Entrust_Issues wiki page

Mike Shaver

May 6, 2024, 5:58:20 PM
to dev-secur...@mozilla.org
The page lists the following issue:

“5. EV Certificate missing Issuer’s EV Policy OID -

https://bugzilla.mozilla.org/show_bug.cgi?id=1888714

Entrust issued 1,963 EV TLS certificates September 11-22, 2023, without including an EV TLS CP OID. Root Causes were the misinterpretation of the EV Guidelines and the TLS BRs and a failure to recognize the overriding requirements of the EV Guidelines. (A misinterpretation of standards led to non-compliant certificates, and linting failed to detect the issue.) As remediation, since April 11, 2024, Entrust has used pkilint as a post-issuance linter to detect similar issues. (Mis-issued certificates are a subset of the certificates disclosed and being revoked under bug #1883843. Status of revocation is listed in bug #1886532.) 

Issues: Misinterpretation of Requirements; Policy/Procedure Failure; Certificate Mis-issuance”

In my opinion it should also list that Entrust promised to provide a full list of affected certs and an incident report by April 5th, and continued to comment in the bug, but did not post that list or the IR until April 10th. No comment was made about a delay, or the reason that it was necessary.

Mike


Ben Wilson

May 6, 2024, 6:07:11 PM
to Mike Shaver, dev-secur...@mozilla.org
All,
I hadn't announced this page yet, hoping to reference it in an email currently undergoing internal review. But thanks for your comment.
I'll see about posting the email as soon as I can.
Thanks,
Ben
