On Tue, Feb 28, 2017 at 12:02 PM, douglas.beattie--- via dev-security-policy <dev-secur...@lists.mozilla.org> wrote:
> Ryan,
>
> GlobalSign certificate issuance has been referenced in several different
> threads recently and I think most of them are closed; however, if you feel
> otherwise, let me know.
>
Hi Doug,
Right, I realize there were several threads - you've addressed some of the
scenarios for both Incapsula and the test certificates - however, I haven't
seen an explanation as to how the spaces were introduced into these SANs,
the scope of how many GlobalSign certs this affected, how long the duration
of effect was, and what GlobalSign is doing to correct that.
While I understand you plan to reach out to Vietnam Airlines regarding this
specific cert, it's understanding both the root cause and the steps
GlobalSign is taking to redress those that I think are relevant here.
> And lastly this ticket. The Domain name was validated in accordance with
> the BRs, but there was a bug that allowed a user entered space to be
> included in some of the SAN values. While the value is not compliant with
> RFC 5280 or the BRs, there was no security issue with the certificate that
> was issued (it was likely not able to secure the intended subdomains).
> We'll provide an incident report for this.
>
> If this isn't sufficient for some reason, I'm sure you will let us know.
Right, I think an incident report on this would be useful. I think I would
be quite cautious to suggest "there is no security issue with the
certificate that was issued" - I think many a CA would have said that about
encoding, say, a null byte (\0) within a SAN, prior to realizing the issues.
For example, as a systemic issue, it seems this suggests that GlobalSign
does not validate what appears in the SAN, so long as the validated domain
appears within it. This could range from a SERIOUS security issue (for
example, if GlobalSign's systems are themselves not robust against NULL
bytes) to a benign one. Understanding the root cause, scope, and
remediation plans is useful here to assure the relying parties of
GlobalSign's commitment to security.
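The systemic concern above is that a CA accepted a SAN value as long as the validated domain appeared somewhere inside it. The following is an added example, not code from the thread or from GlobalSign, showing the two checks a CA's issuance pipeline needs on each requested dNSName: a syntactic check against the RFC 5280 preferred-name syntax (which rejects spaces, NUL bytes and any other non-LDH character), and a whole-label suffix comparison against the validated domain rather than a substring match. The function names, the "example.com" validated domain and the requested SAN list are all constructed for illustration.

```python
import re

# RFC 1034 / RFC 5280 "preferred name syntax" label: letters, digits and
# hyphens only, 1-63 characters, no leading or trailing hyphen. The regex
# therefore rejects spaces, NUL bytes and every other non-LDH character.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_dnsname(name: str) -> bool:
    """Syntactic check for a dNSName SAN value (RFC 5280 section 4.2.1.6).

    A single leading "*" label is permitted so wildcard names can be checked;
    empty labels (leading/trailing/double dots) and names over 253 octets fail.
    """
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
        if not labels:
            return False
    return all(_LABEL_RE.match(label) for label in labels)


def is_authorized_by(san: str, validated_domain: str) -> bool:
    """True if san is validated_domain or a subdomain of it.

    Both names must pass the syntax check first, so a value carrying a space
    or a NUL never reaches the comparison. The comparison is on whole labels,
    so "evil-example.com" is not authorized by "example.com" even though the
    validated domain appears inside it as a substring.
    """
    if not is_valid_dnsname(san) or not is_valid_dnsname(validated_domain):
        return False
    san_labels = san.lower().split(".")
    if san_labels[0] == "*":
        san_labels = san_labels[1:]
    base_labels = validated_domain.lower().split(".")
    if len(san_labels) < len(base_labels):
        return False
    return san_labels[-len(base_labels):] == base_labels


def check_san_request(sans, validated_domain):
    """Split a requested SAN set into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for san in sans:
        if is_authorized_by(san, validated_domain):
            accepted.append(san)
        else:
            rejected.append(san)
    return accepted, rejected


# Constructed request: the validated domain plus SANs a naive "does the
# validated domain appear in the value" check would wrongly let through.
VALIDATED_DOMAIN = "example.com"
REQUESTED_SANS = [
    "www.example.com",                # legitimate subdomain
    " www.example.com",               # user-entered leading space
    "www.example.com\x00evil.test",   # embedded NUL byte
    "evil-example.com",               # substring match, different domain
    "*.example.com",                  # wildcard under the validated domain
    "example.com.evil.test",          # validated domain as a prefix, not suffix
]

if __name__ == "__main__":
    ok, bad = check_san_request(REQUESTED_SANS, VALIDATED_DOMAIN)
    print("accepted:", ok)
    print("rejected:", [s.encode() for s in bad])
```

The split into two functions matters: rejecting on syntax before the authorization comparison means the NUL and space cases never reach a string comparison whose behaviour may differ between the CA's own software and the relying party's.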