Jeremy filed the following incident report at
https://bugzilla.mozilla.org/show_bug.cgi?id=1447192 :
1. How your CA first became aware of the problem (e.g. via a problem
report submitted to your Problem Reporting Mechanism, via a discussion
in mozilla.dev.security.policy, or via a Bugzilla bug), and the date.
We received an email from Alex Cohen on March 9, 2018. It was posted
to the Mozilla list the next day.
2. A timeline of the actions your CA took in response.
a) 3/9/2018 - Received an email from Alex Cohen about the impacted certificates
b) 3/10/2018 - Revoked the certificates
c) 3/12/2018 - Scanned database for any additional certificates. All
identified certificates were revoked
d) 3/12/2018 - Alex posted information to Mozilla list, and Jeremy
responded on what happened.
e) 3/14/2018 - Added error handling to detect when a tor descriptor is missing
Still to do: Add error handling to check that the cert has sufficient
tor descriptors - 1 per onion name.
3. Confirmation that your CA has stopped issuing TLS/SSL certificates
with the problem.
DigiCert has stopped issuing onion certs that lack a descriptor
4. A summary of the problematic certificates. For each problem:
number of certs, and the date the first and last certs with that
problem were issued.
20 certificates, all logged to CT, ranging from Oct 2017 to Mar 2018
5. The complete certificate data for the problematic certificates.
The recommended way to provide this is to ensure each certificate is
logged to CT and then list the fingerprints or crt.sh IDs, either in
the report or as an attached spreadsheet, with one list per distinct
problem.
https://crt.sh/?q=240277340 (revoked 26 October 2017)
https://crt.sh/?q=261570255
https://crt.sh/?q=261570338
https://crt.sh/?q=261570380
https://crt.sh/?q=261570384
https://crt.sh/?q=261579788
https://crt.sh/?q=261601212
https://crt.sh/?q=261601280
https://crt.sh/?q=261601281
https://crt.sh/?q=261601284
https://crt.sh/?q=261988060
https://crt.sh/?q=326491168
https://crt.sh/?q=326830043
https://crt.sh/?q=328308725
https://crt.sh/?q=328961187
https://crt.sh/?q=329559222
https://crt.sh/?q=330180704
https://crt.sh/?q=351449233
https://crt.sh/?id=351449246
6. Explanation about how and why the mistakes were made or bugs
introduced, and how they avoided detection until now.
> Looking into this, we did not correctly implement the ballot:
> 1. We didn't add a check to our backend system to verify the cert
> included a descriptor prior to issuance.
> 2. On the front end, we missed requiring a Tor descriptor prior to
> processing the order.
> 3. The validation team received insufficient training on the Tor
> descriptor requirement.
In reality, the issue was too much reliance on the human component of
asserting the Tor descriptors instead of having a technical control in
place. We have a central system that manages compliance. The checks
for onion certs were never added to this system. They exist now but
only to ensure a tor descriptor exists. We are still working on adding
checks to ensure at least one descriptor exists for each onion name.
7. List of steps your CA is taking to resolve the situation and
ensure such issuance will not be repeated in the future, accompanied
with a timeline of when your CA expects to accomplish these things.
We revoked the certificates and added preliminary checking for Tor
descriptors. We are adding additional checks to ensure certs cannot
issue without them.
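The remaining control in items 2e and 7, a technical pre-issuance check that an onion certificate carries one Tor descriptor per .onion name rather than relying on validation staff, is what the following added example implements. It is not DigiCert's code and is not part of the report: it is a small stand-alone Python lint that decodes the CA/Browser Forum TorServiceDescriptor extension (OID 2.23.140.1.31, the ASN.1 layout from Ballot 144) and reports every .onion dNSName in the SAN that has no matching descriptor. It assumes the onionURI field holds the bare .onion hostname, treats a malformed extension as a hard failure (fail closed), and builds its own constructed sample extension so it runs offline with no real certificate.

```python
from __future__ import annotations
import hashlib

# OID of the CA/Browser Forum TorServiceDescriptor extension (Ballot 144).
TOR_DESCRIPTOR_OID = "2.23.140.1.31"
# DER tags used below.
SEQUENCE, UTF8STRING, BIT_STRING, OBJECT_ID = 0x30, 0x0C, 0x03, 0x06


def _read_tlv(buf: bytes, pos: int):
    """Minimal DER reader: return (tag, value, position after the element)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Yield the (tag, value) pairs directly inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def parse_tor_descriptors(ext_value: bytes) -> list:
    """Return the onionURI of every TorServiceDescriptorHash in the extension.

    TorServiceDescriptorSyntax ::= SEQUENCE OF TorServiceDescriptorHash
    TorServiceDescriptorHash  ::= SEQUENCE { onionURI UTF8String,
                                             algorithm AlgorithmIdentifier,
                                             subjectPublicKeyHash BIT STRING }
    Malformed input raises ValueError so the caller fails closed.
    """
    tag, outer, _ = _read_tlv(ext_value, 0)
    if tag != SEQUENCE:
        raise ValueError("TorServiceDescriptorSyntax is not a SEQUENCE")
    uris = []
    for tag, entry in _children(outer):
        fields = list(_children(entry))
        if tag != SEQUENCE or len(fields) != 3 or fields[0][0] != UTF8STRING:
            raise ValueError("malformed TorServiceDescriptorHash")
        uris.append(fields[0][1].decode("utf-8"))
    if not uris:
        raise ValueError("extension present but carries no descriptors")
    return uris


def _canon(name: str) -> str:
    """Assumption: onionURI holds the bare .onion hostname; compare case-insensitively."""
    return name.lower().rstrip(".")


def check_onion_coverage(san_dns_names, ext_value) -> list:
    """Return the .onion SAN names with no matching descriptor (empty list = issuable).

    ext_value is the DER value of the 2.23.140.1.31 extension, or None if absent.
    """
    onion_names = {_canon(n) for n in san_dns_names if _canon(n).endswith(".onion")}
    if not onion_names:
        return []                          # not an onion cert; nothing to cover
    if ext_value is None:
        return sorted(onion_names)         # extension missing entirely
    covered = {_canon(u) for u in parse_tor_descriptors(ext_value)}
    return sorted(onion_names - covered)


# --- constructed sample data (not a real certificate) ---------------------

def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER element with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_extension(onion_names) -> bytes:
    """Build a TorServiceDescriptorSyntax value with one SHA-256 entry per name."""
    id_sha256 = _der(OBJECT_ID, bytes.fromhex("608648016503040201"))  # 2.16.840.1.101.3.4.2.1
    entries = b""
    for name in onion_names:
        digest = hashlib.sha256(b"constructed key for " + name.encode()).digest()
        entries += _der(SEQUENCE, _der(UTF8STRING, name.encode())
                        + _der(SEQUENCE, id_sha256)
                        + _der(BIT_STRING, b"\x00" + digest))  # 0 unused bits
    return _der(SEQUENCE, entries)


if __name__ == "__main__":
    ext = build_sample_extension(["abcdefghijklmnop.onion"])
    san = ["ABCDEFGHIJKLMNOP.onion", "qrstuvwxyzabcdef.onion", "www.example.com"]
    print("missing descriptors:", check_onion_coverage(san, ext))
    print("extension absent:", check_onion_coverage(san, None))
```

Wired in front of issuance, a non-empty result (or a ValueError from the decoder) blocks the order; a cert with no .onion names passes untouched, and a cert whose extension is absent fails for every onion name, which is the case the report describes. Only the onionURI is matched here; a fuller lint would also verify that each subjectPublicKeyHash corresponds to the onion service key.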
On Mon, Mar 19, 2018 at 5:38 PM, Jeremy Rowley via dev-security-policy <