info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Fwd: [cabfpub] Public disclosure of 68 GlobalSign SSL certificates issued without EKU or KU
224 views
Skip to first unread message
Richard Wang
Sep 23, 2016, 8:57:12 PM9/23/16
to mozilla-dev-s...@lists.mozilla.org
This is the recent incident from GlobalSign.
Please notice WoSign incident is occurred in 2015 for free DV SSL, not OV or EV.
Best Regards,
Richard
Begin forwarded message:
From: Doug Beattie <doug.b...@globalsign.com<mailto:doug.b...@globalsign.com>>
Date: September 21, 2016 at 04:48:00 GMT+8
To: CABFPub <pub...@cabforum.org<mailto:pub...@cabforum.org>>
Subject: [cabfpub] Public disclosure of 68 GlobalSign SSL certificates issued without EKU or KU
Following a recent code update to our GlobalSign Certificate Centre (GCC) platform, we have discovered a bug which manifests itself when orders are re-issued with modified domains within the Subject Alternative Name field of the certificate. When users added or removed SANs in their OV or EV certificate between 29 August and 19 September the resulting certificates did not contain the Key Usage (KU) or Extended Keu Usage (EKU) extensions. KU is optional according to the BRs, but EKU is mandatory. All certificates contained Basic Constraints.
The issue was identified on Friday and the system patched Friday night. Customers in the western region were notified Friday afternoon and those in APAC and Japan on Monday and Tuesday (Monday was a holiday in Japan). The support team was in contact with impacted customers Monday and Tuesday to follow up and recommend they reissue the certificate and revoke the one containing the issue. Those that could not be contacted had their certificates revoked by the GlobalSIgn vetting team.
Currently, all but 1 certificate has been revoked. The one remaining will be revoked with the next 24 hours and belongs to a high profile site in Japan who, due to the timing of the issue, needs another day.
We have verified that in total 68 certificates were affected. 4 of these are EV and 64 OV. The risk to the community and to our other customers is therefore low as we have existing relationships with all customers and have vetted them to a higher level of confidence to issue the original certificate in the first place, although obviously the inconvenience on both sides is not welcome.
We’re putting new systems in place to parse issued certificates for compliance with the BRs which will catch any future certificate content issues more quickly.
For more information and the list of certificates, see the Mozilla bug filed earlier today: https://bugzilla.mozilla.org/show_bug.cgi?id=1304089
Regards,
Doug
_______________________________________________
Public mailing list
Pub...@cabforum.org<mailto:Pub...@cabforum.org>
https://cabforum.org/mailman/listinfo/public
Please notice WoSign incident is occurred in 2015 for free DV SSL, not OV or EV.
Best Regards,
Richard
Begin forwarded message:
From: Doug Beattie <doug.b...@globalsign.com<mailto:doug.b...@globalsign.com>>
Date: September 21, 2016 at 04:48:00 GMT+8
To: CABFPub <pub...@cabforum.org<mailto:pub...@cabforum.org>>
Subject: [cabfpub] Public disclosure of 68 GlobalSign SSL certificates issued without EKU or KU
Following a recent code update to our GlobalSign Certificate Centre (GCC) platform, we have discovered a bug which manifests itself when orders are re-issued with modified domains within the Subject Alternative Name field of the certificate. When users added or removed SANs in their OV or EV certificate between 29 August and 19 September the resulting certificates did not contain the Key Usage (KU) or Extended Keu Usage (EKU) extensions. KU is optional according to the BRs, but EKU is mandatory. All certificates contained Basic Constraints.
The issue was identified on Friday and the system patched Friday night. Customers in the western region were notified Friday afternoon and those in APAC and Japan on Monday and Tuesday (Monday was a holiday in Japan). The support team was in contact with impacted customers Monday and Tuesday to follow up and recommend they reissue the certificate and revoke the one containing the issue. Those that could not be contacted had their certificates revoked by the GlobalSIgn vetting team.
Currently, all but 1 certificate has been revoked. The one remaining will be revoked with the next 24 hours and belongs to a high profile site in Japan who, due to the timing of the issue, needs another day.
We have verified that in total 68 certificates were affected. 4 of these are EV and 64 OV. The risk to the community and to our other customers is therefore low as we have existing relationships with all customers and have vetted them to a higher level of confidence to issue the original certificate in the first place, although obviously the inconvenience on both sides is not welcome.
We’re putting new systems in place to parse issued certificates for compliance with the BRs which will catch any future certificate content issues more quickly.
For more information and the list of certificates, see the Mozilla bug filed earlier today: https://bugzilla.mozilla.org/show_bug.cgi?id=1304089
Regards,
Doug
_______________________________________________
Public mailing list
Pub...@cabforum.org<mailto:Pub...@cabforum.org>
https://cabforum.org/mailman/listinfo/public
0 new messages