Fwd: Invalid Country Code Issuance

Wayne Thayer

Jun 1, 2018, 6:29:14 PM
to mozilla-dev-security-policy
Forwarding this for Brenda because the list's SPAM filter is preventing her
from posting it:

*From:* Brenda Bernal <brenda...@digicert.com>
*Date:* June 1, 2018 at 1:33:46 PM PDT
*To:* <dev-secur...@lists.mozilla.org>
*Subject:* *Invalid Country Code Issuance*

Digicert has posted a bug (below) on our invalid country code issuance.
Wayne requested us to post for forum visibility.

1. How your CA first became aware of the problem (e.g. via a
problem report submitted to your Problem Reporting Mechanism, a
discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal
self-audit), and the time and date.

The Product team discovered on 2018-05-17 that we had certificates in
our system that were issued from two incorrect Country codes, AN and
XK, as they were addressing a revalidation question.

2. A timeline of the actions your CA took in response. A timeline
is a date-and-time-stamped sequence of all relevant events. This may
include events before the incident was reported, such as when a
particular requirement became applicable, or a document changed, or a
bug was introduced, or an audit was done.

2018/05/17 7:30 AM MT - Certificates were discovered via
internal forum discussion

2018/05/17 4:16 PM MT - Certificates were confirmed by
Engineering Manager with AN and XK country codes

2018/05/18 5:01 PM MT - 'AN' ISO country code removed from CA

2018/05/25 1:09 PM MT - 'XK' ISO country code removed from CA

3. Whether your CA has stopped, or has not yet stopped, issuing
certificates with the problem. A statement that you have will be
considered a pledge to the community; a statement that you have not
requires an explanation.

We have stopped issuing certificates using these country codes at the
CA level through code changes as indicated in 2) above.

4. A summary of the problematic certificates. For each problem:
number of certs, and the date the first and last certs with that
problem were issued.

7 certs associated with AN country code and 10 certs associated with
XK country code

"XK" country code first issued was 2016/12/06 and last issued was 2018/05/15

"AN" country code first issued was 2015/08/25 and last issued was 2018/03/13

Here’s the link to the bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1465600
for the crt.sh links to the certificates.

5. The complete certificate data for the problematic certificates.
The recommended way to provide this is to ensure each certificate is
logged to CT and then list the fingerprints or crt.sh IDs, either in
the report or as an attached spreadsheet, with one list per distinct
problem.

We will provide when CT logs are updated.

6. Explanation about how and why the mistakes were made or bugs
introduced, and how they avoided detection until now.

a. There was no product team in 2012 when the Baseline Requirement
requiring the use of ISO country codes was passed. At the time, an
engineer checked the ISO codes, and "AN" was still in a transitional
state, while "XK" was included as a user-assigned value. It wasn't
clear to that engineer, at that time, that it wasn't officially
accepted by the ISO standards, and was allowed in error. We have
updated our list to exclude user codes.

b. The "AN" country code was a previously admissible country code
by ISO standards. It was removed transitionally on 2011/12/15, which
meant it could be used for 5 years while the new codes were adopted.
However, it wasn't removed from our database as an allowed value in
2016, due to the lack of a product group and oversight. Product
oversight has been established. We have an amended process in place
to thoroughly review all ballot impact with subsequent baseline
requirement changes that will need to be reflected in software and
operational procedures.
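The cause in 6a and 6b is a country-code allow-list that admitted a user-assigned code and never expired a transitionally reserved one. As an added Python illustration (not DigiCert's code), the check below applies three rules to a countryName value on its issuance date: officially assigned codes pass, the ISO 3166-1 user-assigned ranges (AA, QM-QZ, XA-XZ, ZZ) always fail, and a deleted code passes only until its reservation ends. The assigned-code set is a small constructed sample, and the AN reservation dates are derived from the report's deletion date and five-year figure.

```python
# Added illustration for the report above; not DigiCert's code.
from datetime import date
import re

# Constructed sample of officially assigned ISO 3166-1 alpha-2 codes.
# A production check loads the full, current ISO table instead.
ASSIGNED = {"US", "GB", "DE", "NL", "CW", "SX", "BQ", "RS"}

# Deleted codes and the end of their transitional reservation.
# AN: deleted 2011-12-15, usable five years per the report (assumption).
TRANSITIONAL = {"AN": (date(2011, 12, 15), date(2016, 12, 15))}

def is_user_assigned(code):
    """ISO 3166-1 user-assigned alpha-2 ranges: AA, QM-QZ, XA-XZ, ZZ."""
    return (code in ("AA", "ZZ")
            or "QM" <= code <= "QZ"
            or "XA" <= code <= "XZ")

def check_country_code(code, as_of):
    """Return (accepted, reason) for a countryName issued on as_of (YYYY-MM-DD)."""
    issued = date.fromisoformat(as_of)
    if not re.fullmatch(r"[A-Z]{2}", code):
        return False, "not two uppercase ASCII letters"
    if is_user_assigned(code):
        return False, "user-assigned code, never valid in a certificate"
    if code in TRANSITIONAL:
        deleted, until = TRANSITIONAL[code]
        if issued <= until:
            return True, f"transitionally reserved until {until}"
        return False, f"deleted {deleted}, reservation ended {until}"
    if code in ASSIGNED:
        return True, "officially assigned"
    return False, "not an officially assigned code"

def audit(records, as_of):
    """Flag (serial, country) records whose country fails the check."""
    findings = []
    for serial, country in records:
        ok, reason = check_country_code(country, as_of)
        if not ok:
            findings.append((serial, country, reason))
    return findings

# Constructed sample issuance records, not the certificates in the report.
SAMPLE = [("0001", "US"), ("0002", "AN"), ("0003", "XK"),
          ("0004", "nl"), ("0005", "CW")]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "2018-05-17"):
        print(finding)
```

Run against the issuance database as a periodic self-audit, the same check would have flagged the AN certificates issued after 2016-12-15 and every XK certificate, the two gaps the report describes.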