This mis-issuance incident was reported by Mr. Rob Stradling via an e-mail =
sent to GDCA=E2=80=99s Problem Reporting Mechanism (email@example.com=
..cn). Mr. Rob Stradling also filed a report at June 7, 2018 18:07 (UTC+8) v=
ia Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=3D1467414).
1.How your CA first became aware of the problem (e.g. via a problem report =
submitted to your Problem Reporting Mechanism, via a discussion in mozilla.=
dev.security.policy, or via a Bugzilla bug), and the date.
We became aware of the problem via an e-mail sent to GDCA=E2=80=99s Problem=
Reporting Mechanism (firstname.lastname@example.org) by Mr. Rob Stradling, the=
e-mail was sent at June 7, 2018 18:10 (UTC+8). Mr. Rob Stradling also file=
d a report at June 7, 2018 18:07 (UTC+8) via Bugzilla (https://bugzilla.moz=
2.A timeline of the actions your CA took in response.
A.June 7, 2018 18:10 (UTC+8)- Mr. Rob Stradling sent the e-mail to webtru=
B.June 7, 2018 18:40 (UTC+8) =E2=80=93 GDCA became aware of the reported =
C.June 7, 2018 18:58 (UTC+8) =E2=80=93 GDCA suspended the issuance of the=
GDCA DV SSL certificates;
D.June 7, 2018 19:10 (UTC+8) =E2=80=93 GDCA replied Mr. Rob Stradling=E2=
=80=99s e-mail, indicated that we were looking into the issue; =20
E.June 7, 2018 20:30 (UTC+8) =E2=80=93 GDCA confirmed the mis-issuance of=
the reported certificates;
F.June 7, 2018 21:00 (UTC+8) =E2=80=93 GDCA revoked the 4 mis-issued cert=
G.June 7, 2018 21:27 (UTC+8) =E2=80=93 GDCA notified the subscribers that=
the mis-issued certificates were revoked;
H.June 8, 2018 09:30 (UTC+8) =E2=80=93 GDCA identified the reason of the =
I.June 8, 2018 11:43 (UTC+8) =E2=80=93 GDCA found three additional DV SSL=
certificates that were mis-issued through scanning all the SSL certificate=
s issued by the GDCA TrustAUTH R5 ROOT and its Subordinate CAs;
J.June 8, 2018 12:04 (UTC+8) =E2=80=93 GDCA revoked the additional three =
mis-issued certificates, notified the subscribers through the e-mail addres=
ses of the domain owners. =20
3.Confirmation that your CA has stopped issuing TLS/SSL certificates with t=
GDCA suspended the issuance of DV SSL certificates as of June 7, 2018 18:=
4.A summary of the problematic certificates. For each problem: number of ce=
rts, and the date the first and last certs with that problem were issued.
A total of 7 certificates were mis-issued and for the same reason, these =
certificates were issued between December 06, 2017 and June 05, 2018.=20
5.The complete certificate data for the problematic certificates. The recom=
mended way to provide this is to ensure each certificate is logged to CT an=
d then list the fingerprints or crt.sh IDs, either in the report or as an a=
ttached spreadsheet, with one list per distinct problem.
Certificate 1: https://crt.sh/?id=3D496289019
Certificate 2: https://crt.sh/?id=3D506519022
Certificate 3: https://crt.sh/?id=3D506945512
Certificate 4: https://crt.sh/?id=3D506962000
Certificate 5: https://bug1467414.bmoattachments.org/attachment.cgi?id=3D=
Certificate 6: https://bug1467414.bmoattachments.org/attachment.cgi?id=3D=
Certificate 7: https://bug1467414.bmoattachments.org/attachment.cgi?id=3D=
6.Explanation about how and why the mistakes were made or bugs introduced, =
and how they avoided detection until now.
After conducting an investigation, we found that a bug was introduced dur=
ing an upgrade in our certificate issuance system which was misconfigured l=
ater, causing the failure of detection on the minimum RSA key size. =20
7.List of steps your CA is taking to resolve the situation and ensure such =
issuance will not be repeated in the future, accompanied with a timeline of=
when your CA expects to accomplish these things.
A.Suspended the issuance of DV SSL certificates;
B.Scanned all the SSL certificates issued by the GDCA TrustAUTH R5 ROOT a=
nd its Subordinate CAs to find out if other certificates with small RSA key=
s were mis-issued;
C.We are currently fixing the bug in the issuance system and working to h=
ave it correctly configured by June 10, 2018;
D.We are adding a function in the key parts of the issuance system to reg=
ularly detect the minimum RSA key size, and such function is expected to be=
enabled by June 20, 2018.=20
We wish to thank Mr. Rob Stradling for bringing this problem to our attenti=
Your comments and suggestions will be much appreciated.