SwissSign: Cert issued with a to long validity period

to whom it may concern

Last week we have reported a Bug on
gi?id=3D1443731 about a certificate we issued with a to long validity perio=

We are now asked to publish the same incident report also on this mozilla.d= forum:

Topic 1: How your CA first became aware of the problem (e.g. via a problem =
report submitted to your Problem Reporting Mechanism, a discussion in mozil=, a Bugzilla bug, or internal self-audit), and the ti=
me and date.

On the evening of 6th March 2018 our CABLint post-issue test system alerted=
 us to this problem.  We also received emails from an external source

Topic 2: A timeline of the actions your CA took in response. A timeline is =
a date-and-time-stamped sequence of all relevant events. This may include e=
vents before the incident was reported, such as when a particular requireme=
nt became applicable, or a document changed, or a bug was introduced, or an=
 audit was done.

2018-03-06 15:49 UTC The certificate was issued
2018-03-07 06:00 UTC We started an investigation
2018-03-07 07:00 UTC We contacted the customer in order to replace the cert=
ificate and revoke the mis-issued one
2018-03-07 12:36 UTC The certificate was revoked

Topic  3: Whether your CA has stopped, or has not yet stopped, issuing cert=
ificates with the problem. A statement that you have will be considered a p=
ledge to the community; a statement that you have not requires an explanati=

We identified the source of the problem as incorrect use of a rarely used r=
eissue option available only to SwissSign support employees.  We immediatel=
y prohibited any use of this functionality until the option is fixed (ETA 1=
7th March 2018).

Topic 4: A summary of the problematic certificates. For each problem: numbe=
r of certs, and the date the first and last certs with that problem were is=

Topic 5: The complete certificate data for the problematic certificates. Th=
e recommended way to provide this is to ensure each certificate is logged t=
o CT and then list the fingerprints or IDs, either in the report or =
as an attached spreadsheet, with one list per distinct problem.


Topic 6: Explanation about how and why the mistakes were made or bugs intro=
duced, and how they avoided detection until now.

The support option in question was not in scope during the initial work to =
implement ballot 193 - it was planned to be implemented by 17th March 2018.=
  During the interim period support staff were trained to use the functiona=
lity with caution and in accordance with the requirements.

Topic 7: List of steps your CA is taking to resolve the situation and ensur=
e such issuance will not be repeated in the future, accompanied with a time=
line of when your CA expects to accomplish these things.

Immediate action: We have prohibited any use of the problematic reissue fun=
ctionality until it is technically constrained to 825 days for SSL certific=
ates 7th March 2018: The fixes for the reissue functionality have been roll=
ed out to our test environment 17th March 2018: The fixes for the reissue f=
unctionality will be rolled out in production

3/12/2018 8:31:54 AM 1337 articles. 2 followers. Post Follow

0 Replies

Similar Articles

[PageSpeed] 19