Izenpe posted the following response to the bug [1]:

My apologies for the delayed follow-up response. First we must say that we don't see any benefit for the community in publishing the name and version of our PKI software, regardless of security issues.

As previously stated, we have two filters for each SSL certificate issuance. The "pre" one is integrated into the PKI software and is obviously developed by the PKI manufacturer. The "post" ones are really the three filters used in crt.sh, that is cablint, x509lint and zlint. Therefore we have different manufacturers for the two filters. The previous one is supposed to review the TBS with the same conditions as the post one.

In the case of this misissued certificate, it was immediately detected by the post filters. After contacting the manufacturer we learned that the hotfix had been available since last November. We've already installed the hotfix in the development environment, and it will be in the production environment before next March 3rd. Meanwhile we're reviewing manually, with dual control, all requests we receive.

We have defined some improvement actions, which could help other CAs to detect and fix these issues:

1. Apply cablint, x509lint and zlint also in the development environment, as the post-issuance filter.

2. Request our manufacturer to categorize all patches and hotfixes they develop. At least there must be two categories: high if it applies to security issues or RFC/CABForum misissuances, and the rest. In the case of patches classified as high, they must contact us immediately. We're going to update our policy to require those patches to be put in production within 15 days at most. We'll also suggest that our manufacturer communicate this to all their customers.

All these actions will be applied in February.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1528290#c2

On Mon, Feb 18, 2019 at 4:58 PM Ryan Sleevi via dev-security-policy <[email protected]> wrote:

> On Mon, Feb 18, 2019 at 2:49 PM Jakob Bohm via dev-security-policy <[email protected]> wrote:
> >

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
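Izenpe's first improvement action, running the same linters used post-issuance (cablint, x509lint, zlint) before a certificate leaves the development environment, comes down to a gate that refuses to proceed when any linter reports an error. The following is an added example, not Izenpe's code and not part of the zlint project: a small Python gate around the zlint CLI. It assumes that invoking `zlint <file.pem>` prints a JSON object mapping lint names to objects with a `"result"` field (zlint's documented output), and the embedded sample result set is constructed for the demonstration rather than taken from any real certificate.

```python
"""Pre-issuance lint gate around zlint (added example, not Izenpe's or zlint's code).

Idea: a to-be-signed certificate is rendered as a test certificate in the
development environment, linted with the same tools crt.sh runs post-issuance,
and issuance proceeds only when no lint reports "error" or "fatal".
"""
import json
import subprocess
import sys
from typing import Dict, List, Tuple

# zlint result statuses. Assumption: these are the status strings zlint emits
# ("pass", "NA", "NE", "notice", "warn", "error", "fatal").
BLOCKING_STATUSES = {"error", "fatal"}   # anything here must stop issuance
WARNING_STATUSES = {"warn"}              # surfaced to the reviewer, not blocking


def evaluate_lint_results(results: Dict[str, dict]) -> Tuple[bool, List[str], List[str]]:
    """Decide whether issuance may proceed from a zlint result map.

    Returns (may_issue, blocking_lint_names, warning_lint_names), with names
    sorted so that output is stable across runs.
    """
    blocking = sorted(
        name for name, r in results.items() if r.get("result") in BLOCKING_STATUSES
    )
    warnings = sorted(
        name for name, r in results.items() if r.get("result") in WARNING_STATUSES
    )
    return (len(blocking) == 0, blocking, warnings)


def run_zlint(pem_path: str, zlint_bin: str = "zlint") -> Dict[str, dict]:
    """Run the zlint CLI on a PEM file and parse its JSON output.

    Assumption: `zlint <file>` writes one JSON object to stdout. A non-zero
    exit (e.g. unparseable input) raises CalledProcessError, which the caller
    should treat as a failed gate rather than a pass.
    """
    proc = subprocess.run(
        [zlint_bin, pem_path], capture_output=True, text=True, check=True
    )
    return json.loads(proc.stdout)


def gate_issuance(pem_path: str) -> bool:
    """Full gate: lint the file and report. Fails closed on any linter error."""
    try:
        results = run_zlint(pem_path)
    except (OSError, subprocess.CalledProcessError, json.JSONDecodeError) as exc:
        print(f"lint gate FAILED (linter did not produce a result): {exc}")
        return False
    may_issue, blocking, warnings = evaluate_lint_results(results)
    for name in blocking:
        print(f"BLOCK  {name}: {results[name].get('details', '')}")
    for name in warnings:
        print(f"WARN   {name}: {results[name].get('details', '')}")
    print("lint gate PASSED" if may_issue else "lint gate FAILED")
    return may_issue


# Constructed sample of what a zlint result map looks like (not real output
# for any issued certificate); one blocking error and one warning.
SAMPLE_ZLINT_OUTPUT: Dict[str, dict] = json.loads("""{
  "e_basic_constraints_not_critical": {"result": "pass"},
  "e_sub_cert_eku_missing": {"result": "error",
                             "details": "subscriber certificate has no EKU extension"},
  "w_sub_cert_aia_does_not_contain_issuing_ca_url": {"result": "warn"},
  "e_ca_key_usage_missing": {"result": "NA"},
  "n_subject_common_name_included": {"result": "notice"}
}""")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python lint_gate.py candidate.pem
        sys.exit(0 if gate_issuance(sys.argv[1]) else 1)
    ok, blocking, warnings = evaluate_lint_results(SAMPLE_ZLINT_OUTPUT)
    print("sample may issue:", ok, "blocking:", blocking, "warnings:", warnings)
```

The gate fails closed: a linter that cannot run, or output that cannot be parsed, is treated the same as an error finding, so a broken linter installation in the development environment cannot silently wave certificates through. Extending it to cablint and x509lint means adding one runner per tool and merging their findings before the same decision step.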

