CA/Certinomis Issues

26 bytes added, 18:12, 11 April 2019
This page lists alleged issues involving the CA Certinomis (also known as Docapost). It may be further updated by Mozilla as more information becomes available. Please do not edit this page yourself; if you have proposed changes, send them to the mozilla.dev.security.policy list or email Wayne. Information here is correct to the best of Mozilla's knowledge and belief.
 
Certinomis currently has a single root certificate in the Mozilla program. The “[https://crt.sh/?caid=5676 Certinomis - Root CA]” was included in 2015 via [https://bugzilla.mozilla.org/show_bug.cgi?id=1169083 bug #1169083] with only the websites trust bit set. The root is not EV-capable.
=== B Lack of Responsiveness (2018 - Present) ===
In a 2017 misissuance bug, Certinomis was [https://bugzilla.mozilla.org/show_bug.cgi?id=1390978#c19 called out for letting more than a month pass without providing a timeline for complying with the BRs].
 
In January 2018, Certinomis [https://bugzilla.mozilla.org/show_bug.cgi?id=1439126 failed to respond] to a [[CA/Communications#January_2018_CA_Communication|Mozilla CA Communication]]. Certinomis was also late in responding to the prior [[CA/Communications#November_2017_CA_Communication|November 2017 survey]] and had to be prompted, but no bug was filed. In both cases, the response stated that their representative was temporarily overloaded.
 
In November 2018, the primary representative of Certinomis in the Mozilla community and the CA/Browser Forum, Franck Leroy, left the company. Mozilla was informed of the change in representatives before it happened. The three representatives that have replaced Mr. Leroy have not previously been involved with the Mozilla program or the CAB Forum. Furthermore, the pattern of non-responsiveness continued under the new representatives: [https://bugzilla.mozilla.org/show_bug.cgi?id=1496088 bug #1496088] (comments 12-17); [https://bugzilla.mozilla.org/show_bug.cgi?id=1495524 bug #1495524] (comments 6 and 7); and [https://bugzilla.mozilla.org/show_bug.cgi?id=1503128 bug #1503128] (comments 2 and 7).
=== C Audit Issues (2015-2018) ===
There are gaps in Certinomis’ audit coverage dating back to at least 2016. The [https://bug937589.bmoattachments.org/attachment.cgi?id=8652034 2015 assessment report] is dated 28-April 2015, but the [https://bugzilla.mozilla.org/attachment.cgi?id=8784555 2016 assessment report] covers a period beginning on 13-May 2015, a gap in audit coverage of 2 weeks. The 2016 report states that the next report is due before 13-May 2017. The [https://bugzilla.mozilla.org/attachment.cgi?id=8898169 2017 assessment report] states that it is valid from 24-July 2017, leaving a gap of almost 2 months in audit coverage.
 
The [https://bugzilla.mozilla.org/attachment.cgi?id=9027927 2018 assessment report] was due in October but not received until 23-November. There was originally a one week gap from the end of the previous audit to the beginning of the period covered by this latest report, but the auditor LSTI issued a new report that updated the start of the audit period. [https://groups.google.com/d/msg/mozilla.dev.security.policy/IjgFwzGI_H0/ptUw6kZhBQAJ Certinomis stated that LSTI was at fault for the late audit statements].
On 29-November, 2017, the CA indicated that these problems had all been corrected and resolved in their production system.
 
On 1-October, 2018, a precertificate with a SAN containing only “www” was [https://bugzilla.mozilla.org/show_bug.cgi?id=1495524 reported]. This bug is still open (as of 9-April 2019) pending remediation including pre-issuance linting.
 
On 29-October, 2018, two new precertificates containing email addresses in DNSName SANs were [https://bugzilla.mozilla.org/show_bug.cgi?id=1503128 reported]. This was blamed on human error. On 3-April, 2019, Certinomis reported in comment 13 of the bug that one of their remediation action items was completed, and in the process [https://bugzilla.mozilla.org/show_bug.cgi?id=1542328 disclosed two newly misissued certificates containing an invalid TLD in a SAN]. The subsequent [https://bugzilla.mozilla.org/show_bug.cgi?id=1542328#c0 incident report] disclosed three more misissued certificates and stated that the problem had been fixed. However, on the same day [https://bugzilla.mozilla.org/show_bug.cgi?id=1542793 another certificate was misissued, this one containing an empty SAN value].
 
Another similar set of misissued certificates was [https://bugzilla.mozilla.org/show_bug.cgi?id=1539531 reported] on 27-March, 2019. These 10 certificates contain spaces in SAN values.
==== 2 Subject Organization ====
On 30-January, 2019, it was reported that Certinomis [https://bugzilla.mozilla.org/show_bug.cgi?id=1524103 issued 4 certificates containing invalid State or Locality information]. On 1-February, 2019, another misissuance in which the [https://crt.sh/?id=405372511 StateorProvinceName field contains “Direction des systèmes d'informations”] was [https://bugzilla.mozilla.org/show_bug.cgi?id=1524103#c5 reported] and that certificate was issued after the incident report had been filed claiming that Certinomis had stopped issuing certificates containing these errors.
==== 3 Inadequate Controls on Production Testing ====
On 31-January, 2019, [https://bugzilla.mozilla.org/show_bug.cgi?id=1524448 bug #1524448 reported] that Certinomis had issued 4 certificates that asserted the CAB Forum DV policy OID but contained forbidden organization information in the Subject. The explanation in the [https://bugzilla.mozilla.org/show_bug.cgi?id=1524448#c3 incident report] is: “The guy in charge of testing the new CTlog function was not aware that test certificates shall be as true as real ones and he did not check the PKI configuration before issuing these certificates for testing the new function.”
 
[https://bugzilla.mozilla.org/show_bug.cgi?id=1524112 Bug #1524112] filed on 30-January, 2019, reported that in January Certinomis also issued two certificates containing “O=POUR TEST” in the Subject. The [https://bugzilla.mozilla.org/show_bug.cgi?id=1524112#c2 initial response from Certinomis] stated that this was “NOT A MISTAKE BUT A FEATURE” and went on to describe this as an acceptable method of testing.
 
A very similar problem had originally been [https://bugzilla.mozilla.org/show_bug.cgi?id=1496088 brought to Certinomis’ attention] back on 3-October, 2018. That problem had also been [https://bugzilla.mozilla.org/show_bug.cgi?id=1496088#c2 blamed on human error]. A total of 7 certificates were revoked in that incident, including one with a SAN of “www.pourtest.com”. On 31-November, 2018, Certinomis reported that they would complete a remediation action item by the end of the year, to “implement domain validation in this workflow”, referring to the process used to issue certificates for testing. As of 9-April we do not have confirmation that this functionality has been implemented, although it was [https://bugzilla.mozilla.org/show_bug.cgi?id=1496088#c18 reported] to be “running on pre-production platform” in February.
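The SAN defects described in the sections above (a SAN of only “www”, email addresses in DNSName SANs, an invalid TLD, an empty SAN value, spaces in SAN values) and the DV-policy-OID-with-organization problem in this section are all the kind of thing the pre-issuance linting mentioned in bug #1495524 is meant to stop before signing. The following is an added example, not code from Certinomis, LSTI or Mozilla, showing such rules as a small linter. The profile format (a plain dict with "dns_names", "subject" and "policy_oids"), the rule names, the TLD subset and the sample profiles are all constructed for this example; the policy OIDs 2.23.140.1.2.1 (DV) and 2.23.140.1.2.2 (OV) are the CA/Browser Forum values.

```python
"""Pre-issuance lint rules for a to-be-signed certificate profile.

Added example, not code from Certinomis, LSTI or Mozilla. It turns the
SAN and Subject defects described on this page into checks that run
before a precertificate or certificate is signed. The profile format
(a dict with "dns_names", "subject" and "policy_oids") is an assumption
made for this example; a deployed linter would work on the parsed
TBSCertificate instead.
"""
import re
from dataclasses import dataclass

# One DNS label per RFC 1123: letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed subset of public TLDs for this example; a real linter
# would load the IANA root zone database.
KNOWN_TLDS = {"com", "org", "net", "fr", "eu"}

# CA/Browser Forum Baseline Requirements policy OIDs.
DV_POLICY_OID = "2.23.140.1.2.1"
OV_POLICY_OID = "2.23.140.1.2.2"

# Subject attributes carrying organization identity; they must not appear
# in a certificate that asserts the DV policy OID.
DV_FORBIDDEN_SUBJECT_ATTRS = ("O", "L", "ST", "street", "postalCode")


@dataclass(frozen=True)
class Finding:
    rule: str   # short rule identifier
    value: str  # the offending value, for the incident report


def lint_dns_name(name: str) -> list:
    """Check one dNSName SAN entry; an empty list means it is acceptable."""
    if name == "":
        return [Finding("san-empty", name)]
    findings = []
    if any(ch.isspace() for ch in name):
        findings.append(Finding("san-whitespace", name))
    if "@" in name:
        findings.append(Finding("san-email-in-dnsname", name))
    if findings:
        # Structural problems make the label checks below meaningless.
        return findings
    labels = name.split(".")
    if len(labels) < 2:
        findings.append(Finding("san-single-label", name))
    elif labels[-1].lower() not in KNOWN_TLDS:
        findings.append(Finding("san-unknown-tld", name))
    for label in labels:
        if not LABEL_RE.match(label):
            findings.append(Finding("san-bad-label", name))
            break
    return findings


def lint_subject(subject: dict, policy_oids: list) -> list:
    """A DV certificate must not carry organization identity in its Subject."""
    findings = []
    if DV_POLICY_OID in policy_oids:
        for attr in DV_FORBIDDEN_SUBJECT_ATTRS:
            if attr in subject:
                findings.append(
                    Finding("dv-forbidden-subject-attr", f"{attr}={subject[attr]}"))
    return findings


def lint_profile(profile: dict) -> list:
    """Run every rule; an empty result is the only 'ok to sign' outcome."""
    findings = []
    for name in profile.get("dns_names", []):
        findings.extend(lint_dns_name(name))
    findings.extend(
        lint_subject(profile.get("subject", {}), profile.get("policy_oids", [])))
    return findings


def rules_triggered(profile: dict) -> set:
    """Set of rule identifiers a profile trips; convenient for gating issuance."""
    return {f.rule for f in lint_profile(profile)}


# Constructed profiles modelled on the incidents described above
# (values are made up, not the actual misissued certificates).
SAMPLE_PROFILES = {
    "clean": {"dns_names": ["www.example.com"],
              "subject": {"CN": "www.example.com", "O": "Example SA"},
              "policy_oids": [OV_POLICY_OID]},
    "www-only": {"dns_names": ["www"], "subject": {"CN": "www"},
                 "policy_oids": [OV_POLICY_OID]},
    "email-in-san": {"dns_names": ["user@example.com"], "subject": {},
                     "policy_oids": [DV_POLICY_OID]},
    "bad-tld": {"dns_names": ["host.invalidtld"], "subject": {},
                "policy_oids": [DV_POLICY_OID]},
    "empty-san": {"dns_names": [""], "subject": {},
                  "policy_oids": [DV_POLICY_OID]},
    "space-in-san": {"dns_names": ["exa mple.com"], "subject": {},
                     "policy_oids": [DV_POLICY_OID]},
    "dv-with-org": {"dns_names": ["www.example.com"],
                    "subject": {"CN": "www.example.com", "O": "Test Org"},
                    "policy_oids": [DV_POLICY_OID]},
}

if __name__ == "__main__":
    for label, profile in SAMPLE_PROFILES.items():
        result = lint_profile(profile)
        verdict = "SIGN" if not result else "REJECT"
        print(f"{label:14} {verdict:7} {[f.rule for f in result]}")
```

The design point is that the linter returns structured findings rather than a boolean, so the same output that blocks signing can be pasted into an incident report, and that it runs on the to-be-signed profile rather than on the issued certificate, which is what distinguishes pre-issuance linting from the post-issuance crt.sh reports cited throughout this page.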