[cabfpub] Incident report: Internal names in certs expiring after 1st November 2015

Rob Stradling rob.stradling at comodo.com
Mon Nov 9 20:47:31 UTC 2015

On 09/11/15 15:52, Gervase Markham wrote:
> On 09/11/15 09:12, Rob Stradling wrote:
>> We widened our investigation to look for certificates with notBefore >=
>> 2nd November 2014
> 2015?

You're the third person to ask me this question today!  :-)

I really, really did mean 2014.

Our initial investigation (on 5th Nov 2015) looked at all the certs we 
could find (issued by any publicly trusted CA and seemingly useable for 
TLS server authentication) with notBefore >= 2nd Nov 2015 and notAfter 
 >= 2nd Nov 2015.  We only found the 8 non-compliant certs that were 
issued by our CA system during those few days.  Having determined what 
went wrong at our side, we also looked at the certs we'd issued on 30th 
and 31st Oct 2015.

Then, our widened investigation looked at all the certs we could find 
with notBefore >= 2nd Nov 2014 and notAfter >= 2nd Nov 2015.  The 
decision to go back only 1 year was pretty arbitrary.  We could've gone 
back further towards the original BRs' "Effective Date" (or to whichever 
date any of the browsers / audit regimes actually demanded compliance 
with the BRs), but 1 year seemed sufficient to get a good idea of how 
well the CA industry has been complying with the internal name/IP 
deprecation rule.  Plus, whilst folks can argue about the true effective 
date of the BRs, I'm sure everyone can agree that compliance with the 
BRs has been necessary for all CAs for at least the past year.

>> that chain to publicly trusted roots and include any
>> Internal Names or Reserved IP Addresses.  We found non-compliant
>> certificates issued by quite a number of other CAs, but I'll document
>> these in another post.

I'm still preparing this report on our widened investigation.

> Gerv

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

More information about the Public mailing list