[cabfpub] Public disclosure of 68 GlobalSign SSL certificates issued without EKU or KU

Peter Bowen pzb at amzn.com
Sat Oct 8 21:36:11 UTC 2016


> On Sep 20, 2016, at 1:48 PM, Doug Beattie <doug.beattie at globalsign.com> wrote:
> 
> Following a recent code update to our GlobalSign Certificate Centre (GCC) platform, we have discovered a bug which manifests itself when orders are re-issued with modified domains within the Subject Alternative Name field of the certificate.  When users added or removed SANs in their OV or EV certificate between 29 August and 19 September the resulting certificates did not contain the Key Usage (KU) or Extended Key Usage (EKU) extensions.  KU is optional according to the BRs, but EKU is mandatory.  All certificates contained Basic Constraints.
> 
> The issue was identified on Friday and the system patched Friday night.  Customers in the western region were notified Friday afternoon and those in APAC and Japan on Monday and Tuesday (Monday was a holiday in Japan).  The support team was in contact with impacted customers Monday and Tuesday to follow up and recommend they reissue the certificate and revoke the one containing the issue.  Those that could not be contacted had their certificates revoked by the GlobalSign vetting team.
> 
> Currently, all but 1 certificate has been revoked.  The one remaining will be revoked within the next 24 hours and belongs to a high profile site in Japan who, due to the timing of the issue, needs another day.
> 
> We have verified that in total 68 certificates were affected.  4 of these are EV and 64 OV.  The risk to the community and to our other customers is therefore low as we have existing relationships with all customers and have vetted them to a higher level of confidence to issue the original certificate in the first place, although obviously the inconvenience on both sides is not welcome.
> 
> We’re putting new systems in place to parse issued certificates for compliance with the BRs which will catch any future certificate content issues more quickly.
> 

This is probably a really dumb question, but if these did not contain either the Key Usage or Extended Key Usage extension, is it in scope for the BRs?  I’ve suggested we clarify this, but there has never been consensus on doing so.


> For more information and the list of certificates, see the Mozilla bug filed earlier today: https://bugzilla.mozilla.org/show_bug.cgi?id=1304089
> 
> Regards,
> 
> Doug
> 
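The "parse issued certificates for compliance with the BRs" check Doug describes, as an added example that is not GlobalSign's code: it walks the DER-encoded Extensions SEQUENCE of a certificate and flags a missing EKU (mandatory) or KU (optional). The sample extension lists below are constructed, not taken from the affected certificates, and a real linter would first extract the Extensions from the TBSCertificate with a full X.509 parser.

```python
# Added example (not GlobalSign's code): a minimal BR "content lint" over a
# certificate's DER Extensions SEQUENCE (RFC 5280 4.1.2.9). It reports a
# missing EKU as an error (mandatory under the BRs) and a missing KU as a warning.
OID_KU, OID_BC, OID_EKU = "2.5.29.15", "2.5.29.19", "2.5.29.37"

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos); long-form lengths handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode OID content bytes into dotted form (base-128 arcs, first byte packs two)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extension_oids(extensions_der):
    """Set of extnID OIDs in a DER Extensions SEQUENCE (extnID is first in each Extension)."""
    _, body, _ = _tlv(extensions_der, 0)    # outer SEQUENCE OF Extension
    found, pos = set(), 0
    while pos < len(body):
        _, ext, pos = _tlv(body, pos)       # Extension ::= SEQUENCE { extnID, critical?, extnValue }
        _, oid_bytes, _ = _tlv(ext, 0)
        found.add(_oid(oid_bytes))
    return found

def lint_br_extensions(extensions_der):
    """Findings for a BR leaf certificate: missing EKU is an error, missing KU a warning."""
    oids, findings = extension_oids(extensions_der), []
    if OID_EKU not in oids:
        findings.append("ERROR: extendedKeyUsage missing (mandatory under the BRs)")
    if OID_KU not in oids:
        findings.append("WARN: keyUsage missing (optional under the BRs)")
    return findings

# Constructed sample data (not real certificates): a tiny DER encoder plus the extension
# list of a cert carrying only basicConstraints, as the affected ones did, and a complete one.
def _enc(tag, content):
    assert len(content) < 128               # short-form length suffices for these samples
    return bytes([tag, len(content)]) + content

_BC = _enc(0x30, _enc(0x06, b"\x55\x1d\x13") + _enc(0x01, b"\xff") + _enc(0x04, _enc(0x30, b"")))
_KU = _enc(0x30, _enc(0x06, b"\x55\x1d\x0f") + _enc(0x01, b"\xff") + _enc(0x04, _enc(0x03, b"\x05\xa0")))
_EKU = _enc(0x30, _enc(0x06, b"\x55\x1d\x25") + _enc(0x04, _enc(0x30, _enc(0x06, b"\x2b\x06\x01\x05\x05\x07\x03\x01"))))
BUGGY_EXTENSIONS = _enc(0x30, _BC)          # basicConstraints only: no KU, no EKU
GOOD_EXTENSIONS = _enc(0x30, _BC + _KU + _EKU)
```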