• Arbitrations
• a20140624.2

• Case Number: a20140624.2
• Status: closed
• Claimant: Felix D
• Respondent: CAcert

• initial Case Manager: EvaStöwe

• Case Manager: PietStarreveld

• Arbitrator: EvaStöwe

• Date of arbitration start: 2016-06-21
• Date of ruling: 2016-06-21
• Case closed: 2016-06-21
• Complaint: Request for analyzing and revoking wrong issued certificates with wildcards.
• Relief:
  1. check how many certificates have been issued with such malformed names
  2. affected members should be informed
  3. these malformed certificates should be revoked.

Before: Arbitrator EvaStöwe (A), Respondent: CAcert (R), Claimant: Felix D (C), Case: a20140624.2

History Log

• 2014-06-24 (issue.c.o): case [s20140624.193 ]
• 2014-07-06 (iCM): added to wiki, request for CM / A
• 2014-07-06 (iCM): notification about case send to C
• 2014-07-26 (iCM): repeats request for CM / A

• 2016-04-21 (CM): pick up case and select EvaStöwe as A

• 2016-04-21 (A): init mailing (C)
• 2016-06-21 (A): ruling send to (C)
• 2016-06-21 (CM): close case

Private Part

• Link to Arbitration case a20140624.2 (Private Part), Access for (CM) + (A) only

EOT Private Part

original Dispute

• Software is fixing a bug that enabled users to issue wrong certificates.
  (1212)
  
  These certificates contain a "*" other than as a leading "*." (e.g.
  *.*.domainname.com or *sub.domainname.com) (bug 1212)
  or SQL Wildcard-characters (%, _) in their CommonName or
  SubjectAlternativeName.
  
  My request is, that arbitration and software should check how many
  certificates have been issued with such malformed names.
  In a second step the affected members should be informed and these
  malformed certificates should be revoked.
  
  Software should provide the needed SQL statements.

Discovery

• General:

  • The dispute was filed based on bug1212

  • When the case was picked up nearly 2 years after the dispute was filed that bug remains to be open.
  • During the time where arbitration has waited to pick up this case, nearly all certificates who were active at the time when the dispute was filed, have expired on their own. (They expire after 2 years).
  • There is no indication that the bug would be fixed, soon.
• About revoking the certificates:
  • Until the bug is not fixed, it does not make sense to revoke certificates as this would have to be repeated every day again, if the issue would be accepted to be an issue that requires revocation.
  • This would not be sensible
  • Especially as first sql-queries would have to be developed, tested, reviewed and executed.
  • The time for this should be used for the bug itself at least for the time being.
• Request to request how many certificates were issued like described in the bug
  • As such certificates may be continued to be issued, it does not make sense to request this, same argument as above.
  • But even more: There is no need to know this. (Even as this number would be provided by the execution of such a query)
  • This request is clearly rejected.
• About the general request to revoce such certificates
  • The bug only mentions a "SHOULD" requirements for clients to not accept certificates with more than one wildcard.
  • By this according certificats are likely to be useless
  • It is unlikely that users are trying to issue them
  • However there is no indication so far that such certificates are invalid and forbidden to be issued
  • Because of this there is no reason to revoke according certificates, if users decided that they want to have them.

When the bug is fixed, anybody who sees a further need for revocation could request this again, so that the last point could be evaluated further, if necessary. But fur the time being a revocation would not solve anything so it should not be done.

However software team is encouraged to inform users about according issues when they create according certificates via the system.

Ruling

1. As the bug is not fixed even about two years after filing the dispute it does not make sense to revoke certificates at the time being. No certificates should be revoked because of this bug until it is fixed.
2. The request to look up the number of affected certificates is rejected.
3. As neither the bug nor the dispute provide an indication that certificates with more than one wildcards may not be issued even as they SHOULD not be accepted by clients, no affected certificates should be revoked based on the bug even after the bug is fixed.
4. However, the last point was not evaluated deeply in this case. After the bug is fixed, another dispute for revocation of according certificates may be failed, if and only if proof is provided that such certificates are not allowed to be issued.
5. As no certificates will be removed, there is no need to inform those members specifically. Even as all members are encouraged to inform other members about possible issues regarding certificates.

Eva Stöwe 2016-06-21

Execution

• 2016-06-21 (A): ruling

Similiar Cases

to be done

• CategoryArbitration

• CategoryArbCaseSystemTasks

• CategoryArbCaseOthers