GlobalSign Information for VU#971035

Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests


Not Affected

Vendor Statement

GlobalSign utilizes SCEP for certificate delivery to iOS devices. However, we have mitigated the vulnerabilities outlined in 971035 by:

    1) implementing unique and strong one-time PINs to authenticate certificate invitation
    2) utilizing unique 1-time SCEP URLs that optionally can be tied to Device ID
    3) only allowing authorized Enterprise PKI local RAs to register end user identity information using client authentication to access the ePKI portal
    4) only issuing identity information entered in the ePKI portal regardless of what is included in the CSR.

Therefore, GlobalSign believes we are not affected by the vulnerabilities outlined in 971035.
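
The sketch below is an added example, not GlobalSign's code or part of the vendor statement. It shows how an enrollment service could combine controls 1, 2 and 4: a one-time URL token, a one-time PIN, optional device binding, and a certificate subject taken from the portal record rather than the CSR. The `Invitation` and `Enrollments` names, the SHA-256 PIN digest and the burn-on-first-use policy are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _digest(pin: str) -> bytes:
    return hashlib.sha256(pin.encode()).digest()


@dataclass
class Invitation:
    """Hypothetical record written by an authorized local RA in the portal."""
    subject: str                     # identity the RA entered; the only name ever issued
    pin_hash: bytes                  # digest of the one-time PIN
    device_id: Optional[str] = None  # optional binding of the URL to one device
    used: bool = False


class Enrollments:
    def __init__(self) -> None:
        self._by_token: Dict[str, Invitation] = {}

    def invite(self, subject: str, device_id: Optional[str] = None) -> Tuple[str, str]:
        """Return (url_token, pin); the token is the unique part of the one-time SCEP URL."""
        token, pin = secrets.token_urlsafe(32), secrets.token_urlsafe(12)
        self._by_token[token] = Invitation(subject, _digest(pin), device_id)
        return token, pin

    def enroll(self, token: str, pin: str, csr_subject: str,
               device_id: Optional[str] = None) -> Tuple[Optional[str], str]:
        """Return (subject_to_certify, reason); subject is None when the request is refused."""
        inv = self._by_token.get(token)
        if inv is None or inv.used:
            return None, "unknown or already used enrollment URL"
        inv.used = True  # example's choice: burn the URL on first use, even a failed one
        if not hmac.compare_digest(_digest(pin), inv.pin_hash):
            return None, "wrong PIN"
        if inv.device_id is not None and device_id != inv.device_id:
            return None, "device ID does not match invitation"
        # csr_subject is never consulted: the certificate names the portal identity only.
        return inv.subject, "ok"
```

Logging `csr_subject` whenever it differs from the returned subject gives a cheap signal that a requester tried to enroll under a different name.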

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.