GlobalSign Information for VU#971035
Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests
- Vendor Information Help Date Notified:
- Statement Date:
- Date Updated: 29 Mar 2013
GlobalSign www.globalsign.com utilizes SCEP for certificate delivery to iOS devices. However we have mitigated the vulnerabilities outlined in 971035 by:
1)implementing unique and strong one time PINs to authenticate certificate invitation
2)Utilize unique 1-time SCEP URLs that optionally can be tied to Device ID
3)only allow authorized Enteprise PKI local RAs to register end user identity information using client authentication to access the ePKI portal
4)only issue identity information entered in the ePKI portal regardless of what is included in the CSR.
Therefore, GlobalSign believes we are not affected by the vulnerabilities outlined in 971035.
We are not aware of further vendor information regarding this vulnerability.
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.