Closed Bug 1266230 Opened 9 years ago Closed 9 years ago

VR Ident EV certificate with multiple issues

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: kurt, Assigned: sdavidson)

Details

(Whiteboard: BR Compliance)

This EV certificate has various issues: https://crt.sh/?id=16930771&opt=x509lint

The subject is missing at least:
- a businessCategory
- the jurisdictionCountryName
- the serialNumber

The validity period is also slightly longer than the 27 months allowed by the EV requirements.
Stephen, Please work with QuoVadis' VR IDENT subCA to fix their EV SSL certificate issuance to be in line with the EV guidelines, and update this bug with status on getting this resolved. Also please look into why these problems weren't noticed by the auditor.
Assignee: kwilson → sdavidson
Acknowledged. We will have certificate revoked, and revert with more information.
Confirming that the certificate has been revoked. Will revert with details of steps taken to prevent a recurrence.
Apologies for the delay in responding. The issue in question was intended to be an OV SSL, but due to an RA administrative error was issued using an EV policy. In previous practice, EV policies were manually enabled for specific RA administrators at the time of EV issuance. During such a period, the assigned administrator chose the incorrect policy. The certificate was never installed on a webserver; as it was issued using an EV policy it was automatically logged in CT. During the investigation, the CA halted EV issuance while additional RA technical controls were implemented to prevent an OV request being delivered using an EV policy. Further control enhancements in the certificate administration tool will be implemented in the coming weeks. The CA has informed its external auditor regarding the certificate, as well as changes to the RA process and certificate administration tool.
Stephen, Thank you for sharing the results of your investigation.

> Further control enhancements in the certificate
> administration tool will be implemented in the coming weeks.

What further control enhancements do you expect to be implemented? What potential problems will those solve?

Were any other EV certs issued that should have been OV certs?
Stephen, any update on this?
Whiteboard: BR Compliance
What further control enhancements do you expect to be implemented? What potential problems will those solve?
> Previously RAs manually processed certificate requests. The updated certificate administration tool includes template filters and workflows such that, among other things, only complete EV requests can be sent for signing using an EV policy. The certificate administration tool is intended to enforce aspects of the BR and EV Guidelines.

Were any other EV certs issued that should have been OV certs?
> No.
(In reply to Stephen Davidson from comment #7)
> What further control enhancements do you expect to be implemented? What
> potential problems will those solve?
> > Previously RAs manually processed certificate requests. The updated certificate administration tool includes template filters and workflows such that, among other things, only complete EV requests can be sent for signing using an EV policy. The certificate administration tool is intended to enforce aspects of the BR and EV Guidelines.
>
> Were any other EV certs issued that should have been OV certs?
> > No.

Thanks. Looks like this bug has been resolved.
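A pre-signing gate of the kind comment #7 describes, where only complete EV requests go out under an EV policy, written as an added example; it is not QuoVadis' tool or code from this bug. The request layout and the names `ev_gate` and `add_months` are hypothetical, the check covers only the three subject attributes and the 27-month limit named in the report, and counting the limit in calendar months from notBefore is an assumption. A CA would pass its own EV policy OIDs in `ev_policies`.

```python
import calendar
from datetime import datetime

# Subject attributes the report lists as missing from the EV certificate.
EV_REQUIRED_SUBJECT = {
    "2.5.4.15": "businessCategory",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountryName",
    "2.5.4.5": "serialNumber",
}
CABF_EV_POLICY = "2.23.140.1.1"  # CA/Browser Forum EV policy OID
MAX_EV_MONTHS = 27               # limit cited in the report

def add_months(dt, months):
    """Add calendar months, clamping the day to the target month's length."""
    idx = dt.month - 1 + months
    year, month = dt.year + idx // 12, idx % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)

def ev_gate(request, ev_policies=frozenset({CABF_EV_POLICY})):
    """Return reasons to refuse signing; an empty list means the request passes."""
    if not ev_policies & set(request["policy_oids"]):
        return []  # no EV policy requested, so the EV rules do not apply
    present = {oid for oid, value in request["subject"] if value.strip()}
    problems = [f"missing subject attribute {name} ({oid})"
                for oid, name in EV_REQUIRED_SUBJECT.items() if oid not in present]
    # Assumption: the limit is counted in calendar months from notBefore.
    if request["not_after"] > add_months(request["not_before"], MAX_EV_MONTHS):
        problems.append(f"validity exceeds {MAX_EV_MONTHS} months")
    return problems

# Constructed request: OV-style subject submitted under an EV policy.
SAMPLE_REQUEST = {
    "policy_oids": [CABF_EV_POLICY],
    "subject": [("2.5.4.6", "DE"), ("2.5.4.10", "Example GmbH"),
                ("2.5.4.7", "Berlin"), ("2.5.4.3", "www.example.com")],
    "not_before": datetime(2016, 3, 1),
    "not_after": datetime(2018, 6, 2),  # one day past 27 months
}

if __name__ == "__main__":
    for problem in ev_gate(SAMPLE_REQUEST):
        print("REFUSE:", problem)
```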
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program