Closed Bug 1397958 Opened 7 years ago Closed 7 years ago

DigiCert / Terena: Metadata in OU fields

(CA Program :: CA Certificate Compliance, task)

RESOLVED FIXED

(Reporter: kathleen.a.wilson, Assigned: jeremy.rowley)

(Whiteboard: [ca-compliance] [ov-misissuance])

This bug has been separated out from Bug #1389172 to request an incident report specific to this subCA.

Terena
  a) Metadata in OU fields
    - See Bug #1389172: Comment 0
    - Remediation
      - None performed; no root cause analysis performed

For the problem listed above, please provide an incident report as described here:

https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Flags: needinfo?(jeremy.rowley)
TERENA is actually a DigiCert sub CA, meaning the root cause and remediation is identical to DigiCert's own OU issue.

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, via a discussion in mozilla.dev.security.policy, or via a Bugzilla bug), and the date.
- The issue was posted to the Mozilla dev list on Aug 9, 2017.

2. A timeline of the actions your CA took in response.
- We investigated to see what was going on that same day, responding to Jonathan. Because this is not a SubCA, we were able to post initial findings to that mailing list. We determined this was not a direct violation of the BRs as it states "All other subject attributes MUST contain information that has been verified by the CA". OU is not an "other subject attribute" and is defined in the section immediately prior to this. As such, we have not revoked these certificates.

3. Confirmation that your CA has stopped issuing TLS/SSL certificates with the problem.
- Confirmed. DigiCert has patched its systems to detect whether the OU field has metadata and prevents issuance if non-validated information is present. Although I don't think this is actually a violation per the above explanation, we do see value in preventing metadata in all subject fields, not just other subject fields.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
- Unknown. Customers can enter data they want in the OU Field. These are screened for addresses and names. We continuously patch our systems as new forms of metadata are found.

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
This is the list of all TERENA certs with metadata in the OU:

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
- OU is traditionally just a dumping ground for non-validated information. Although the BRs adopted the requirement that no other field should contain metadata, the requirement does not squarely apply to the OU field under the language (as it's not an "Other Subject" field). However, rather than fight over nuances with respect to the OU, DigiCert patched the issue and put safeguards in place to prevent recurrence.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
- We add new metadata to a blacklist as it is discovered. We are also moving to a platform where all OU information is verified prior to issuance.
Flags: needinfo?(jeremy.rowley)
Here's the timeline:

1. Aug 9, 2017 - Report was made to the mailing list
2. Aug 9, 2017 - DigiCert responded to mailing list and began investigation
3. Aug 10, 2017 - DigiCert decided this is not a violation as posted on the mailing list:

Section 7.1.4.2.2(j): "All other optional attributes, when present within the subject field, MUST contain information that has been verified by the CA. Optional attributes MUST NOT contain metadata such as ‘.’, ‘‐‘, and ‘ ‘ (i.e. space) characters, and/or any other indication that the value is absent, incomplete, or not applicable." Because OU is not "all other optional attributes", (j) doesn't apply.

However, DigiCert decided that preventing metadata in the OU field was a good thing to do so committed to preventing it going forward.

4. Aug 10, 2017 - OU metadata was added to a blacklist on the CA side that prevented issuance
5. ETA beginning of Nov, 2017 - DigiCert will validate all OU information prior to inclusion. This will eliminate all future OU metadata that is not currently blacklisted.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]
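The OU screening described in items 3, 4 and 7 and the BR 7.1.4.2.2(j) text quoted above, as an added example that is not DigiCert's or TERENA's code: a pre-issuance check over a subject DN string that pairs a denylist of known placeholder words with a structural rule (a value with no letter or digit carries no verifiable content), so unknown punctuation variants are caught without waiting for a denylist update. The DN parser, the denylist entries and the sample values are constructed assumptions.

```python
"""Pre-issuance check for metadata placeholders in subject OU values.
Added example, not DigiCert's or TERENA's code: a denylist of known placeholder
strings (grown as new forms turn up) plus a structural rule for unknown ones.
Denylist entries and the sample DNs are constructed for illustration."""
import unicodedata

# Known placeholder strings seen in OU fields (constructed sample list),
# matched case-insensitively after NFKC normalisation and trimming.
PLACEHOLDER_DENYLIST = {"n/a", "na", "none", "null", "not applicable", "tbd"}

def ou_values_from_dn(dn: str) -> list[str]:
    """Pull every OU value out of an RFC 4514 string DN such as
    'CN=www.example.com,OU=-,OU=IT Dept,O=Example B.V.,C=NL'.
    Handles backslash-escaped separators; quoted values are out of scope."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # escaped char: keep literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return [val for typ, _, val in (r.partition("=") for r in rdns)
            if typ.strip().upper() == "OU"]

def ou_violations(ou_values: list[str]) -> list[str]:
    """Return the OU values that should block issuance.
    BR 7.1.4.2.2(j) names '.', '-' and ' ' as metadata; instead of listing every
    punctuation variant, any value with no letter or digit (empty, whitespace,
    dashes, dots, Unicode hyphens) is treated as metadata. The denylist then
    catches placeholder words that do contain letters, such as 'N/A'."""
    bad = []
    for ou in ou_values:
        norm = unicodedata.normalize("NFKC", ou).strip().lower()
        if norm in PLACEHOLDER_DENYLIST or not any(c.isalnum() for c in norm):
            bad.append(ou)
    return bad

def issuance_allowed(dn: str) -> bool:
    """Gate a certificate request on its subject DN string."""
    return not ou_violations(ou_values_from_dn(dn))
```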