Closed Bug 1451228 Opened 2 years ago Closed 2 years ago

Asseco DS / Certum: EV certificate mis-issue

Categories

(NSS :: CA Certificate Compliance, task)


RESOLVED FIXED

People

(Reporter: wojciech.babicz, Assigned: arkadiusz.lawniczak)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 OPR/52.0.2871.40

Steps to reproduce:

EV guidelines state that the legally registered company name must be listed as the company name for the certificate.

Certum CA mis-issued EV (extended validation) certificate for domain: zegarownia.pl 

The "green bar" of the EV certificate shows the word "ZEGAROWNIA", which is not the legal company name; the cert was mis-issued. The legal company name is: "57 Concepts Sp. z o.o. Sp.k."


Actual results:

information from EV certificate: 

CN = zegarownia.pl
OU = 57 Concepts Sp. z o.o. Sp.k.
O = ZEGAROWNIA
C = PL

"O" is wrong!



Expected results:

How do they do extended validation, when it is validated wrongly ...
This appears to be referencing https://crt.sh/?id=250931400

Arkadiusz: please review this certificate and either provide confirmation explaining how it was properly issued, or file an incident report if it was misissued.
Assignee: wthayer → arkadiusz.lawniczak
Flags: needinfo?(arkadiusz.lawniczak)
Whiteboard: [ca-compliance]
Group: crypto-core-security
This raises questions - will Certum issue a certificate with any string I ask them, like Chase Bank?
I am writing on behalf of Arkadiusz Ławniczak and Asseco/Certum.

Thank you for pointing that out.

I would like to ensure that Certum follows the "Guidelines for the Issuance and Management of Extended Validation Certificates" document and performs strict validation of all data in certification requests.

In the given certificate, all data from the subject were properly verified. We verified that the name "Zegarownia" is a trademark granted by the Polish Patent Office to the company "57 Concepts Sp. z o.o. Sp.k." (this patent expires on January 26, 2021). We also confirmed the applicant's identity and his right to submit the certification request for the given domain and organization.

Unfortunately, it was an isolated incident in which we placed the trademark in the Organization Name field and the legal company name in the Organizational Unit Name field. Therefore, we revoked this certificate on April 10, 2018.

Additionally, I would like to highlight that the subscriber has been informed that the certificate was misissued.

If additional data is needed, please let me know.
Wojciech: thank you for the information. Please provide a full incident report as described here: https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report. I am especially interested to know if you have looked for any more certificates issued with this problem, and what you are doing to prevent it from happening again.
Flags: needinfo?(wtrapczynski)
Two EV certificates mis-issuance incident report.
1.	CERTUM received notification of bug number 1451228 directly from bugzilla-daemon@mozilla.org on Wednesday, April 4, 2018 7:58.
2.	On April 6 we started investigating what caused the problem. Our employee who was on duty communicated with bugzilla-daemon@mozilla.org directly (which was a bit unfortunate) to confirm receipt of the Bugzilla bug.
2.1	On April 10 the certificate 919DCADE40713F715E560005E868BAB18142DD97 was revoked.
3.	Although all of the data from the certificate were properly verified, it turned out that there was a human error when manually correcting the certification request: the OU content was incorrectly entered into the O field. As you may know, many users make mistakes when submitting a CSR, especially for EV SSL certificates, so we often need to correct them. Of course the subscriber has been informed that the certificate was misissued. On the same day a new certificate was issued (https://crt.sh/?id=393673006). Please note that in this certificate, which is not EV SSL, the organizationName is also ZEGAROWNIA. But this time we believe this is a DBA/Trademark, which is allowed by the CA/Browser Forum BR (of course only when properly validated). The subscriber provided us with appropriate documentation from the Polish Patent Office.
4.	We have not stopped issuing EV SSL certificates, but we are committed to more urgent verification of such certificates requiring manual handling.
5.	We checked 1355 EV SSL certificates issued between 11.04.2016 and 11.04.2018 (excluding reissued certificates, where any change in the certificate is forbidden) and found one more certificate with an incomplete name of its owner in organizationName, which may be found at: https://crt.sh/?id=36541467.
In this case the name entered into the organizationName was "Garden Flora", whereas the correct company name is "Garden Flora (P.W. Jakub Chwieduk)".
6.	Both certificates have been revoked:
•	919DCADE40713F715E560005E868BAB18142DD97 Revoked 2018-04-10 08:58:23 UTC (https://crt.sh/?id=250931400)
•	022099F0DD4F0B16917884F49A61F6F9927EEE95 Revoked 2018-05-08 09:46:49 UTC (https://crt.sh/?id=36541467)
7.	These two cases of mis-issued certificates have proved to be separate issues. Both were caused by human error.
Flags: needinfo?(arkadiusz.lawniczak)
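A defender-side lint for the failure mode described in this report, added here as an example and not Certum's or Mozilla's code: it flags an EV subject whose O carries no legal-form designator while the OU does (the swapped fields in the first certificate), or whose O is not the registered name held in the validation record (the Garden Flora case). The designator list is a constructed, non-exhaustive heuristic, and the subject dictionaries are built from the values quoted on this page.

```python
import re
from typing import Dict, List

# Legal-form designators a registered company name typically carries.
# Constructed, non-exhaustive list; extend it for the jurisdictions you vet.
LEGAL_FORM_RE = re.compile(
    r"\b(sp\. z o\.o\.|sp\.k\.|s\.a\.|p\.w\.|gmbh|ltd\.?|inc\.?|llc|s\.r\.o\.)",
    re.IGNORECASE,
)


def normalize(name: str) -> str:
    """Case-fold and collapse whitespace so cosmetic differences do not mask a mismatch."""
    return " ".join(name.lower().split())


def o_matches_registered(subject: Dict[str, str], registered_name: str) -> bool:
    """True when the subject's O equals the registered name from the validation record."""
    return normalize(subject.get("O", "")) == normalize(registered_name)


def lint_ev_subject(subject: Dict[str, str]) -> List[str]:
    """Heuristic pre-issuance checks on an EV subject DN (dict of attribute -> value)."""
    findings = []
    o = subject.get("O", "")
    ou = subject.get("OU", "")
    o_has_form = bool(LEGAL_FORM_RE.search(o))
    ou_has_form = bool(LEGAL_FORM_RE.search(ou))
    if ou_has_form and not o_has_form:
        findings.append(f"legal-form designator in OU {ou!r} but not in O {o!r}: fields may be swapped")
    if not o_has_form:
        findings.append(f"O {o!r} carries no legal-form designator; confirm it is the registered name, not a DBA/trademark")
    if o and o.isupper() and len(o.split()) == 1:
        findings.append(f"O {o!r} is a single all-caps token, typical of a brand rather than a registered name")
    return findings


# Subjects as quoted in this bug (constructed dicts; OU of the second cert is not quoted on the page).
ZEGAROWNIA_EV = {"CN": "zegarownia.pl", "OU": "57 Concepts Sp. z o.o. Sp.k.", "O": "ZEGAROWNIA", "C": "PL"}
GARDEN_FLORA_EV = {"O": "Garden Flora", "C": "PL"}
CORRECTED_EV = {"CN": "zegarownia.pl", "O": "57 Concepts Sp. z o.o. Sp.k.", "C": "PL"}

if __name__ == "__main__":
    for label, subj in (("zegarownia", ZEGAROWNIA_EV), ("garden flora", GARDEN_FLORA_EV), ("corrected", CORRECTED_EV)):
        print(label, lint_ev_subject(subj))
```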
Arkadiusz: thank you for the incident report and for examining other EV certificates for problems. You state that you are "committed to more urgent verification of such certificates requiring manual handling". Please describe what steps have been, or will be taken to prevent these issues from happening again in the future.
Flags: needinfo?(arkadiusz.lawniczak)
Vetting procedures have been reviewed and our validation team has been re-trained in the field of CA/Browser Forum requirements for SSL and EV SSL certificates.
Flags: needinfo?(arkadiusz.lawniczak)
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Flags: needinfo?(wtrapczynski)
Summary: Certum: EV certificate mis-issue → Asseco DS / Certum: EV certificate mis-issue