Closed Bug 1465600 Opened 2 years ago Closed Last year

DigiCert: Invalid Country Code Issuance

Categories: NSS :: CA Certificate Compliance (task)

Status: RESOLVED FIXED

People

(Reporter: brenda.bernal, Assigned: brenda.bernal)

Details

(Whiteboard: [ca-compliance])

1.	How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

The Product team discovered on 2018-05-17 that we had certificates in our system that were issued from two incorrect Country codes, AN and XK, as they were addressing a revalidation question.

2.	A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

2018/05/17 7:30 AM MT - Certificates were discovered via internal forum discussion
2018/05/17 4:16 PM MT - Certificates were confirmed by Engineering Manager with AN and XK country codes
2018/05/18 5:01 PM MT - 'AN' ISO country code removed from CA
2018/05/25 1:09 PM MT - 'XK' ISO country code removed from CA

3.	Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

We have stopped issuing certificates using these country codes at the CA level through code changes as indicated in 2) above.

4.	A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

7 certs associated with AN country code and 10 certs associated with XK country code.
"XK" country code: first issued 2016/12/06 and last issued 2018/05/15.
"AN" country code: first issued 2015/08/25 and last issued 2018/03/13.

List of "AN" certs:
1.	https://crt.sh/?serial=0E600C2875AF1638B220651573EDBC6A
2.	https://crt.sh/?serial=0B477A3EFA5391CABE3A484169DBB4A4
3.	https://crt.sh/?serial=07E1B952ABE0DC9E49C37B14A9F5EB4B
4.	https://crt.sh/?serial=042F9D286E1685A5B05F704460FDAA6C
5.	https://crt.sh/?serial=02E6E8C35770C4B9678B0F46C42CCDBD
6.	https://crt.sh/?serial=0FBFCEE8EEAA3BF1524E582E2469223A
7.	https://crt.sh/?serial=0C6398536894FA1D60D21C3F29FA52FC
List of "XK" certs:
8.	https://crt.sh/?serial=0BF4E46DB5319680141C95856DFF74F3
9.	https://crt.sh/?serial=0E37277F162C8AF7B89BB8AAA5D2DFF2
10.	https://crt.sh/?serial=031CE682A74B7F6F9AF7ADB8C892958E
11.	https://crt.sh/?serial=029738AE39AD5634EBB1D62459BA0CC1
12.	https://crt.sh/?serial=0926F80208311C0C3325C968AC5E9AC7
13.	https://crt.sh/?serial=053D15234D3561F187AD7C9FA396C5A9
14.	https://crt.sh/?serial=02E70731A0EE6F02B93F8DAC5FFAFF40
15.	https://crt.sh/?serial=0DCFB72FAE045FE705E6BDF8F96AF988
16.	https://crt.sh/?serial=0288DE1C5D1B1AE979A11BCCA94E8AC6
17.	https://crt.sh/?serial=033CA1B6EB8F019763460F9330F3BACA

5.	The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

We will provide when CT logs are updated.

6.	Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

a.	There was no product team in 2012 when the Baseline Requirement requiring the use of ISO country codes was passed. At the time, an engineer checked the ISO codes, and "AN" was still in a transitionary state, while "XK" was included as a user-assigned value. It wasn't clear to that engineer, at that time, that it wasn't officially accepted by the ISO standards, and was allowed in error. We have updated our list to exclude user codes.

b.	The "AN" country code was a previously admissible country code by ISO standards. It was removed transitionally on 2011/12/15, which meant it could be used for 5 years while the new codes were adopted. However, it wasn't removed from our database as an allowed value in 2016, due to the lack of a product group and oversight. Product oversight has been established. We have an amended process in place to thoroughly review all ballot impact with subsequent baseline requirement changes that will need to be reflected in software and operational procedures.

Brenda: thank you for the incident report. Will you please also post it to the mozilla.dev.security.policy forum for visibility?
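As an added illustration (not DigiCert's code, nor a description of its systems), the following pre-issuance lint for the subject countryName (C=) attribute catches both failure modes the report describes: user-assigned ISO 3166-1 codes such as XK, and withdrawn codes such as AN once their transitional period has ended. Serials and DNs are constructed; the 2016-12-15 cut-off for AN is derived from the report's statement that the code was removed on 2011/12/15 with five years of transitional use.

```python
import re
from datetime import date

# ISO 3166-1 alpha-2 user-assigned ranges (AA, QM-QZ, XA-XZ, ZZ). These are
# never officially assigned, so a code like "XK" must not appear in a subject.
USER_ASSIGNED = (("AA", "AA"), ("QM", "QZ"), ("XA", "XZ"), ("ZZ", "ZZ"))

# Withdrawn codes mapped to the end of their transitional period. The report
# states AN was removed 2011/12/15 with five years of transitional use, so the
# cut-off below is derived from that statement (assumption for this example).
WITHDRAWN = {"AN": date(2016, 12, 15)}


def is_user_assigned(code):
    return any(lo <= code <= hi for lo, hi in USER_ASSIGNED)


def check_country_code(code, issued_on):
    """Return (accepted, reason) for one C= value at a given issuance date."""
    if not re.fullmatch(r"[A-Z]{2}", code or ""):
        return False, "not two uppercase ASCII letters"
    if is_user_assigned(code):
        return False, "user-assigned ISO 3166-1 code"
    if code in WITHDRAWN:
        if issued_on < WITHDRAWN[code]:
            return True, "withdrawn code inside transitional period"
        return False, "withdrawn code past transitional period"
    return True, "ok"


def country_values(rfc4514_dn):
    """Every C= value in an RFC 4514 DN string (no escaped-comma handling)."""
    return [m.group(1).strip() for m in re.finditer(r"(?:^|,)\s*C=([^,]*)", rfc4514_dn)]


def audit(records):
    """records: (serial, dn, issued_on). Return serials that must be rejected."""
    rejected = []
    for serial, dn, issued_on in records:
        if any(not check_country_code(c, issued_on)[0] for c in country_values(dn)):
            rejected.append(serial)
    return rejected


# Constructed sample records: placeholder serials, dates taken from the report.
SAMPLE = [
    ("AN-first", "CN=example.test,O=Example,C=AN", date(2015, 8, 25)),
    ("AN-last", "CN=example.test,O=Example,C=AN", date(2018, 3, 13)),
    ("XK-first", "CN=example.test,C=XK", date(2016, 12, 6)),
    ("ok", "CN=example.test,C=NL", date(2018, 5, 17)),
]
```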
Assignee: wthayer → brenda.bernal
Whiteboard: [ca-compliance]
Summary: Invalid Country Code Issuance → [DigiCert] Invalid Country Code Issuance
Hello, the incident was posted to the mdsp forum on 6/1/2018 by Wayne. The CT logs were updated (refer to the crt.sh links in section 4 above). Is there anything else we need to move the bug to Resolved/Fixed status?

Brenda: is DigiCert planning to replace & revoke these certificates, or to allow them to naturally expire? If the latter, when does the last valid certificate in this cohort expire?

Hi Wayne, the plan is to revoke these certs.
(In reply to Brenda Bernal from comment #4)
> Hi Wayne, the plan is to revoke these certs.

Great. Please add a comment when revocations have been completed.

Hi Wayne - All the certs have been revoked. Please let me know if there's anything else to close out this bug.

Confirmed that all of these certificates have been revoked.
Status: UNCONFIRMED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Summary: [DigiCert] Invalid Country Code Issuance → DigiCert: Invalid Country Code Issuance