Closed Bug 1465600 Opened 2 years ago Closed Last year

DigiCert: Invalid Country Code Issuance


(NSS :: CA Certificate Compliance, task)

(Reporter: brenda.bernal, Assigned: brenda.bernal)


(Whiteboard: [ca-compliance])

1.	How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in, a Bugzilla bug, or internal self-audit), and the time and date.

The Product team discovered on 2018-05-17 that we had certificates in our system that were issued from two incorrect Country codes, AN and XK, as they were addressing a revalidation question.

2.	A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
	2018/05/17 7:30 AM MT - Certificates were discovered via internal forum discussion
	2018/05/17 4:16 PM MT - Certificates were confirmed by Engineering Manager with AN and XK country codes
	2018/05/18 5:01 PM MT - 'AN' ISO country code removed from CA
	2018/05/25 1:09 PM MT - 'XK' ISO country code removed from CA

3.	Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

We have stopped issuing certificates using these country codes at the CA level through code changes as indicated in 2) above.

4.	A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

7 certs associated with AN country code and 10 certs associated with XK country code
"XK" country code first issued was 2016/12/06 and last issued was 2018/05/15
"AN" country code first issued was 2015/08/25 and last issued was 2018/03/13

List of "AN" certs:
List of "XK" certs:

5.	The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

We will provide when CT logs are updated.

6.	Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

a.	There was no product team in 2012 when the Baseline Requirement requiring the use of ISO country codes was passed. At the time, an engineer checked the ISO codes, and "AN" was still in a transitional state, while "XK" was included as a user-assigned value. It wasn't clear to that engineer, at that time, that it wasn't officially accepted by the ISO standards, and it was allowed in error. We have updated our list to exclude user codes.

b.	The "AN" country code was a previously admissible country code by ISO standards. It was removed transitionally on 2011/12/15, which meant it could be used for 5 years while the new codes were adopted. However, it wasn't removed from our database as an allowed value in 2016, due to the lack of a product group and oversight. Product oversight has been established. We have an amended process in place to thoroughly review all ballot impact with subsequent baseline requirement changes that will need to be reflected in software and operational procedures.
Brenda: thank you for the incident report. Will you please also post it to the forum for visibility?
Assignee: wthayer → brenda.bernal
Whiteboard: [ca-compliance]
Summary: Invalid Country Code Issuance → [DigiCert] Invalid Country Code Issuance
Hello, The incident was posted to the mdsp forum on 6/1/2018 by Wayne. The CT logs were updated (refer to the links in section 4. above). Is there anything else we need to move the bug to Resolved/Fixed status?
Brenda: is DigiCert planning to replace & revoke these certificates, or to allow them to naturally expire? If the latter, when does the last valid certificate in this cohort expire?
Hi Wayne, the plan is to revoke these certs.
(In reply to Brenda Bernal from comment #4)
> Hi Wayne, the plan is to revoke these certs.

Great. Please add a comment when revocations have been completed.
Hi Wayne - All the certs have been revoked. Please let me know if there's anything else to close out this bug.
Confirmed that all of these certificates have been revoked.
Closed: Last year
Resolution: --- → FIXED
Summary: [DigiCert] Invalid Country Code Issuance → DigiCert: Invalid Country Code Issuance