Closed Bug 1473971 Opened 2 years ago Closed Last year

SwissSign: Domain validated certificate but with stateOrProvinceName

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: reinhard.dietrich, Assigned: reinhard.dietrich)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180516032328

Steps to reproduce:

We regularly check crt.sh if any issues are occurred.

Today we found out that we have issued Domain validated certificate but with stateOrProvinceName
e.g. see https://crt.sh/?id=558662469&opt=x509lint

Actually we found this issue by the following certificates:
7D1AFD41E18C2862853DD3F8DA5AC0BA0FA7E438
/CN=ctx.hospicegeneral.ch/OU=SSI/O=Hospice général, institution genevoise d'action sociale/L=Geneva/ST=Geneva/C=CH
79D20E25C9D33DD11AA4E342A8DA2E86FEA73AF5
/CN=tobin.hospicegeneral.ch/O=Hospice général, institution genevoise d'action sociale/L=Geneva/ST=Geneva/C=CH
131E9E7C02EB34C972C1336E6564745872CB1F94
/CN=ssmnet052.hospicegeneral.ch/O=Hospice général, institution genevoise d'action sociale/L=Geneva/ST=Geneva/C=CH
17B346F968ACF6DE165233B818264923A63C6CC9
/CN=ssmnet051.hospicegeneral.ch/O=Hospice général, institution genevoise d'action sociale/L=Geneva/ST=Geneva/C=CH
3833D0480C1C401367EFDC2FE35833203B0BD446
/CN=asacare.mobisana.ch/OU=IT/O=Schweizerische Mobiliar Holding AG/L=Bern/ST=Bern/C=CH
10678D55DD5A7947EFA790472E9DAB472052CB68
/CN=syncronisation.mobi.ch/OU=IT/O=Schweizerische Mobiliar Holding AG/L=Bern/ST=BE/C=CH
2F4457FC7B2D996610450C9D152FF462EE50E0C7
/CN=asacaredemo.mobisana.ch/OU=IT/O=Schweizerische Mobiliar Holding AG/L=Bern/ST=BE/C=CH

As soon we have done  the analysis we will provide the incident report in this bug, as described here:
https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Assignee: wthayer → reinhard.dietrich
Summary: Domain validated certificate but with stateOrProvinceName → SwissSign: Domain validated certificate but with stateOrProvinceName
Whiteboard: [ca-compliance]
Topic 1
=======
How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

Answer to 1:
------------
As quality measurement, we regularly check crt.sh if any issues are occurred. 
Friday 6th July crt.sh shows that that we have issued domain validated certificate with stateOrProvinceName.
e.g. see https://crt.sh/?id=558662469&opt=x509lint

Topic 2
=======
A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

Answer to 2:
------------
2018-07-06 07:00 UTC:As described above, our regularly check with crt.sh show us this issue
2018-07-06 08:00 UTC: we stopped issuing this type of certificates
2018-07-06 10:00 UTC: we started informing the customers about the issue and asked for revocation of the affected certificates
2018-07-31 all affected certificates are revocked


Topic 3
=======
Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

Answer to 3:
------------
We have stopped issuing this type of certificates immediately after we got aware of this problem.


Topic 4
=======
A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

Answer to 4:
------------
Number of certificates: 10
First issue date: 2018-05-28
Last issue date: 2018-07-03

Topic 5
=======
The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

Answer to 5
-----------
https://crt.sh/?id=491148012
https://crt.sh/?id=492641752
https://crt.sh/?id=505031773
https://crt.sh/?id=542378559
https://crt.sh/?id=555473832
https://crt.sh/?id=559716028
https://crt.sh/?id=558662469
https://crt.sh/?id=567986236
https://crt.sh/?id=569001134
https://crt.sh/?id=572877184



Topic 6
=======
Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

Answer 6:
---------

In the process to include the DV OID, it was not checked, if there are any customer specific configurations, that are not in line with the requirements defined by the DV OID. 


Topic 7
=======

List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

Answer 7:
---------

In future configuration changes that affect all new issued certificates, we will do a dedicated check, if there are historical explained exceptions configured, that are not in line with the requirements.
As documented in bug 1443731, SwissSign is implementing pre-issuance linting, and I would expect that to catch this problem (ZLint does).
Status: UNCONFIRMED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.