Closed Bug 1512018 Opened 10 months ago Closed 4 months ago

Entrust: Certificate issued with '-' in ST field

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bruce.morton, Assigned: bruce.morton)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36

Steps to reproduce:

SSL certificates should be issued in accordance with BR 7.1.4.2.j which states "Optional attributes MUST NOT contain metadata such as ‘.’, ‘-‘, and ‘ ‘ (i.e. space) characters, and/or any other indication that the value is absent, incomplete, or not applicable."


Actual results:

On November 19, 2018 an SSL certificate was issued with '-' in the ST field of the subject DN.


Expected results:

The ST should not have been included in the subject DN.
Thanks for filing this report. Please see https://wiki.mozilla.org/CA/Responding_To_An_Incident for the set of expectations around such reports and how the CA responds.
Summary: Certificate issued with '-' in ST field → Entrust: Certificate issued with '-' in ST field
1.    How your CA first became aware of the problem

Entrust Datacard first became aware of a certificate where the ST field had a "-" character through the self-audit post issuance linting process.
 
2.    A timeline of the actions your CA took in response

November 19, 2018 – Certificate issued
November 20, 2018 - Miss-issuance detected
November 20, 2018 - Investigation started
November 20, 2018 - Process was changed
November 26, 2018 - Miss-issued certificate revoked

3.    Confirmation that your CA has stopped issuing TLS/SSL certificates with the problem

No certificates were issued with this issue from notification of incident to the bug being fixed.

4.    A summary of the problematic certificates

Only one unexpired/unrevoked certificate was found with '-', ' ' or '.' in the L or ST fields of the subject. The certificate was issued on 19 November 2018.

5.    The complete certificate data for the problematic certificates

Here is the list of miss-issued certificates:
https://crt.sh/?id=958918578

6.    Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

In the retail certificate enrollment model, the address for OV validated certificates is populated from applicant entered information. The verification team must validate the Subject DN as a whole element, but is able to overwrite O, L and ST fields. In this case, due to oversight, the Verification team did not overwrite or remove '-' in the ST field.

7.    List of steps your CA is taking to resolve the situation

An immediate alert was provided to the Verification team to ensure the L and ST fields are reviewed for only punctuation characters. We are less concerned if those fields are populated with alphanumeric characters as these will be verified as part of the address.

In addition to increased vigilance from the Verification team, Entrust Datacard plans to update the software application to block ST attributes that consist solely of metadata such as ‘.’, ‘-‘, and ‘(i.e. space) characters.'

Note, the revocation of the miss-issued certificate took about 6 days to complete, which is longer than the 5 day requirement. This delay was due to 1) the fact that the Subscriber had more than one certificate for the same domain names and was not using the miss-issued certificate and 2) the revocation process was not followed properly. The team has been re-advised of the process to mitigate the recurrence of a similar delay in the future.
(In reply to undefined from comment #2)
> November 19, 2018 – Certificate issued
> November 20, 2018 - Miss-issuance detected
> November 20, 2018 - Investigation started
> November 20, 2018 - Process was changed
> November 26, 2018 - Miss-issued certificate revoked

This does not meet the requirements of https://wiki.mozilla.org/CA/Responding_To_An_Incident
* "A timeline is a date-and-time-stamped sequence of all relevant events."

> 7.    List of steps your CA is taking to resolve the situation
>
> An immediate alert was provided to the Verification team to ensure the L and ST fields are reviewed for only punctuation characters. We are less concerned if those fields are populated with alphanumeric characters as these will be verified as part of the address.

This is not reassuring that the root cause has been identified and addressed. In particular, it suggests that Entrust's verification of the L and ST fields is not consistently followed. That an ST field was introduced with invalid data suggests that the ST field is not being reviewed adequately.

This is likely a result from the described design:
> The verification team must validate the Subject DN as a whole element, but is able to overwrite O, L and ST fields. 

Given that multiple CAs have seen this design result in misissuance, a more appropriate mitigation would appear to be to have the verification team directly enter the data that is verified, from the canonical source, rather than relying on applicant-provided data. Among the critical security benefit, this will also improve the consistency between certificates issued - for example, "Ltd." vs "Ltd" vs "Limited".


> Note, the revocation of the miss-issued certificate took about 6 days to complete, which is longer than the 5 day requirement. This delay was due to 1) the fact that the Subscriber had more than one certificate for the same domain names and was not using the miss-issued certificate and 2) the revocation process was not followed properly. The team has been re-advised of the process to mitigate the recurrence of a similar delay in the future.

Please file a separate incident report for this, as per https://wiki.mozilla.org/CA/Responding_To_An_Incident . It is a distinct failure for Entrust, and the root causes need to be examined. Retraining the team is unlikely to be a suitable mitigation.
Flags: needinfo?(bruce.morton)
Assignee: wthayer → bruce.morton
Whiteboard: [ca-compliance]
The following is an update to section 2 of the Incident Report.

2.    A timeline of the actions your CA took in response

(All times are UTC)
November 19, 2018 11:54 – Certificate issued
November 20, 2018 17:37- Miss-issuance detected
November 20, 2018 17:37 - Investigation started
November 21, 2018 17:19 - Verification team advised of the process issue
November 26, 2018 1:56 - Miss-issued certificate revoked
Flags: needinfo?(bruce.morton)
(In reply to Ryan Sleevi from comment #3)
> Please file a separate incident report for this, as per
> https://wiki.mozilla.org/CA/Responding_To_An_Incident . It is a distinct
> failure for Entrust, and the root causes need to be examined. Retraining the
> team is unlikely to be a suitable mitigation.

Did I miss this incident being filed? I can't seem to find it.

I also can't seem to find a timeline for remediation (from comment #2), nor any response to the root cause identification and remediation (per comment #3)
Flags: needinfo?(bruce.morton)

Bruce: Do you have an update?

Will follow up this week.

Flags: needinfo?(bruce.morton)

Note that pre-issuance linting could have prevented this and was identified as a remediation for bug #1448986, but as of this date it has not been implemented.

The late revocation incident has been filed, https://bugzilla.mozilla.org/show_bug.cgi?id=1520876.

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

The ‘.’, ‘-‘, and ‘ ‘ (i.e. space) characters issue has been addressed with blocking and with pre-issuance linting per a release on 14 May 2019.

It appears that remediation has been completed.

Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.