Closed Bug 1546253 Opened 8 months ago Closed 4 months ago

GDCA: Authentication of Organization Identity Failure for an OV Certificate

Categories

(NSS :: CA Certificate Compliance, task)

3.3.4
task
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: capoc, Assigned: capoc)

Details

(Whiteboard: [ca-compliance])


  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

On 19 April 2019, we identified this mis-issued certificate in our routine internal audit for Q1 2019.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

March 28, 2019, 14:12 (UTC+8) – This certificate was mis-issued;
April 19, 2019, 09:45 (UTC+8) – GDCA identified this mis-issued certificate;
April 19, 2019, 11:54 (UTC+8) – GDCA added three key words (“Test”, “测试”, and “Example”) to the Sensitive Data List of our CMS; certificate requests containing such key words will in future be redirected to our Compliance team for further verification;
April 19, 2019, 17:16 (UTC+8) – GDCA decided to revoke this certificate and started the certificate revocation procedures;
April 22, 2019, 15:27 (UTC+8) – GDCA revoked the affected certificate;
April 22, 2019, 18:23 (UTC+8) – GDCA notified our WebTrust auditor.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

GDCA stopped the issuance of certificates with similar problems immediately after we confirmed the mis-issuance.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

One SSL certificate was affected, and it was issued on 28 March 2019.

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

Please see: https://crt.sh/?id=1324226957.

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The main reason for the mis-issuance is an error made by the operator. Because this certificate was intended to be deployed on one of the test websites hosted by GDCA, the operator mistakenly added “test” in the O field when inputting the certificate information, and the validation specialist neglected this error because this certificate was issued for GDCA’s own use.

Furthermore, our compliance team was not able to detect the risks of such practice in advance, and was not able to control the risk in a timely manner.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

On April 19, 2019, 11:54 (UTC+8), GDCA added three key words (“Test”, “测试”, and “Example”) to the Sensitive Data List of our CMS; certificate requests containing such key words will in future be redirected to our Compliance team for further verification.

On 22 April 2019, GDCA retrained our validation and issuance team on the rules and standards in our certification practices to avoid similar mis-issuance in the future.

In addition, our internal audit team will continue to inspect for similar issues as a priority in future quarterly internal audits.

Your comments and suggestions will be much appreciated.

Thanks.

Xiu Lei
GDCA
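The remediation above describes a Sensitive Data List check that routes requests whose subject fields contain words such as “Test”, “测试” or “Example” to a compliance reviewer. The following is an added illustration of how such a pre-issuance screen can be implemented; it is not GDCA's CMS code, and it assumes the request subject is supplied as a dict of DN attribute short names (O, OU, CN, ...) to string values. It goes slightly beyond the report by normalizing fullwidth/compatibility characters (NFKC) and by applying word boundaries to Latin keywords so that a legitimate name such as “Contest Holdings” is not flagged.

```python
import re
import unicodedata

# Keywords named in the incident report. Latin words are matched as whole
# words, case-insensitively; CJK terms have no word boundaries and are
# matched as substrings.
SENSITIVE_WORDS = ("Test", "测试", "Example")

# Subject DN attributes whose content is verified for an OV certificate.
CHECKED_FIELDS = ("O", "OU", "CN", "L", "ST", "C")


def _compile(word):
    norm = unicodedata.normalize("NFKC", word)
    if re.search(r"[A-Za-z]", norm):
        # Boundaries are "not alphanumeric" so "test-site" and "(test)" still
        # match, while "Contest" or "Testa" do not.
        return re.compile(
            r"(?<![A-Za-z0-9])" + re.escape(norm) + r"(?![A-Za-z0-9])",
            re.IGNORECASE,
        )
    return re.compile(re.escape(norm))


PATTERNS = {w: _compile(w) for w in SENSITIVE_WORDS}


def screen_subject(subject):
    """Return a list of (field, keyword) pairs for every sensitive keyword
    found in a checked subject attribute. An empty list means no hit."""
    hits = []
    for field in CHECKED_FIELDS:
        value = subject.get(field)
        if not value:
            continue
        # NFKC folds fullwidth letters (e.g. "ＴＥＳＴ") to ASCII before matching.
        text = unicodedata.normalize("NFKC", value)
        for word, pattern in PATTERNS.items():
            if pattern.search(text):
                hits.append((field, word))
    return hits


def route_request(subject):
    """Decide the validation queue: any hit diverts the request to manual
    compliance review instead of the standard validation flow."""
    return "compliance_review" if screen_subject(subject) else "standard_validation"
```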

Thank you for providing this incident report. It appears to contain all required information. I will leave this bug open for a while in case there are any questions about this report.

Assignee: wthayer → capoc
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]

Correcting bug type to task.

Type: defect → task
Flags: needinfo?(wthayer)

It appears that all questions have been answered and remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Flags: needinfo?(wthayer)
Resolution: --- → FIXED