- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
QuoVadis had issued a number of Qualified Web Authentication Certificates (QWAC) with the EV OID that contained Organisation Identifier fields. Since QWACs are only issued to legal persons and not natural persons, we referenced ETSI EN 319 412-3, which requires Organisation Identifier in addition to ETSI EN 319 412-4. We ceased this practice when the CA/Browser Forum began discussing this matter in the lead-up to CABF Ballot SC17, enabling new compliant certificate profile templates in our certificate management system. However, we did not entirely remove the prior templates as we believed Ballot SC17 would shortly re-enable use of the field. The passage of Ballot SC17 took longer than anticipated.
In the intervening period, four certificates for three clients were manually issued by a QuoVadis admin/RA based upon the previous certificate profile. The certificates were identified during audit procedures.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
Certificates identified in audit: verbally on 6/6/2019, in writing on 6/24/2019
Clients contacted 6/7/2019
1st certificate revoked 6/7/2019
2nd certificate revoked 6/18/2019 (was replaced in use prior to that date)
The client using the 3rd & 4th certificates experienced difficulties replacing the certificate which delayed revocation. Sudden revocation of the certificates would have created significant business damage to the client. It was eventually determined that an important relying party (a regulatory entity) had pinned the original certificates.
3rd & 4th certificates revoked 7/2/2019
- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
The original policy settings were restored in production following the effective date of Ballot SC17 on June 21, 2019. QuoVadis will enable the additional cabfOrganizationIdentifier field described in Ballot SC17 before January 31, 2020.
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
See 4 above.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
See 1 above. The certificates were identified in audit procedures.
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
A change to the certificate management system is being worked on (with a target implementation of July 31) to enforce additional review of changes to certificate profile templates, and their proper cascading effect through other child certificate profile templates.
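The failure described in this report is a profile-template problem: a stale parent template kept allowing a subject attribute that the EV rules of the time did not permit, and the effect cascaded into the child profiles an RA could still select. The following is an added illustration, not QuoVadis's code or certificate management system, of the kind of check the remediation above calls for: resolve a template through its parent chain, lint the resolved profile against the organizationIdentifier rule (forbidden in EV subjects before SC17; allowed afterwards only alongside the cabfOrganizationIdentifier extension the report mentions), and re-run that lint over every descendant whenever a template changes. The template names and hierarchy are constructed; the OIDs are the standard X.520 organizationIdentifier attribute and the CA/Browser Forum EV policy identifier, and the SC17 effective date is the one given in the report.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Standard identifiers (not QuoVadis-specific values):
EV_POLICY_OID = "2.23.140.1.1"        # CA/Browser Forum EV certificate policy OID
ORG_ID_ATTR = "2.5.4.97"              # X.520 organizationIdentifier attribute type
SC17_EFFECTIVE = date(2019, 6, 21)    # Ballot SC17 effective date, as stated in the report
CABF_ORG_ID_EXT = "cabfOrganizationIdentifier"  # extension name as used in the report


@dataclass
class Template:
    """A certificate profile template; children inherit and extend their parent."""
    name: str
    parent: Optional[str] = None
    policy_oids: List[str] = field(default_factory=list)
    subject_attrs: List[str] = field(default_factory=list)
    extensions: List[str] = field(default_factory=list)


def resolve(templates: Dict[str, Template], name: str) -> Template:
    """Flatten the parent chain: a child's lists are appended to what it inherits."""
    chain, seen, cur = [], set(), name
    while cur is not None:
        if cur in seen:
            raise ValueError(f"template cycle at {cur!r}")
        seen.add(cur)
        chain.append(templates[cur])
        cur = templates[cur].parent
    merged = Template(name=name)
    for t in reversed(chain):  # root first, so each child adds to its ancestors
        merged.policy_oids += [p for p in t.policy_oids if p not in merged.policy_oids]
        merged.subject_attrs += [a for a in t.subject_attrs if a not in merged.subject_attrs]
        merged.extensions += [e for e in t.extensions if e not in merged.extensions]
    return merged


def lint(resolved: Template, as_of: date) -> List[str]:
    """Apply the organizationIdentifier rule for EV profiles, before and after SC17."""
    findings = []
    is_ev = EV_POLICY_OID in resolved.policy_oids
    if is_ev and ORG_ID_ATTR in resolved.subject_attrs:
        if as_of < SC17_EFFECTIVE:
            findings.append(f"{resolved.name}: subject organizationIdentifier is not a "
                            "permitted EV subject attribute before SC17")
        elif CABF_ORG_ID_EXT not in resolved.extensions:
            findings.append(f"{resolved.name}: subject organizationIdentifier present "
                            f"but the {CABF_ORG_ID_EXT} extension is missing (SC17)")
    return findings


def descendants(templates: Dict[str, Template], name: str) -> List[str]:
    """Every template that inherits, directly or indirectly, from `name`."""
    out = []
    for t in templates.values():
        cur = t.parent
        while cur is not None:
            if cur == name:
                out.append(t.name)
                break
            cur = templates[cur].parent
    return sorted(out)


def review_change(templates: Dict[str, Template], changed: str, as_of: date) -> List[str]:
    """The cascade check: lint the changed template and everything that inherits from it."""
    findings = []
    for n in [changed] + descendants(templates, changed):
        findings += lint(resolve(templates, n), as_of)
    return findings


# Constructed sample hierarchy (hypothetical names; not QuoVadis's real templates).
SAMPLE = {t.name: t for t in [
    Template("ev-base", policy_oids=[EV_POLICY_OID],
             subject_attrs=["2.5.4.3", "2.5.4.10", "2.5.4.6"]),   # CN, O, C
    Template("qwac-legacy", parent="ev-base", subject_attrs=[ORG_ID_ATTR]),  # the stale profile
    Template("qwac-sc17", parent="ev-base", subject_attrs=[ORG_ID_ATTR],
             extensions=[CABF_ORG_ID_EXT]),                          # SC17-compliant profile
]}

if __name__ == "__main__":
    for when in (date(2019, 6, 1), date(2019, 7, 1)):
        print(when, review_change(SAMPLE, "ev-base", when))
```

Run before the SC17 date, the check flags both QWAC children because the resolved EV profile carries a subject organizationIdentifier at all; run after it, only the legacy child remains flagged, for lacking the cabfOrganizationIdentifier extension. Because the lint is applied to the resolved profile of every descendant, a change to the parent template cannot silently re-enable the field in a child that an RA still has available for manual issuance.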