- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, via a discussion in mozilla.dev.security.policy, or via a Bugzilla bug), and the time and date.
On Tuesday August 20th 2019 03:47 BST, GlobalSign was notified by a third party through the report abuse email address that two certificates were discovered which contained invalid State information, either in the stateOrProvinceName field or in the jurisdictionStateOrProvinceName field.
The two certificates in question were:
Additional reporting came in from the mdsp list on August 22 that indicated Censys reported 130 GlobalSign certificates with an abbreviated state in the jurisdictionStateOrProvinceName field. We looked at this also and found that most of those were test certificates issued from a private root for testing purposes and posted to the Google Test Tube log, and then subsequently included in the report. All publicly trusted SSL certificates from this report are included in this incident report.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
GlobalSign started and concluded the investigation of these 2 certificates within 24 hours, at 16:51 BST. Within this timeframe GlobalSign notified the certificate owners that these certificates needed to be replaced and revoked. The certificates were revoked on 2019-08-23 12:59:04 UTC.
Following this report, GlobalSign conducted additional internal reviews for this problem. We searched for invalid values for US states in the stateOrProvinceName field, and for invalid values (including abbreviations) in the jurisdictionStateOrProvinceName field. We reviewed all certificates that had a notAfter date of 21st of August or later and that weren't revoked for other unrelated reasons. All of the misissued certificates were revoked on the 28th of August at the latest. See the attachment for detailed dates.
In total, we found 31 unique certificates with invalid values in the stateOrProvinceName or jurisdictionStateOrProvinceName fields. The oldest certificate was issued in October of 2016, the most recent one in July 2019.
- Whether your CA has stopped, or has not yet stopped, issuing TLS/SSL certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
Yes, we have stopped issuing certificates with this problem. We added warning indicators for our validation staff so that when either of these fields contains an invalid value for the US it will be highlighted. We have also added email alerts to the validation managers when a certificate request contains an invalid value, so they can also be aware and double-check these requests.
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
Number of SSL certs affected: 31
First one issued: October 2016
Most recent one issued: July 2019
Detailed dates and certificate contents are in the attached.
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
We've included the details for the 31 certificates in the attached.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
This was a breakdown in our manual vetting process for Organizational details. The unexpected values were not spotted or not properly corrected during the validation process, nor were any of these certificates selected as part of our monthly random audit sample set. GlobalSign was aware of the "Some-State" issue, but since we were not affected by this particular issue we didn't pursue looking beyond the "some-state" value.
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
We have updated our Validation system to flag stateOrProvinceName values that are not valid full or abbreviated state names, and to flag jurisdictionStateOrProvinceName values that are not full and accurate state names. We also email validation managers about received requests with these issues as a secondary notification.
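As an added illustration (not GlobalSign's code) of the flagging described here and of the scan described in the timeline above, a minimal pre-issuance lint for the two subject attributes in question; the state table and the sample subjects are constructed for this example, and a real deployment would feed it values parsed from the CSR or certificate subject.

```python
import re
# Constructed table (USPS abbreviation -> full name, 50 states + DC); extend for territories.
_TABLE = (
    "AL Alabama,AK Alaska,AZ Arizona,AR Arkansas,CA California,CO Colorado,"
    "CT Connecticut,DE Delaware,DC District of Columbia,FL Florida,GA Georgia,"
    "HI Hawaii,ID Idaho,IL Illinois,IN Indiana,IA Iowa,KS Kansas,KY Kentucky,"
    "LA Louisiana,ME Maine,MD Maryland,MA Massachusetts,MI Michigan,MN Minnesota,"
    "MS Mississippi,MO Missouri,MT Montana,NE Nebraska,NV Nevada,NH New Hampshire,"
    "NJ New Jersey,NM New Mexico,NY New York,NC North Carolina,ND North Dakota,"
    "OH Ohio,OK Oklahoma,OR Oregon,PA Pennsylvania,RI Rhode Island,SC South Carolina,"
    "SD South Dakota,TN Tennessee,TX Texas,UT Utah,VT Vermont,VA Virginia,"
    "WA Washington,WV West Virginia,WI Wisconsin,WY Wyoming"
)
US_STATES = dict(entry.split(" ", 1) for entry in _TABLE.split(","))
FULL_NAMES = {name.casefold(): name for name in US_STATES.values()}

def check_state_or_province(value):
    # stateOrProvinceName: a full name or a USPS abbreviation is acceptable.
    v = re.sub(r"\s+", " ", value.strip()).casefold()  # "new  york" matches "New York"
    if v in FULL_NAMES or v.upper() in US_STATES:
        return None
    return f"stateOrProvinceName {value!r} is not a US state name or abbreviation"

def check_jurisdiction_state(value):
    # jurisdictionStateOrProvinceName (EV): full, accurately spelled name only,
    # so an abbreviation is flagged even though it names a real state.
    v = re.sub(r"\s+", " ", value.strip()).casefold()
    if v in FULL_NAMES:
        return None
    if v.upper() in US_STATES:
        return f"jurisdictionStateOrProvinceName {value!r} is abbreviated; full name required"
    return f"jurisdictionStateOrProvinceName {value!r} is not a US state name"

def lint_subject(subject):
    # subject: attribute -> value dict; only US subjects are checked by this table.
    if subject.get("countryName") != "US":
        return []
    checks = {"stateOrProvinceName": check_state_or_province,
              "jurisdictionStateOrProvinceName": check_jurisdiction_state}
    return [f for f in (checks[a](subject[a]) for a in checks if a in subject) if f]

# Constructed sample subjects (not the certificates from the report).
SAMPLES = [
    {"countryName": "US", "stateOrProvinceName": "CA", "jurisdictionStateOrProvinceName": "California"},
    {"countryName": "US", "stateOrProvinceName": "Some-State"},
    {"countryName": "US", "stateOrProvinceName": "Texas", "jurisdictionStateOrProvinceName": "TX"},
    {"countryName": "GB", "stateOrProvinceName": "Greater London"},
]
```

Running `lint_subject` over each entry in `SAMPLES` returns no findings for the first and last subjects and one finding each for the "Some-State" and "TX" cases, which is the condition the page says now triggers the validation-staff highlight and the manager alert.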
We have launched an additional awareness campaign to our validation specialists, which will be followed up by targeted training and testing. Increased audits will be performed on the validation specialists associated with these misissued certificates.
This additional awareness and training isn't limited to US State values only as there are many manually verified values in OV and EV certificates. The awareness and importance of 100% accuracy is being re-trained into the entire global validation team.
We've increased the exposure of the MDSP list topics to our validation agents and their management, and these topics will be discussed in monthly meetings to be sure the issues spotted are disseminated to a larger group, which will help educate the whole team on industry issues.
We are examining other possibilities such as an automated address validation solution.