- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
QuoVadis was notified by a security researcher by email to our email@example.com address.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
8/19/2019 02:22 GMT QuoVadis received notification by email from security researcher
8/19/2019 12:00 GMT QuoVadis acknowledges receipt to security researcher
8/19/2019 12:30 GMT QuoVadis support researches case, contacts customer to commence revocation. Customer expresses concerns as several certificates are involved in high priority systems such as emergency/ambulance dispatch. A schedule is agreed to stagger revocations over the week.
8/20/2019 11:30 GMT QuoVadis support has ongoing communications with customer, confirming 7 of the 32 certificates revoked and replaced.
8/22/2019 12:30 GMT QuoVadis support confirms 26 of the 32 certificates revoked and replaced, on the agreed schedule to date.
8/23/2019 17:00 GMT Confirmed all 32 certificates have been revoked.
- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
QuoVadis searched its issued certificates and confirmed that no other certificates carry this issue in the EV serialNumber field, nor similar issues in the related EV businessCategory and jurisdictionCountryName fields.
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
QuoVadis issued 32 certificates to a single customer with “N/A” in the EV serialNumber field. Because the certificate holder is a Government Entity for which neither a registration number nor a date of creation is available, the correct entry under EVG 9.2.5 would have been the text “Government Entity”, repeating the value already present in the EV businessCategory field of the certificates.
The certificates were issued between 1/28/2019 and 6/11/2019.
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
The mistake was introduced by an RA employee and was not picked up in second authorisation, as the reviewer mistakenly believed that the “Government Entity” content already in the EV businessCategory field fulfilled the EVG 9.2.5 requirement. Because we use a fixed Organisation template (tied to the EVG re-use periods) that overwrites the Subject content submitted in CSRs, the single template error was repeated across all 32 certificates.
In our certificate management system, the EV serialNumber field is free form because of the wide range of numbers, dates, and text that may be used to properly complete the field.
At this time, we do not believe that trapping for errors such as “N/A” in that field is effective, given the range of possible options.
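As an added example, not QuoVadis's code nor anything from this report, the following check shows what a template-level guard on the three EV Subject fields could look like. It assumes the Organisation template is available as a plain name-to-value mapping (attribute names `businessCategory`, `serialNumber`, `jurisdictionCountryName`), rejects a small denylist of placeholder strings, accepts the literal text “Government Entity” in serialNumber only when businessCategory is “Government Entity”, and uses one heuristic that is this example's own assumption: a registration number or date of creation contains at least one digit. The sample templates are constructed, including the country code.

```python
"""Added example: a template-level sanity check for the EV Subject fields
(EVG 9.2.4 businessCategory, 9.2.5 serialNumber, jurisdictionCountryName).
Not QuoVadis's code; attribute names and sample values are assumptions."""
import re

# The four businessCategory values permitted by EVG 9.2.4.
EV_BUSINESS_CATEGORIES = {
    "Private Organization",
    "Government Entity",
    "Business Entity",
    "Non-Commercial Entity",
}

# Placeholder strings that mean "no value" rather than a registration number
# or date. Compared after trimming and lower-casing; extend as new ones appear.
PLACEHOLDERS = {
    "", "n/a", "n.a.", "na", "none", "null", "nil", "-", "--",
    "not applicable", "not available", "unknown", "tbd",
}

# Text carried in serialNumber by a Government Entity that has neither a
# registration number nor a date of creation.
GOVERNMENT_ENTITY_TEXT = "Government Entity"


def _norm(value):
    """Collapse whitespace and lower-case a value for placeholder comparison."""
    return re.sub(r"\s+", " ", (value or "").strip()).lower()


def check_ev_subject(subject):
    """Return a list of findings for the EV Subject attributes in `subject`
    (a dict of attribute name -> string value, e.g. the Organisation template
    that will overwrite the CSR). An empty list means the fields are consistent."""
    findings = []
    category = subject.get("businessCategory")
    serial = subject.get("serialNumber")
    country = subject.get("jurisdictionCountryName")

    if category not in EV_BUSINESS_CATEGORIES:
        findings.append(f"businessCategory: {category!r} is not an EVG 9.2.4 value")

    if serial is None:
        findings.append("serialNumber: attribute is absent")
    elif _norm(serial) in PLACEHOLDERS:
        findings.append(f"serialNumber: {serial!r} is a placeholder, not a "
                        "registration number, date of creation or permitted text")
    elif category == "Government Entity":
        # Either a real number/date, or exactly the text "Government Entity".
        if not re.search(r"\d", serial) and _norm(serial) != _norm(GOVERNMENT_ENTITY_TEXT):
            findings.append(f"serialNumber: {serial!r} is neither a registration "
                            f"number/date nor the text {GOVERNMENT_ENTITY_TEXT!r}")
    elif not re.search(r"\d", serial):
        # Heuristic (an assumption of this example): registration numbers and
        # dates contain at least one digit, so all-letter text outside the
        # Government Entity category is almost certainly a template error.
        findings.append(f"serialNumber: {serial!r} contains no digits; only a "
                        "Government Entity may carry descriptive text here")

    if country is None:
        findings.append("jurisdictionCountryName: attribute is absent")
    elif not re.fullmatch(r"[A-Z]{2}", country):
        findings.append(f"jurisdictionCountryName: {country!r} is not a two-letter "
                        "upper-case ISO 3166-1 country code")
    return findings


# Constructed sample templates (not data from the report).
MISISSUED_TEMPLATE = {
    "businessCategory": "Government Entity",
    "serialNumber": "N/A",
    "jurisdictionCountryName": "GB",
}
CORRECTED_TEMPLATE = dict(MISISSUED_TEMPLATE, serialNumber="Government Entity")

if __name__ == "__main__":
    for name, tmpl in (("misissued", MISISSUED_TEMPLATE), ("corrected", CORRECTED_TEMPLATE)):
        print(name, check_ev_subject(tmpl) or "OK")
```

Run against the template before it is applied to a CSR, the first sample returns one finding for the “N/A” placeholder and the corrected sample returns none. The denylist is deliberately small; it does not try to enumerate every valid registration-number format, which is the difficulty the report describes, only the handful of strings that are never valid.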
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
This is the first time this form of EV error has been identified at QuoVadis. We have restated the related EV training for the limited number of administrators who are able to edit Organisation detail templates in our certificate management system. In addition, with access to the greater Validation and Standards resources of DigiCert, we have an ongoing programme to improve our validation documentation and training.