Open Bug 1576283 Opened 2 months ago Updated 6 days ago

QuoVadis: N/A in EV serialNumber field

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: s.davidson, Assigned: s.davidson)

Details

(Whiteboard: [ca-compliance])

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

QuoVadis was notified by a security researcher by email to our compliance@quovadisglobal.com email address.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

8/19/2019 02:22 GMT QuoVadis received notification by email from security researcher
8/19/2019 12:00 GMT QuoVadis acknowledges receipt to security researcher
8/19/2019 12:30 GMT QuoVadis support researches case, contacts customer to commence revocation. Customer expresses concerns as several certificates are involved in high priority systems such as emergency/ambulance dispatch. A schedule is agreed to stagger revocations over the week.
8/20/2019 11:30 GMT QuoVadis support has ongoing communications with customer, confirming 7 of the 33 certificates revoked and replaced.
8/22/2019 12:30 GMT Confirming 26 of the 32 certificates revoked and replaced, adhering to the agreed schedule to date.
8/23/2019 17:00 GMT Confirmed all 32 certificates have been revoked.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

QuoVadis made a search to ensure no other certificates were created with this issue in the EV serialNumber field, nor similar issues in the related EV businessCategory and jurisdictionCountryName fields.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

QuoVadis issued 32 certificates to a single customer with “N/A” in the EV serialNumber field. As the certificate holder is a Government Entity for which a registration number or date of creation is not available, the correct entry should have been a repetition of the content “Government Entity” which is also in the EV businessCategory field for the certificates.

The certificates were issued between 1/28/2019 and 6/11/2019.

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

https://crt.sh/?q=004b880db2de91d014ec1a4fa811902855f92ef0bb431efe4fd79b5e1ae90ea5
https://crt.sh/?q=06c6a322936845323c20735e9d1bce633a01bd30a07673141c755e7f9d6457f1
https://crt.sh/?q=0c0bc4fed6186889764ea245e8ef0571b9b9ff47d2d389620d8496b135f99ef8
https://crt.sh/?q=13e81d1c63a1d812624b9aa7822123e17202c0b8bfb94d084ffbfbc41f322528
https://crt.sh/?q=21242e318265f2e31765b7000d38ba59aa7efa242149609bf173e757f537689e
https://crt.sh/?q=2fb4b31cf012fd1dc9108180afa7cfb4e5e699db399054ec4b4b2eaefbe83388
https://crt.sh/?q=3da3652f2d6617ed09672ba79287355ab271b7dea81d901922aca39eacd83d24
https://crt.sh/?q=3f3803b0dcf46dca250df9715e21153ebf37f0adc64a4493f1f42c72a09808dc
https://crt.sh/?q=3f3a951c6bca4a0a57d7729e627a10f95f53ba3ed3b2a58fa368b06c5b9ba67a
https://crt.sh/?q=4448fc2e67d4aa842eda3f79951a8073c792d8e6f742a1ae187bc14ecd8f6ed0
https://crt.sh/?q=4fb4c1a9abbcc6525c6ef2680024817ebff0e26501bb92a89c93d7db1d1b1dee
https://crt.sh/?q=55f1478f93c91901e5f412b661ad408a1f038800b41f21525d6e07757f1e027b
https://crt.sh/?q=5b5d6e38ca117ca747e1bcb920f344855884aaf6a587520fa236e0acb129bfa6
https://crt.sh/?q=685b6f5638b6047f12fc60b8da74b58bfeb9d7085de787985d334e4d591896e7
https://crt.sh/?q=6c94d88e47476e336d2d83fdb26f83d23c7cb05c24bad46dcbb59178c058ae54
https://crt.sh/?q=6d0788fee8a59576370451d8e4420102e6ca7ab5309f956c081051988889013d
https://crt.sh/?q=7909a597430fc11ac9b0cea515384b4c4e27f31d83c67dffd755579ee21f451b
https://crt.sh/?q=845e50a4e591c61ddb544b7016d6e67d2044ec3f90773b05be00a65cb3099b25
https://crt.sh/?q=879045ba8507cbab44fdb22dd2c736cad370b752f9c94910146c4b868083d11e
https://crt.sh/?q=8d2f2df85bc992e7eeca428dd165b4aff27fb3ec23d70b98de25e552211732ba
https://crt.sh/?q=9706534626e9d8ef681e54ff77d58626a924e46652863178f9b37775d3ebab51
https://crt.sh/?q=9a4b88477f2de2f65e4377475b7d4f48ad5d32f24b47a7e8567e0b28598353f6
https://crt.sh/?q=a772ed5be5e6b06d8d6d4bdad506cacee3f25d74594e0c981e6a643c037ca991
https://crt.sh/?q=b6ec799eeb6eba33c9c969193c93813643ede38f93cc1c2f4a05a356d736221b
https://crt.sh/?q=b71458665fae4af9aa785525a2992817210a32ac6eaa2083f9eaa5602cbc8c2b
https://crt.sh/?q=c07b35fae1901cc70468554554a02327ced0d2dc10a58e9f2cde1860d2df5e6b
https://crt.sh/?q=c4777c18431dbd3d99eccbe3754d5b68483141781118841baf49c4cd26486943
https://crt.sh/?q=c85bffb638eb0437884a4b2c9d742272ce94f3d5a53a60d81b2c08688b999a34
https://crt.sh/?q=da49d67b531facecd3b05ea95a9e0d1f8631a2fa6b6a065c0cfe57414f1713ca
https://crt.sh/?q=e2d53ee21a39a3289b6a8f5898687e6c7045feac5a9adcf53db0151d7a8ba40d
https://crt.sh/?q=e48ffb5a6a1a4ffe41d25c2f3e5c0557c10f6088d48edda9e52d253938262312
https://crt.sh/?q=f039c6f9df61c4affa8ff1dac6d23e1f95fbcd6533f226289fdf771603cb0a8d

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The mistake was introduced by an RA employee, and not picked up in second authorisation as the reviewer mistakenly believed that the “Government Entity” content already in the EV businessCategory field fulfilled the EVG 9.2.5 requirement. As we use a fixed template (tied to the EVG re-use periods) to overwrite content submitted in CSRs, the error was repeated across multiple certificates.

In our certificate management system, the EV serialNumber field is free form due to the wide range of numbers, dates, and text that may be used to properly complete the field.

At this time, we do not believe that trapping for errors in that field such as “N/A” is effective given the range of possible options.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

This is the first time this form of EV error has been identified at QV. We have restated the related EV training for the limited number of administrators enabled to edit Organisation detail templates in our certificate management system. In addition, with access to the greater Validation and Standards resources of DigiCert, we have an ongoing program to improve our validation documentation and training.

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Assignee: wthayer → s.davidson
Type: defect → task
Whiteboard: [ca-compliance]

Hi Wayne, is there anything else required or can this be closed?
Many thanks, Stephen

Stephen: similar to bug #1581234 and the recent spate of "some state" bugs, I'd like to know if any consideration has been given to technical controls that would eliminate this class of errors (across all subject fields), or at least provide more assurance than "more training"?

Flags: needinfo?(s.davidson)

Hi Wayne: We have implemented picklists and rules in other subject fields, but had been hesitant to narrow options in this field given the wide range of formats/text that may need to appear in the serialNumber. I had not viewed this as high risk given this single occurrence of the issue, however we will now move ahead to implement similar filters here as we have used in the OU field to prevent a variety of null entries.

Flags: needinfo?(s.davidson)
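The technical control discussed in this thread, a pre-issuance filter that rejects null entries in the EV serialNumber field and checks the related businessCategory and jurisdictionCountryName fields, can be sketched as a lint that runs over the organisation templates before they overwrite CSR content. The following is an added example written for this page; it is not QuoVadis or DigiCert code. It assumes the RA system can hand it a dict of subject attributes per template (field names as used in the EV Guidelines), the placeholder denylist is constructed here, the four businessCategory values are those of EVG 9.2.4, and the "no digits and not the literal 'Government Entity'" rule is a review heuristic, not a guideline requirement.

```python
"""Pre-issuance lint for EV subject fields (added example, not the CA's code)."""
import re

# The four businessCategory values defined in EVG 9.2.4 (a picklist, not free text).
BUSINESS_CATEGORIES = {
    "Private Organization",
    "Government Entity",
    "Business Entity",
    "Non-Commercial Entity",
}

# Constructed denylist of strings an operator types when there is nothing to enter.
NULL_TOKENS = {
    "", "n/a", "na", "n.a.", "none", "null", "nil", "tbd", "tba",
    "unknown", "not applicable", "not available", "-", "--", "x", "xx",
}


def is_null_like(value):
    """True when the value reads as 'nothing entered' rather than real data."""
    v = " ".join((value or "").split()).lower()
    if v in NULL_TOKENS:
        return True
    # Only punctuation, underscores or whitespace, e.g. "...", "___", "- -".
    return re.fullmatch(r"[\W_]*", v) is not None


def lint_ev_subject(subject):
    """Return a list of 'field: problem' findings for one EV subject (empty == pass).

    `subject` is a dict keyed by the EVG attribute names (businessCategory,
    serialNumber, jurisdictionCountryName); extracting it from the template
    or CSR is outside this example.
    """
    findings = []
    category = (subject.get("businessCategory") or "").strip()
    serial = (subject.get("serialNumber") or "").strip()
    jurisdiction = (subject.get("jurisdictionCountryName") or "").strip()

    if category not in BUSINESS_CATEGORIES:
        findings.append(f"businessCategory: {category!r} is not an EVG 9.2.4 value")

    if is_null_like(serial):
        findings.append(
            f"serialNumber: {serial!r} is a null/placeholder value; EVG 9.2.5 "
            "requires a registration number, a date of creation, or the literal "
            "'Government Entity'"
        )
    elif (category == "Government Entity" and serial != "Government Entity"
          and not re.search(r"\d", serial)):
        # Heuristic (assumption, not a guideline rule): a government entity's
        # serialNumber is a registration number, a date, or the literal
        # "Government Entity". Free text with no digit is none of these, so it
        # goes to manual review instead of issuance.
        findings.append(
            f"serialNumber: {serial!r} for a Government Entity is neither numeric, "
            "a date, nor the literal 'Government Entity'; needs manual review"
        )

    if not re.fullmatch(r"[A-Z]{2}", jurisdiction):
        findings.append(
            f"jurisdictionCountryName: {jurisdiction!r} is not a two-letter "
            "ISO 3166-1 country code"
        )
    return findings


def lint_templates(templates):
    """Lint every organisation template; returns {template_id: findings} for the
    failing ones, so a reviewer sees every certificate a template would stamp."""
    failing = {}
    for tid, subject in templates.items():
        findings = lint_ev_subject(subject)
        if findings:
            failing[tid] = findings
    return failing


# Constructed sample templates: the first reproduces the error in this bug,
# the second is the corrected entry, the last has several problems at once.
SAMPLE_TEMPLATES = {
    "gov-dispatch-bad": {
        "businessCategory": "Government Entity",
        "serialNumber": "N/A",
        "jurisdictionCountryName": "GB",
    },
    "gov-dispatch-fixed": {
        "businessCategory": "Government Entity",
        "serialNumber": "Government Entity",
        "jurisdictionCountryName": "GB",
    },
    "private-org": {
        "businessCategory": "Private Organization",
        "serialNumber": "12345678",
        "jurisdictionCountryName": "GB",
    },
    "mangled": {
        "businessCategory": "Govt",
        "serialNumber": "-",
        "jurisdictionCountryName": "uk",
    },
}

if __name__ == "__main__":
    for tid, findings in lint_templates(SAMPLE_TEMPLATES).items():
        print(tid)
        for finding in findings:
            print("  -", finding)
```

Running the lint over templates rather than individual requests matters here: because one template overwrites the CSR content for every certificate issued under it, a single placeholder in the template produces the same defect in every certificate, which is how one entry became 32 mis-issued certificates.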