Closed Bug 1576283 Opened 2 years ago Closed 2 years ago

QuoVadis: N/A in EV serialNumber field


(NSS :: CA Certificate Compliance, task)

Not set


(Not tracked)



(Reporter: stephen.davidson, Assigned: stephen.davidson)


(Whiteboard: [ca-compliance])

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in, a Bugzilla bug, or internal self-audit), and the time and date.

QuoVadis was notified by a security researcher by email to our email address.

  1. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

8/19/2019 02:22 GMT QuoVadis received notification by email from security researcher
8/19/2019 12:00 GMT QuoVadis acknowledges receipt to security researcher
8/19/2019 12:30 GMT QuoVadis support researches case, contacts customer to commence revocation. Customer expresses concerns as several certificates are involved in high priority systems such as emergency/ambulance dispatch. A schedule is agreed to stagger revocations over the week.
8/20/2019 11:30 GMT QuoVadis support has ongoing communications with customer, confirming 7 of the 33 certificates revoked and replaced.
8/22/2019 12:30 GMT Confirming 26 of the 32 certificates revoked and replaced, adhering to the agreed schedule to date.
8/23/2019 17:00 GMT Confirmed all 32 certificates have been revoked.

  1. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

QuoVadis made a search to ensure no other certificates were created with this issue in the EV serialNumber field, nor similar issues in the related EV businessCategory and jurisdictionCountryName fields.

  1. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

QuoVadis issued 32 certificates to a single customer with “N/A” in the EV serialNumber field. As the certificate holder is a Government Entity for which a registration number or date of creation is not available, the correct entry should have been a repetition of the content “Government Entity” which is also in the EV businessCategory field for the certificates.

The certificates were issued between 1/28/2019 and 6/11/2019.

  1. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

  1. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The mistake was introduced by an RA employee, and not picked up in second authorisation as the reviewer mistakenly believed that the “Government Entity” content already in the EV businessCategory field fulfilled the EVG 9.2.5 requirement. As we use a fixed template (tied to the EVG re-use periods) to overwrite content submitted in CSRs, the error was repeated across multiple certificates.

In our certificate management system, the EV serialNumber field is free form due to the wide range of numbers, dates, and text that may be used to properly complete the field.

At this time, we do not believe that trapping for errors in that field such as “N/A” is effective given the range of possible options.

  1. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

This is the first time this form of EV error has been identified at QV. We have restated the related EV training for the limited number of administrators enabled to edit Organisation detail templates in our certificate management system. In addition, with access to the greater Validation and Standards resources of DigiCert, we have an ongoing program to improve our validation documentation and training.

Ever confirmed: true
Assignee: wthayer → s.davidson
Type: defect → task
Whiteboard: [ca-compliance]

Hi Wayne, is there anything else required or can this be closed?
Many thanks, Stephen

Stephen: similar to bug #1581234 and the recent spate of "some state" bugs, I'd like to know if any consideration has been given to technical controls that would eliminate this class of errors (across all subject fields), or at least provide more assurance than "more training"?

Flags: needinfo?(s.davidson)

Hi Wayne: We have implemented picklists and rules in other subject fields, but had been hesitant to narrow options in this field given the wide range of formats/text that may need to appear in the serialNumber. I had not viewed this as high risk given this single occurrence of the issue, however we will now move ahead to implement similar filters here as we have used in the OU field to prevent a variety of null entries.

Flags: needinfo?(s.davidson)

Hi Wayne: This implementation will proceed when another large project is completed on our certificate management system. We estimate being able to return to this within 30 days. In the meantime, we have conferred with DigiCert to make sure our approach is consistent with theirs. We will update the bug when more information is available on delivery date.

Can you explain what that other large project is?

This helps provide transparency about what the priorities are and helps build confidence in QuoVadis' management's prioritization.

Flags: needinfo?(s.davidson)

Hi Ryan: The other project implements improvements to our automated email control verification for non-TLS certificates, in part drawing upon our experience with BR automated domain validation.

Flags: needinfo?(s.davidson)

Hi Ryan: The email control verification upgrades are nearing completion, so we anticipate being able to provide an implementation date for this "N/A" bug, among other improvements, by next week.

Due to seasonal code freeze, this will be implemented alongside other improvements to our certificate management system by mid January. It will include filters for the following possible entries in the EV serialNumber field.

None Given
Not Applicable
Whiteboard: [ca-compliance] → [ca-compliance] - Next Update - 15-January 2020

This was introduced into our production systems on 13 Jan 2020.
We request that this bug be closed.

It appears that all questions have been answered and remediation is complete.

Closed: 2 years ago
Resolution: --- → FIXED
Whiteboard: [ca-compliance] - Next Update - 15-January 2020 → [ca-compliance]
You need to log in before you can comment on or make changes to this bug.