- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
We are aware of the “DigiCert JOI issue” described in https://bugzilla.mozilla.org/show_bug.cgi?id=1576013.
Although we await the results of DigiCert’s own investigations into QuoVadis’ issuance using their tools, QuoVadis proactively commenced our own reviews specifically related to the EV jurisdictionStateOrProvinceName. We have identified 413 certificates in an initial batch.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
29 Aug: QV becomes involved in DigiCert JOI effort
30 Aug: QV begins preemptive investigation
3 Sept: QV clean-up of templates commences
7 Sept: Batch 1 customers informed
12 Sept: Batch 1 revocations
- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
QuoVadis has clarified our validation procedures to rely upon only ISO 3166-2 and other Government-provided references for subdivision entries.
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
Certificates included abbreviations in the jurisdictionStateOrProvinceName. Although only a small subset of pre-approved templates in our certificate management system was affected, some abbreviations had been in place for up to two years.
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
See attachment “EV JOI revocations batch 1”. In addition to our own analysis, we have now received DigiCert’s scan of our issuance using their tools. We are sorting that into batches by issue type for review; as such, additional certificates may be added to this disclosure at a later date. We are posting this interim report to demonstrate our positive steps towards remaining compliant. We’ll provide an update on or before 20 Sept.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
Our standards for geographic names included “local usage” such as Zuerich for Zürich, St. Gallen for Sankt Gallen, etc. Due to the preference to use ISO 3166-2 “code elements” rather than full names in some countries for subdivisions, such as SG for St. Gallen, their use crept into a small subset of our pre-approved templates.
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
In some cases, Government departments may use different geographic names than those on the official list of subdivisions for their country, particularly where administrative boundaries may have changed.
We have carried out a multiple-reviewer manual review of the jurisdictionStateOrProvinceName and StateOrProvinceName input used in our pre-approved templates against ISO 3166-2 and other official Government subdivision references, making corrections and consistency improvements. These references will be used by our RAs creating new templates going forward. This is still a manual process; however, QuoVadis operates primarily as an enterprise rather than retail issuer. QuoVadis will eventually integrate platforms and tools from DigiCert; we cannot provide dates at this time.
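As an added example (not part of QuoVadis’ report or of DigiCert’s tooling), the following Python check illustrates the kind of automated lint the revised procedure calls for: it compares the EV jurisdictionStateOrProvinceName in a decoded Subject against official ISO 3166-2 subdivision names and flags code elements such as “SG” and local-usage spellings such as “Zuerich” or “St. Gallen”. The ISO 3166-2 table is a constructed excerpt for Switzerland only, and the fold() heuristic and the status labels are assumptions of this example.

```python
"""Lint the EV jurisdictionStateOrProvinceName of a decoded certificate
Subject against ISO 3166-2 subdivision names (added example code)."""
import difflib
import unicodedata

# EV Guidelines jurisdiction-of-incorporation attribute OIDs in the Subject.
OID_JOI_STATE = "1.3.6.1.4.1.311.60.2.1.2"
OID_JOI_COUNTRY = "1.3.6.1.4.1.311.60.2.1.3"

# Constructed excerpt of ISO 3166-2 (country -> code element -> official
# subdivision name). A production check loads the complete, current list.
ISO_3166_2 = {
    "CH": {"BE": "Bern", "GE": "Genève", "SG": "Sankt Gallen",
           "TI": "Ticino", "VD": "Vaud", "ZH": "Zürich"},
}


def fold(name):
    """Lower-case, strip diacritics and collapse German 'ue/oe/ae' spellings
    so that 'Zürich' and 'Zuerich' both compare as 'zurich' (heuristic)."""
    s = unicodedata.normalize("NFKD", name.strip().lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    return s.replace("ue", "u").replace("oe", "o").replace("ae", "a")


def check_joi_subdivision(subject):
    """subject: list of (oid, value) pairs as decoded from a cert Subject.
    Returns (status, detail) with status one of:
      'ok' (official name), 'code-element' (e.g. 'SG'; detail is the name
      to use), 'not-official' (local-usage spelling; detail is the closest
      official name or None), 'no-reference' (no table for that country),
      'absent' (no JOI subdivision asserted, nothing to check)."""
    attrs = dict(subject)
    country, state = attrs.get(OID_JOI_COUNTRY), attrs.get(OID_JOI_STATE)
    if state is None:
        return "absent", None
    table = ISO_3166_2.get((country or "").upper())
    if table is None:
        return "no-reference", country
    value = unicodedata.normalize("NFC", state.strip())
    if value in table.values():
        return "ok", value
    if value.upper() in table:           # abbreviation instead of full name
        return "code-element", table[value.upper()]
    # Local-usage spelling: suggest the closest official name, if any.
    folded = {fold(n): n for n in table.values()}
    close = difflib.get_close_matches(fold(value), folded, n=1, cutoff=0.6)
    return "not-official", (folded[close[0]] if close else None)
```

The same function can be run over the Subject of every EV certificate a CA has issued, with 'code-element' and 'not-official' results feeding the batch review described above.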