Closed Bug 1590723 Opened 6 months ago Closed 3 months ago

Consorci AOC : Misissued certificates: commonName:organizationIdentifier attribute inclusion not conforming CABForum guidelines 1.6.9

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: fferre, Assigned: fferre)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36

Steps to reproduce:

Issue SSL certificates with commonName:organizationIdentifier attribute inclusion not conforming to CABForum guidelines 1.6.9

Actual results:

19 certificates issued under the EV Guidelines, included in the validity period of version 1.6.9, incorrectly contained the subject:organizationIdentifier attribute.

Expected results:

Cabforum guidelines compliance

In the last internal audit of SSL certificates carried out quarterly by Consorci AOC, it was detected that 19 certificates issued under the EV Guidelines, included in the validity period of version 1.6.9, incorrectly contained the subject:organizationIdentifier attribute.

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
    Consorci AOC undertakes quarterly internal audits. This problem was identified with the audit report for the 2nd quarter of 2019, on 2019-10-09.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
    Consorci AOC has carried out several actions:

  • 2019-10-11 - Identified the applicable versions of the EV Guidelines and the affected certificates.
  • 2019-10-16 - Planned the revocation of affected certificates.
  • 2019-10-23 - Publicly notified this issue on Bugzilla through this incident report.
  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
    As of version 1.7.0 of the EV Guidelines it is mandatory to include the subject:organizationIdentifier attribute. Therefore the scope of this incident has been very limited, only applicable between April 16, 2019 and June 20, 2019.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
    There are 19 certificates affected, issued between April 24, 2019 and June 18, 2019.

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
    https://crt.sh/?id=1467176823
    https://crt.sh/?id=1497323995
    https://crt.sh/?id=1423735313
    https://crt.sh/?id=1521224338
    https://crt.sh/?id=1484812047
    https://crt.sh/?id=1437343826
    https://crt.sh/?id=1480946806
    https://crt.sh/?id=1573687539
    https://crt.sh/?id=1518128850
    https://crt.sh/?id=1505385009
    https://crt.sh/?id=1517756451
    https://crt.sh/?id=1544675291
    https://crt.sh/?id=1544676229
    https://crt.sh/?id=1602634205
    https://crt.sh/?id=1573601611
    https://crt.sh/?id=1548804666
    https://crt.sh/?id=1572985042
    https://crt.sh/?id=1606320349
    https://crt.sh/?id=1707882625

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

Versions prior to 1.6.9 of the EV Guidelines did not clarify whether it was possible to have the subject:organizationIdentifier attribute. Because of similarity with other profiles, all certificates issued during this period had this attribute. In the 2-month period in which version 1.6.9 came into force, 19 certificates with the attribute were issued. It should be noted that in the later version, version 1.7.0, the attribute subject:organizationIdentifier is mandatory.
The detection was made during the internal audit of SSL certificates corresponding to the 2nd quarter of 2019.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

It should be noted that the Consorci AOC will cease issuing new SSL certificates by the end of 2019. This fact was communicated to Mozilla in the past.
With this in mind, the revocation of the 19 affected certificates will be carried out gradually, with the renewal of all affected certificates planned to be completed by mid-November.

Assignee: wthayer → fferre
Type: enhancement → task
Whiteboard: [ca-compliance]
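The check that would have caught this earlier than a quarterly audit is a lint over the subject of each EV certificate at issuance time. The script below is an added example, not code from the report or from Consorci AOC's systems. It parses a DER-encoded X.509 Name with the standard library only, lists the attribute OIDs it contains, and flags subject:organizationIdentifier (OID 2.5.4.97) against the EV Guidelines version in force on the issuance date. The 1.6.9 window (April 16, 2019 to June 20, 2019) is taken from the report; treating June 20, 2019 as the date from which 1.7.0 applies is an assumption derived from that window, and the sample subject and its organizationIdentifier value are constructed for the demonstration.

```python
# Added example (not from the Bugzilla report). Stdlib-only lint for
# subject:organizationIdentifier (OID 2.5.4.97) in an EV certificate subject.
from datetime import date

OID_COMMON_NAME = "2.5.4.3"
OID_ORGANIZATION = "2.5.4.10"
OID_ORGANIZATION_IDENTIFIER = "2.5.4.97"

EVG_169_START = date(2019, 4, 16)  # from the report: start of the 1.6.9 window
EVG_170_START = date(2019, 6, 20)  # assumption: 1.7.0 applies from the window's end


def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_name(attrs):
    """Build a DER Name: SEQUENCE of single-attribute SETs with UTF8String values."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, encode_oid(oid) + _tlv(0x0C, value.encode("utf-8"))))
        for oid, value in attrs
    )
    return _tlv(0x30, rdns)


def _read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def subject_attributes(name_der):
    """Return [(oid, value)] for every AttributeTypeAndValue in a DER Name."""
    tag, rdn_seq, _ = _read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(rdn_seq):
        set_tag, rdn, pos = _read_tlv(rdn_seq, pos)
        if set_tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        rpos = 0
        while rpos < len(rdn):
            _, atv, rpos = _read_tlv(rdn, rpos)
            _, oid_body, vpos = _read_tlv(atv, 0)
            _, value_body, _ = _read_tlv(atv, vpos)
            attrs.append((decode_oid(oid_body), value_body.decode("utf-8", "replace")))
    return attrs


def check_ev_subject(name_der, not_before):
    """Return (has_organization_identifier, compliant) for an EV subject."""
    has_org_id = any(oid == OID_ORGANIZATION_IDENTIFIER for oid, _ in subject_attributes(name_der))
    if EVG_169_START <= not_before < EVG_170_START:
        return has_org_id, not has_org_id  # 1.6.9: attribute not permitted
    if not_before >= EVG_170_START:
        return has_org_id, has_org_id      # 1.7.0: attribute mandatory
    return has_org_id, True                # earlier versions: not addressed, treated as permitted


if __name__ == "__main__":
    # Constructed sample subject; the organizationIdentifier value is made up.
    subject = encode_name([
        (OID_COMMON_NAME, "www.example.test"),
        (OID_ORGANIZATION, "Example Organisation"),
        (OID_ORGANIZATION_IDENTIFIER, "VATES-A00000000"),
    ])
    for issued in (date(2019, 5, 10), date(2019, 7, 1)):
        print(issued, check_ev_subject(subject, issued))
```

Run as a pre-issuance gate, the same subject is rejected on 2019-05-10 and accepted on 2019-07-01, which is exactly the flip that caused the 19 misissuances here: a profile that was correct before and after the 1.6.9 window was wrong inside it, and only a date-aware check catches that. The parser handles multi-valued RDNs and long-form lengths but deliberately accepts only UTF8String values; extend `_read_tlv` tag handling if PrintableString subjects must be linted too.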

The 19 affected certificates have been revoked.

Thank you,

It appears that all questions have been answered and remediation is complete.

Status: UNCONFIRMED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED