In the latest of the quarterly internal audits of SSL certificates carried out by Consorci AOC, it was detected that 19 certificates issued under the EV Guidelines, within the validity period of version 1.6.9, incorrectly contained the subject:organizationIdentifier attribute.
How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
Consorci AOC undertakes quarterly internal audits. This problem was identified with the audit report for the 2nd quarter of 2019, on 2019-10-09.
A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
Consorci AOC has carried out several actions:
- 2019-10-11 - Identified the applicable versions of the EV Guidelines and the affected certificates.
- 2019-10-16 - Planned the revocation of the affected certificates.
- 2019-10-23 - Publicly reported this issue on Bugzilla through this incident report.
Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
As of version 1.7.0 of the EV Guidelines it is mandatory to include the subject:organizationIdentifier attribute. Therefore the scope of this incident is very limited, applying only to certificates issued between April 16, 2019 and June 20, 2019.
A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
There are 19 certificates affected, issued between April 24, 2019 and June 18, 2019.
The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
Versions of the EV Guidelines prior to 1.6.9 did not clarify whether the subject:organizationIdentifier attribute was permitted. Because of its similarity with other certificate profiles, all certificates issued during that period carried the attribute. In the two-month period during which version 1.6.9 was in force, 19 certificates with the attribute were issued. It should be noted that in the subsequent version, 1.7.0, the subject:organizationIdentifier attribute is mandatory.
The detection was made during the internal audit of SSL certificates corresponding to the 2nd quarter of 2019.
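An audit check in the spirit of the quarterly review described above, as an added example that is not Consorci AOC's code: it walks a DER-encoded subject Name, lists its attribute OIDs, and flags a certificate whose notBefore falls inside the 1.6.9 window (April 16 to June 20, 2019, per this report) and whose subject carries organizationIdentifier (OID 2.5.4.97). The DER helpers, the sample subjects and the placeholder identifier value are assumptions constructed for the example.

```python
from datetime import date

# Added example, not Consorci AOC code; the window is the 1.6.9 validity period from the report.
ORG_ID_OID = "2.5.4.97"                                  # X.520 organizationIdentifier
EVG_169_START, EVG_169_END = date(2019, 4, 16), date(2019, 6, 20)

def _read_tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value, next position); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                                   # base-128 arcs, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def subject_oids(name_der):
    """Attribute OIDs of a DER Name: SEQUENCE { SET { SEQUENCE { OID, value } } }."""
    _, rdn_seq, _ = _read_tlv(name_der, 0)
    return [_decode_oid(next(_children(atv))[1])
            for _, rdn in _children(rdn_seq) for _, atv in _children(rdn)]

def flag_ev_cert(name_der, not_before):
    """True when a cert issued inside the 1.6.9 window carries organizationIdentifier."""
    return EVG_169_START <= not_before <= EVG_169_END and ORG_ID_OID in subject_oids(name_der)

# Constructed sample subjects (not real certificates) to exercise the check.
_tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short-form length only
_oid = lambda *a: _tlv(0x06, bytes([40 * a[0] + a[1], *a[2:]]))  # arcs < 128 only
_atv = lambda oid, v: _tlv(0x30, oid + _tlv(0x0C, v.encode()))  # AttributeTypeAndValue

def sample_subject(with_org_id):
    rdns = [_tlv(0x31, _atv(_oid(2, 5, 4, 6), "ES")), _tlv(0x31, _atv(_oid(2, 5, 4, 10), "Example Org"))]
    if with_org_id:                                      # placeholder identifier value
        rdns.append(_tlv(0x31, _atv(_oid(2, 5, 4, 97), "VATES-X0000000X")))
    return _tlv(0x30, b"".join(rdns))
```

Run against the subject Names of all EV certificates issued in the window, the check reproduces the audit finding; certificates outside the window or without the attribute are not flagged.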
List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
It should be noted that the Consorci AOC will cease issuing new SSL certificates by the end of 2019. This fact was communicated to Mozilla in the past.
With this in mind, the revocation of the 19 affected certificates will be carried out gradually, with the renewal of all affected certificates planned to be completed by mid-November.