Consorci AOC: Misissued certificates: commonName:organizationIdentifier attribute inclusion not conforming CABForum guidelines 1.6.9
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: fferre, Assigned: fferre)
Details
(Whiteboard: [ca-compliance] [ev-misissuance])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
Steps to reproduce:
Issue SSL certificates with commonName:organizationIdentifier attribute inclusion not conforming CABForum guidelines 1.6.9
Actual results:
19 certificates issued under the EV Guidelines, included in the validity period of version 1.6.9, incorrectly contained the subject:organizationIdentifier attribute.
Expected results:
Cabforum guidelines compliance
Assignee | ||
Comment 1•5 years ago
|
||
In the last internal audit of SSL certificates carried out quarterly by Consorci AOC, it was detected that 19 certificates issued under the EV Guidelines, included in the validity period of version 1.6.9, incorrectly contained the subject:organizationIdentifier attribute.
-
How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
Consorci AOC undertakes quarterly internal audits. This problem was identified with the audit report for the 2nd quarter of 2019, on 2019-10-09. -
A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
Consorci AOC has carried out several actions:
- 2019-10-11 - Identified the applicable versions of the EV Guidelines and the affected certificates.
- 2019-10-16 - Planified the revocation of affected certificates.
- 2019-10-23 - Publicly notified this issue to Bugzilla through this incident report.
-
Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
As of version 1.7.0 of the EV Guidelines it is mandatory to include the subject:organizationIdentifier attribute. Therefore the scope of this incidence has been very limited, only applicable between April 16, 2019 and June 20, 2019. -
A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
There are 19 certificates affected, issued between April 24, 2019 and June 18, 2019. -
The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
https://crt.sh/?id=1467176823
https://crt.sh/?id=1497323995
https://crt.sh/?id=1423735313
https://crt.sh/?id=1521224338
https://crt.sh/?id=1484812047
https://crt.sh/?id=1437343826
https://crt.sh/?id=1480946806
https://crt.sh/?id=1573687539
https://crt.sh/?id=1518128850
https://crt.sh/?id=1505385009
https://crt.sh/?id=1517756451
https://crt.sh/?id=1544675291
https://crt.sh/?id=1544676229
https://crt.sh/?id=1602634205
https://crt.sh/?id=1573601611
https://crt.sh/?id=1548804666
https://crt.sh/?id=1572985042
https://crt.sh/?id=1606320349
https://crt.sh/?id=1707882625 -
Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
Versions prior to 1.6.9 of the EV Guidelines did not clarify whether it was possible to have the subject:organizationIdentifier attribute. Because of similarity with other profiles, all certificates issued during this period had this attribute. In the 2-month period in which version 1.6.9 came into force, 19 certificates with the attribute were issued. It should be noted that in the later version, version 1.7.0, the attribute subject:organizationIdentifier is mandatory.
The detection was made during the internal audit of SSL certificates corresponding to the 2nd quarter of 2019.
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
It should be noted that the Consorci AOC will cease issuing new SSL certificates by the end of 2019. This fact was communicated to Mozilla in the past.
With this in mind, the revocation of the 19 affected certificates will be carried out gradually, with the renewal of all affected certificates planned to be completed by mid-November.
Updated•5 years ago
|
Assignee | ||
Comment 2•5 years ago
|
||
The 19 affected certificates have been revoked.
Thank you,
Comment 3•5 years ago
|
||
It appears that all questions have been answered and remediation is complete.
Updated•2 years ago
|
Updated•2 years ago
|
Updated•7 months ago
|
Description
•