Closed Bug 1590810 Opened 6 years ago Closed 5 years ago

Sectigo: EV SSL Certificates with incorrect businessCategory

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Robin.Alden, Assigned: Robin.Alden)

Details

(Whiteboard: [ca-compliance] [ev-misissuance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36

Actual results:

We received a report as follows:

<<<
I am a relying party who believes that there may have been a number of EV certs that have been improperly issued.
There have been a number of EV certs with businessCategory being "Non-Commercial Entity" despite not being intergovernmental organizations as specified by 8.5.5. of the CA/Browser Forum EV Guidelines.
I have listed a few certificates below that I believe will illustrate the issue.
https://crt.sh/?q=c070ad3cd3e1ff181cb0f5db2cfade684a05bcebf0bd6331e0d2610457722490
https://crt.sh/?q=9ffe2026846df53ff6b6b3ead2c67484c317ef55f3d56cb9240481824d65a804
https://crt.sh/?q=d0647b741746664319cabb0191f7b816f503105f5328b5ad323355db22844371
https://crt.sh/?q=dfedde45c0d4527c4c17c278edef85d48c2c6155e0554ec77012f3362d7a511b
If these were improperly issued, please report the incident as described
here: https://wiki.mozilla.org/CA/Responding_To_An_Incident
>>>

The report was received at 5:18pm BST on 22-Oct-2019.

Our initial determination is that the report is correct regarding these 4 certificates and we will work with the subscribers to revoke the certificates and issue replacements with correct subject details.

We will examine our body of previous issuance to determine whether there are other examples of the same mistake being made.
We believe that changes that we made to our 2nd approval validation step as a result of the response to Bug 1575022 will have already prevented this error from occurring in certificates issued recently. We will verify whether that is the case.

We will post a fuller incident response in this bug.

Assignee: wthayer → Robin.Alden
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance]
  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

At 5:18pm BST Oct 22, 2019 we received a report to our problem reporting email address as follows:

There have been a number of EV certs with businessCategory being "Non-Commercial Entity" despite not being intergovernmental organizations as specified by 8.5.5. of the CA/Browser Forum EV Guidelines.
I have listed a few certificates below that I believe will illustrate the issue.
https://crt.sh/?q=c070ad3cd3e1ff181cb0f5db2cfade684a05bcebf0bd6331e0d2610457722490
https://crt.sh/?q=9ffe2026846df53ff6b6b3ead2c67484c317ef55f3d56cb9240481824d65a804
https://crt.sh/?q=d0647b741746664319cabb0191f7b816f503105f5328b5ad323355db22844371
https://crt.sh/?q=dfedde45c0d4527c4c17c278edef85d48c2c6155e0554ec77012f3362d7a511b
If this was improperly issued, please report the incident as described
here: https://wiki.mozilla.org/CA/Responding_To_An_Incident

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

Time           Event
17:18 Oct 22   We received the original report.
Oct 22         We verified the report was accurate.
Oct 22         We verified that this problem was not still occurring.
Oct 23         We advised the subscribers that their certificates were affected and should be replaced, as they would be revoked.
16:53 Oct 23   We provided a preliminary response to the entity who filed the Certificate Problem Report.
17:10 Oct 23   We opened this bug.
Oct 23         An examination and reverification of the body of issued EV certificates with businessCategory "Non-Commercial Entity" was commenced.
Nov 01         We posted this report.
  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

We have stopped issuing certificates with this problem.

Although changes made to our 2nd approval validation step as a result of the response to Bug 1575022 had prevented this error from occurring in recently validated subjects, we had to put additional measures in place to ensure that no new certificates were issued with this problem as a result of the activity of EV Enterprise RAs.
The additional threat around the EV Enterprise RAs is that section 14.2.2 (paraphrasing) permits further EV certificates to be issued for the enterprise without the subject validation being repeated every time (limited by the 'Age of Validated Data' stipulations of 11.14.3) and without 2nd approval. The risk was that a previously mis-validated subject could have led to the issuance of a further certificate including the mis-validated subject even after we were aware of the issue and had reinforced our subject validation and 2nd approval processes.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

The problem here is that some EV certificate subjects incorrectly show a subject:businessCategory of 'Non-Commercial Entity'.
4 certificates were included in the problem report.
Of those 4, the earliest was issued on Feb 19, 2019, and the latest on Apr 4, 2019.

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

https://crt.sh/?id=1236367534
https://crt.sh/?id=1350019367
https://crt.sh/?id=1276339178
https://crt.sh/?id=1217769398

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

a) Some of our validation staff had a mistaken understanding of the nature of the 'Non-Commercial entity' as per section 8.5.5 of the EV Guidelines.

b) Our 2nd approval validators were not as effective as they should have been prior to the corrective steps discussed in https://bugzilla.mozilla.org/show_bug.cgi?id=1575022#c1

c) Self audit had not seen an example of the mistake. Non-Commercial Entities are in the small minority in our body of issued EV certificates, even including those mistakenly identified as such.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

a) For our staff having a mistaken understanding of the concept of Non-Commercial entities, the solution is training. Our training program had evidently not concentrated on this important area sufficiently.
We have revised the training material to expand upon the nature of Non-Commercial entities (as per EVGL 8.5.5) and to specifically call out the differences and the risk of confusion between Non-Commercial in the EVGL sense and Non-Profit or Charity.
We have undertaken remedial training on this issue with all of our validation staff.

b) We significantly reorganized our 2nd approval (aka “Final Cross-Correlation and Due Diligence”) teams as described in https://bugzilla.mozilla.org/show_bug.cgi?id=1575022#c1

c) We have under review whether and how to include additional non-randomly selected samples into our regular self audit process. We can include examples to provide greater scrutiny over issues, such as this, where subject validation mistakes have been made.
This is not really part of the EVGL-mandated self-audit, but points to the advantages of further and continuous self-audit and will probably run alongside the EVGL-mandated self audit.

d) We note that the EVGLs call out that "The CA/Browser Forum may publish a listing of Applicants who qualify as an International Organization for EV eligibility" and we like the idea. We will start to build a list of the Non-Commercial entities that we have encountered and will publish it as a starting point. I do not yet have a target publication date.

e) Our examination and reverification of the body of issued EV certificates with businessCategory "Non-Commercial Entity" is almost complete and we expect to publish the list on Sunday November 3rd.
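The re-examination described in (c) and (e) above starts with a mechanical step: pull out every issued EV certificate whose subject carries businessCategory "Non-Commercial Entity" so that a validator can re-check the entity against EVGL 8.5.5. The script below is an added example of that triage step; it is not Sectigo's tooling and not part of the original bug. It uses only the Python standard library: a minimal DER reader walks Certificate -> tbsCertificate -> subject and collects the subject attributes by OID (the X.520 OIDs used, such as 2.5.4.15 for businessCategory, are standard), and a minimal DER writer builds two constructed, unsigned sample certificates whose hostnames, organization names, serial number and signature bytes are made up for the demonstration. Note what the check can and cannot do: it surfaces candidates for review, but whether a given organization actually qualifies as a Non-Commercial Entity is the validation judgement that still has to be made by a person.

```python
# Self-audit triage (added example, not Sectigo's tooling): find issued
# certificates whose subject says businessCategory "Non-Commercial Entity".
OID_BUSINESS_CATEGORY, OID_ORGANIZATION_NAME, OID_COMMON_NAME = "2.5.4.15", "2.5.4.10", "2.5.4.3"
NON_COMMERCIAL = "Non-Commercial Entity"   # EV Guidelines value under review

# ---- minimal DER decoding (only what the subject walk needs) ----------
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Split a constructed element's body into (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):                        # DER OID content octets -> dotted-decimal text
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def subject_attributes(cert_der):
    """Return {oid: [values]} for the subject Name of a DER-encoded certificate."""
    _, cert_body, _ = der_read(cert_der)               # Certificate SEQUENCE
    _, tbs, _ = der_read(cert_body)                    # tbsCertificate SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    subject = fields[4][1]                              # serial, sigAlg, issuer, validity, subject
    attrs = {}
    for _, rdn in der_children(subject):                # RelativeDistinguishedName SET
        for _, atv in der_children(rdn):                # AttributeTypeAndValue SEQUENCE
            (_, oid_raw), (_, val_raw) = der_children(atv)
            attrs.setdefault(decode_oid(oid_raw), []).append(val_raw.decode("utf-8"))
    return attrs

def audit(certs):
    """Return [(label, organizationName)] for certs a validator must re-check."""
    flagged = []
    for label, der in certs.items():
        attrs = subject_attributes(der)
        if NON_COMMERCIAL in attrs.get(OID_BUSINESS_CATEGORY, []):
            flagged.append((label, attrs.get(OID_ORGANIZATION_NAME, ["?"])[0]))
    return flagged

# ---- minimal DER encoding, used only to construct the sample input ----
def der_write(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(text):
    arcs = [int(a) for a in text.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return out

def name(attrs):
    """X.501 Name: SEQUENCE of single-attribute SETs with UTF8String values."""
    rdns = b""
    for oid, value in attrs:
        atv = der_write(0x06, encode_oid(oid)) + der_write(0x0C, value.encode("utf-8"))
        rdns += der_write(0x31, der_write(0x30, atv))
    return der_write(0x30, rdns)

def sample_cert(subject_attrs):
    """Constructed certificate skeleton; key and signature bytes are dummies."""
    alg = der_write(0x30, der_write(0x06, encode_oid("1.2.840.113549.1.1.11")))  # sha256WithRSA
    validity = der_write(0x30, der_write(0x17, b"190219000000Z") + der_write(0x17, b"200219000000Z"))
    tbs = (der_write(0xA0, der_write(0x02, b"\x02")) + der_write(0x02, b"\x01") + alg   # v3, serial 1
           + name([(OID_COMMON_NAME, "Example EV CA")]) + validity + name(subject_attrs)
           + der_write(0x30, alg + der_write(0x03, b"\x00")))                          # dummy SPKI
    return der_write(0x30, der_write(0x30, tbs) + alg + der_write(0x03, b"\x00"))

SAMPLE_CERTS = {  # constructed: a charity wrongly marked Non-Commercial, and an ordinary company
    "cert-A": sample_cert([(OID_COMMON_NAME, "www.example.org"), (OID_ORGANIZATION_NAME, "Example Charity Ltd"),
                           (OID_BUSINESS_CATEGORY, NON_COMMERCIAL)]),
    "cert-B": sample_cert([(OID_COMMON_NAME, "www.example.com"), (OID_ORGANIZATION_NAME, "Example Corp"),
                           (OID_BUSINESS_CATEGORY, "Private Organization")]),
}
```

Calling audit(SAMPLE_CERTS) returns [("cert-A", "Example Charity Ltd")]: the charity is listed for re-verification, the company with businessCategory "Private Organization" is not. To run it over real issuance, replace SAMPLE_CERTS with a mapping of crt.sh ID or serial number to the DER bytes of each certificate; values encoded as PrintableString rather than UTF8String decode the same way since both are ASCII for these attributes.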

Here is the list of 109 EV SSL certificates that were issued with subject:businessCategory "Non-Commercial Entity" despite not being intergovernmental organizations as specified by 8.5.5. of the CA/Browser Forum EV Guidelines.

This same batch is also on the revocation checker, here.

No further actions are currently pending in response to this bug.

We are still tracking an activity to publish a list of Non Commercial entities, but I do not yet have a target publication date and I would suggest it should not prevent this bug being closed.

Robin: I think that a list of Non Commercial entities has merit, and I'd like to keep this bug open to track that idea. If Sectigo determines that it's not practical to publish such a list, please explain. If it's just a matter of time, please provide an estimate when available.

Flags: needinfo?(Robin.Alden)

In Bug 1599484, Entrust has indicated an interest in publishing a list as well.

We aim to have the list of Non Commercial Entities published by 9th February.
We did touch base with Entrust about the list before Christmas, but the task wasn't completed.
The result won't be a very big list, but it's worthwhile getting it out there.

Flags: needinfo?(Robin.Alden)
Whiteboard: [ca-compliance] → [ca-compliance] - 10-February 2020

Checking on status - let me know if there is anything I can help with.

Flags: needinfo?(Robin.Alden)
QA Contact: wthayer → bwilson
Whiteboard: [ca-compliance] - 10-February 2020 → [ca-compliance] - Next Update - 1-June 2020

Here is Sectigo's list of Non Commercial Entities.

Sectigo Non Commercial Entity List

Flags: needinfo?(Robin.Alden)

Closing this as it appears all questions have been answered.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] - Next Update - 1-June 2020 → [ca-compliance] [ev-misissuance]