Hi Ryan: As noted before, I responded to the problem report within an hour of receiving it. There was a mix-up across internal email systems, and neither I nor others copied on the email caught it. As noted before, the original certificate reported by Cynthia Revstrom led to a greater investigation described below.
How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
We received a problem report from Clint Wilson at DigiCert who had received an email from Cynthia Revstrom regarding a certificate issued to the National Library of Scotland with possible incorrect use of “Non-Commercial Entity” in businessCategory field.
A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
14 Oct 2019 20:30 GMT Received problem report from Clint Wilson at DigiCert. Ideally problem reports should be directed to firstname.lastname@example.org.
15 Oct 2019 21:30 GMT Following investigation, instructions given to replace and revoke certificate. Response was sent to Cynthia Revstrom (discovered to have not been delivered following the opening of this bug).
16 Oct 2019 Additional investigation identifies more certificates at National Library of Scotland; instructions given to replace and revoke.
18 Oct 2019 Research started into larger issue with EV clients miscategorized as “Non-Commercial Entity.”
20 Oct 2019 14:30 GMT Additional problem report received from Cynthia Revstrom to email@example.com.
20 Oct 2019 15:06 GMT Response sent by QuoVadis (discovered to have not been delivered following the opening of this bug). I have reached out to Cynthia Revstrom to apologise.
21 Oct 2019 12:53 GMT Initial certificate for National Library of Scotland confirmed revoked.
21 Oct 2019 23:30 GMT Following investigation, an additional 66 certificates were identified for revocation, customers contacted starting morning of 22 Oct 2019. The investigation continues.
22 Oct 2019 All 20 certificates for the National Library of Scotland confirmed revoked.
Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
QuoVadis has reviewed all clients with the EV businessCategory “Non-Commercial Entity”. We stopped issuing certificates resulting from the miscategorisation on 18 Oct 2019.
A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
There were 20 problem certificates issued to the National Library of Scotland. The first was issued on 18 Feb 2018 and the last on 11 Jan 2019.
The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
The attached batch 1 includes the initial certificate reported by Cynthia Revstrom and others at the same customer. In our batch revalidation of clients tagged as “Non-Commercial Entity” we have identified another 66 certificates, attached as batch 2. This includes the certificates identified by Cynthia Revstrom in her problem report of 20 Oct 2019. The investigation continues.
Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
RAs believed that “Non-Commercial Entity” applied to charities and other non-commercial entities. This was not the specification laid out in QuoVadis training manuals.
We notice that this same “Non-Commercial Entity” miscategorisation is widespread amongst EV issuing CAs internationally.
List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
As part of the integration of QuoVadis into DigiCert, the QuoVadis compliance team now reports to DigiCert. In addition, an experienced internal auditor has been hired by DigiCert whose role includes the 3% review of QuoVadis TLS issuance.
Previously TLS validation was performed by separate national subsidiaries of QuoVadis for their respective client bases. Since the acquisition by DigiCert, QuoVadis validation has been centralized into one team with a group leader, and reports into the larger DigiCert validation group. Three highly experienced validation staff from DigiCert have been seconded to the group.
Short term, updated training has been provided to QuoVadis RAs relating to EV JOI and businessCategory fields.
Longer term, QuoVadis TLS issuance will move to DigiCert’s platforms, benefiting from DigiCert’s significant investment in automation and validation tools. A roadmap will be provided at a later date.