Closed Bug 1599561 Opened 5 years ago Closed 4 years ago

D-TRUST: EV certificates with incorrectly used businessCategory entry

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: enrico.entschew, Assigned: enrico.entschew)

Details

(Whiteboard: [ca-compliance] [ev-misissuance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
    2019-11-25, 18:08 UTC: A third party (DigiCert) brought to our attention via email (Problem Reporting Mechanism) that D-TRUST had issued EV certificates with an incorrectly used businessCategory entry.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

2019-11-25, 18:08 UTC: initial report
2019-11-26, 06:20 UTC: start investigating the error
2019-11-26, 09:30 UTC: suspension of user accounts with Subject Business Category field "Non-Commercial Entity"
2019-11-26, 13:00 UTC: 4 affected EV certificates of 3 organizations
2019-11-26, 15:00 UTC: start of customer communication process

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

We suspended the user accounts with Subject Business Category field "Non-Commercial Entity" until further notice. We await the completion of further investigations before appropriate steps can be taken.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

Problem: Incorrect value in Subject Business Category field
Number of affected certificates: 4
Issuing date of first certificate: 2018-03-01
Issuing date of last certificate: 2019-07-23

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

https://crt.sh/?id=718780879
https://crt.sh/?id=346525550
https://crt.sh/?id=484028107
https://crt.sh/?id=1698563641

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

According to our knowledge, due to an error in one of the process documents, the classification was incorrect and went unrecognized. We are still in the process of analyzing the causes.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

Until further notice, no EV certificate with the Subject Business Category field "Non-Commercial Entity" can be issued. After a detailed in-depth analysis, appropriate steps will be taken to prevent this error from occurring again. However, this analysis is not yet complete. We will work hard to solve the issue and to have a response to the community by EOD, November 28th.

Assignee: wthayer → enrico.entschew
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance]

This is an update:

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

2019-11-25, 18:08 UTC: A third party (DigiCert) brought to our attention via email (Problem Reporting Mechanism) that D-TRUST had issued EV certificates with an incorrectly used businessCategory entry.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

2019-11-25, 18:08 UTC: initial report
2019-11-26, 06:20 UTC: investigation of the error
2019-11-26, 09:30 UTC: suspension of user accounts with Subject Business Category field "Non-Commercial Entity"
2019-11-26, 13:00 UTC: result of investigation: 4 affected EV certificates of 3 organizations
2019-11-26, 15:00 UTC: initiation of customer communication process
2019-11-27, 10:00 UTC: completion of analysis / release of action plan
2019-11-27, 12:00 UTC: adaptation of the process documentation and initial training of the validation team
2019-11-27, 15:00 UTC: adaptation of attributes in customer profiles and release of suspended user accounts

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

We suspended the user accounts with the Subject Business Category field "Non-Commercial Entity" until the cause of the error could be found and corrected. The customer profiles have been changed. As of 2019-11-27, 15:00 UTC, certificates can be obtained again via the customer profiles that were affected.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

Problem: Incorrect value in Subject Business Category field
Number of affected certificates: 4
Issuing date of first certificate: 2018-03-01
Issuing date of last certificate: 2019-07-23

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

https://crt.sh/?id=718780879
https://crt.sh/?id=346525550
https://crt.sh/?id=484028107
https://crt.sh/?id=1698563641

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

Our internal validation guidelines include a quite detailed checklist for the validation of the business category entry. During the translation of the requirements into German there was a misunderstanding due to a shortened transfer of this particular requirement. The term "non-commercial" can be translated into German as "gemeinnützig", which is incorrect in this particular case; it more closely means "non-profit".

This term "gemeinnützig" was used in the validation checklist, and according to the German legal conception the entities were classified as such by our validation team. This was the main reason why certificates with the entry "Non-Commercial Entity" in the Business Category were wrongly issued.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

The cause of this error has been fixed. No further incorrect certificates were issued. The affected certificates will be revoked on 2019-11-29, 10:00 UTC. Replacement certificates will be made available to the affected customers. In order to prevent the incorrect use of the entry "Non-Commercial Entity" in the Business Category in the future, the internal validation guidelines were revised and the validation team was trained. Effective immediately, the decision to use the entry "Non-Commercial Entity" in the Business Category field must be approved by management in addition to the validation specialists.

Next update by EOD, December 2nd.

Enrico: I notice you missed the Dec 2 update.

In terms of analyzing root causes, it's definitely one of the more interesting ones to see that the root cause was a localization issue. With respect to the broader analysis of the EV requirements, what steps have been taken to examine the internal validation guidelines for other translation issues? Especially for fields with more stringent requirements?

Overall, the steps of requiring Management-level overrides seem to mitigate this particular situation, by greatly restricting when these certificates can be issued.

Flags: needinfo?(enrico.entschew)

Ryan: We have revoked all affected certificates on 2019-11-29, 10:00 UTC.

Regarding your other comment:
We addressed the localization issue and reviewed our internal validation guidelines accordingly. No further inconsistencies were identified. However, a full revision of our internal validation guidelines is already planned for the coming weeks, and we will focus on localization in particular.

Flags: needinfo?(enrico.entschew)

It appears that all questions have been answered and remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ev-misissuance]