Closed Bug 1599775 Opened 5 years ago Closed 4 years ago

GlobalSign: Wrong business category (Non Commercial Entity when should have been Private Organization)

Categories

(CA Program :: CA Certificate Compliance, task)

RESOLVED FIXED

People

(Reporter: eva.vansteenberge, Assigned: eva.vansteenberge)

Details

(Whiteboard: [ca-compliance] [ev-misissuance])

  1. How your CA first became aware of the problem

On Monday, November 25th 2019, GlobalSign was notified by a third party through the report abuse email address that three EV SSL certificates had been discovered that identified the organization named in the certificate as a "Non-Commercial Entity".

  2. A timeline of the actions your CA took in response

25th of November, 6pm: notification came in via the report abuse email address.
26th of November, 9am: notification was forwarded to the compliance team.
26th of November, 9.30am: initial incident ticket was created internally, manual review of all certificates containing “Non-Commercial Entity” as business category started.
26th of November, 9.30am: additional monitoring checks set up to go to compliance team for all new requests containing “Non-Commercial Entity” as business category.
26th of November, 10.30am: manual review concluded. Of 65 certificates issued with “Non-Commercial Entity”, three are marked as non-compliant. Decision made to revoke these three certificates within five days as per the Baseline Requirements.

GlobalSign started and concluded the investigation within 24 hours. GlobalSign has already reached out to the Certificate owners. Because of a time difference, we reached out to our Japanese customers earlier today. We have communicated that these certificates need to be replaced as soon as possible because revocation needs to happen following the Baseline Requirements.

As of the moment of reporting, these certificates have not yet been replaced, and the offending certificates have not been revoked. The revocation will happen at the latest on the 30th of November.

  3. Confirmation that your CA has stopped issuing TLS/SSL certificates with the problem

Confirmed – we have reviewed the EV profiles for all our customers containing “Non-Commercial Entity” – no profiles were affected. This issue is isolated to 3 customers in the APAC and JP regions who ordered individual certificates (no profile activated). Additional monitoring has been put in place to escalate requests with this value to Compliance for review prior to issuance. Additional training and testing for the vetting team will be rolled out by the 30th of November.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

Number of certs: 3.

First issued: Jun 22 15:50:34 2018 GMT
Last issued: Jul 22 05:36:07 2019 GMT

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

https://crt.sh/?id=1764033989
https://crt.sh/?id=1547100624
https://crt.sh/?id=557628006

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

This was a breakdown in our manual vetting process for Organizational details. Our internal verification procedures do define the different business categories in accordance with the EV Guidelines. GlobalSign’s ordering process does not expose those definitions to our customers when they order these certificates. This meant the customers wrongly selected “Non-Commercial Entity”, as they seem to be not-for-profit organizations. This was not corrected by the validation specialist performing the initial validation (who collects the initial information), nor by the second person who reviewed the work of the initial validation specialist.

This was not a system issue, but due to human error. GlobalSign has reviewed the supporting training materials, and recognizes that while the proper definition of “Non-Commercial Entity” is included in all the documentation, it could be more specifically highlighted that this category does not cover not-for-profit organizations, even though the value itself could be interpreted that way.

  7. List of steps your CA is taking to resolve the situation

Flagging “Non-Commercial Entity” as a category of high-risk requiring additional scrutiny.
Additional training and testing will be rolled out by the 30th of November 2019.
Further steps to be reviewed.
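The pre-issuance gate the report describes (escalating any request whose businessCategory is “Non-Commercial Entity” for compliance review, and rejecting values outside the EV Guidelines' list) can be automated over the certificate or tbsCertificate itself. The Go below is an added example, not GlobalSign's code or anything from this bug: it assumes the four businessCategory values the EV Guidelines permit, and builds a constructed self-signed test certificate locally so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// X.520 businessCategory (OID 2.5.4.15): the EV subject attribute at issue in this bug.
var oidBusinessCategory = asn1.ObjectIdentifier{2, 5, 4, 15}

// The four values the EV Guidelines permit in businessCategory.
var evBusinessCategories = map[string]bool{"Private Organization": true,
	"Government Entity": true, "Business Entity": true, "Non-Commercial Entity": true}

// BusinessCategory returns the subject's businessCategory, or "" if absent.
// pkix.Name has no dedicated field for it, so walk the raw attribute list.
func BusinessCategory(cert *x509.Certificate) string {
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidBusinessCategory) {
			return s
		}
	}
	return ""
}

// CheckBusinessCategory is a pre-issuance gate modelled on the report's remediation:
// non-EV values fail outright; "Non-Commercial Entity" is held for manual review.
func CheckBusinessCategory(cert *x509.Certificate) (ok bool, reason string) {
	switch bc := BusinessCategory(cert); {
	case !evBusinessCategories[bc]:
		return false, "businessCategory missing or not an EV Guidelines value: \"" + bc + "\""
	case bc == "Non-Commercial Entity":
		return false, "high-risk businessCategory: hold for compliance review"
	default:
		return true, ""
	}
}

// SelfSignedWithCategory builds a constructed test certificate (not a real GlobalSign
// certificate) whose subject carries the given businessCategory.
func SelfSignedWithCategory(bc string) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), Subject: pkix.Name{Organization: []string{"Example Org"},
			ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidBusinessCategory, Value: bc}}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

In a CA pipeline the same check would run on the pre-certificate or linting input before signing, so the “Non-Commercial Entity” case never reaches issuance without a compliance reviewer's sign-off.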

As an addition to "6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now."

We recognize that a related issue was reported before, but was missed in our additional internal reviews. We have added additional compliance people monitoring this, and have scheduled monthly reviews with these additional compliance people to see if any of GlobalSign's certificates or practices are impacted by similar issues. The first of these reviews is scheduled next week.

Just a short update:

  • the three certificates have been revoked today, the 29th of November 2019.
  • additional training and testing has been rolled out.
Assignee: wthayer → eva.vansteenberge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]

I've seen a number of issues, from CAs, referring to this as a "misunderstanding" about the EV requirements, either individually by validation agents or by the CA as a whole. While this may be a true statement, I don't think it gets sufficiently into understanding the systemic root causes.

For example, what other misunderstandings about the EV guidelines may exist? What steps are being taken to re-evaluate the existing processes and procedures - for all requirements - to make sure there's a correct understanding, or to seek clarifications? What were the old internal documentation/requirements, how long had they been introduced, when/did they get periodically reviewed? What are the new training and testing requirements?

I don't think it's sufficient to just say "We misunderstood", but to try and understand how these misunderstandings happen, how they aren't detected, and looking for opportunities to improve this, both as an individual CA and as an industry, going forward.

Flags: needinfo?(eva.vansteenberge)
Type: defect → task

Dear Ryan, we updated the training on this subject and people have been tested on the correctness of their understanding. The misunderstanding occurred because the definition of the term "non-commercial entity" was more specific than the term itself seemed to suggest. This was not detected due to the very low number of requests we receive. We will conduct additional internal investigations to highlight other potential areas of concern.

Flags: needinfo?(eva.vansteenberge)

I'm not particularly inspired by this incident report, but assigning to Wayne as I have no further follow-up questions.

Flags: needinfo?(wthayer)

It appears that all questions have been answered and remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(wthayer)
Resolution: --- → FIXED
Product: NSS → CA Program
Summary: GlobalSign - Wrong business category (Non Commercial Entity when should have been Private Organization) → GlobalSign: Wrong business category (Non Commercial Entity when should have been Private Organization)
Whiteboard: [ca-compliance] → [ca-compliance] [ev-misissuance]