Closed Bug 1600114 Opened 5 years ago Closed 4 years ago

Camerfirma: EV Certificates issued with wrong Business Category

Categories

(CA Program :: CA Certificate Compliance, task)


RESOLVED FIXED

People

(Reporter: ana.lopes, Assigned: ana.lopes)

Details

(Whiteboard: [ca-compliance] [ev-misissuance])

Attachments

(1 file)

2.38 KB, application/octet-stream
Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0

Steps to reproduce:

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
    Camerfirma became aware of the problem due to a communication from a third party (thanks to Michael Lettona from Digicert) on November 25th.
    We examined the list of certificates and we detected 7 active certificates with the wrong business category. Five of them have “Non-Commercial Entity” instead of the correct value, “Private Organization”, and the other two have “Non-Commercial Entity” instead of “Government Entity”.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
    Nov 25th, 2019: We started to examine the certificates with this problem and possible causes of that misinterpretation
    Nov 26th, 2019: The legal department prepared a report with the conclusions of the EV Guidelines to avoid the problem on future occasions, and examined the new bugs opened in Bugzilla to detect whether more organisations were affected by this problem.
    We contacted our affected clients to establish the date on which we could revoke the certificates without affecting their services. We managed to contact 6 of the 7 clients, and they agreed to revoke their certificates and issue new ones to substitute them.
    Nov 27th, 2019: We confirmed that we do not have more affected certificates with this problem, but we started to investigate other categories to verify that there are no more certificates with the wrong category.
    We created new certificates to substitute the wrong ones, and we are waiting for acceptance from the clients to revoke the wrong certificates.
    Nov 28th, 2019: We tried to contact the last client, but it has not been possible so far.
    We will revoke the wrong certificates on Nov 29th, as soon as our clients can operate with their new certificates.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
    The value has been corrected for all new certificates issued in the future and after revoking the problematic ones we will not have certificates in use with this problem anymore.
    At the moment, we are waiting for the approval from our clients to revoke the wrong certificates.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
    There are 7 certificates affected, issued between 2018-03-23 and 2019-09-17.

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
    https://crt.sh/?id=827152180
    https://crt.sh/?id=919716177
    https://crt.sh/?id=966383281
    https://crt.sh/?id=934198087
    https://crt.sh/?id=825702240
    https://crt.sh/?id=481505275
    https://crt.sh/?id=1902597483

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
    The Registration Authority misunderstood the business category for the foundations because they are non-profit organizations (according to section 8.5.5 of the EV Guidelines), overlooking the international nature of the organization.
    Regarding the entities belonging to the Govern d’Andorra, they were classified as “Non-Commercial Entity” instead of “Government Entity” due to a misinterpretation of the special regulation of the institutions in that country.

  7. List of steps your CA is taking to resolve the situation
    1- Review all the certificates with the category “Non-commercial” to ensure this situation does not occur in more certificates (done)
    2- Inform our affected clients about the situation (done)
    3- Change the value of the category for the new certificates to be issued (done)
    4- Create a guideline to identify the different kind of organisations to avoid human errors in the future (done)
    5- Create new certificates to substitute the wrong ones (done for 6 certificates and waiting for the confirmation from the other client)
    6- Revoke all the problematic certificates: (pending)
    7- Review the category of all certificates to ensure that there are no more certificates with a wrong business category (we will give you more details about the situation by Dec 5th, 2019.)

Assignee: kwilson → ana.lopes
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Component: CA Certificate Root Program → CA Certificate Compliance
Ever confirmed: true
QA Contact: kwilson → wthayer
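The review described in step 1 and step 7 above (checking the businessCategory of every issued certificate) can be partly automated. The following is an added example, not Camerfirma's code: it decodes the subject Name of each certificate with a minimal DER walker (no third-party library, so it runs offline), checks that businessCategory is one of the four strings permitted by section 9.2.4 of the EV Guidelines, flags organisations whose certificates disagree with each other, and builds the queue of organisations filed under a given category for a human reviewer. The sample subjects and organisation names are constructed and fictional, not the certificates from this bug; the DER encoder is there only to build them.

```python
"""Review the EV businessCategory attribute across a batch of certificate subjects.

Added example, not Camerfirma's code. Uses a minimal DER walker (no third-party
library) so it runs offline; SAMPLE_SUBJECTS below are constructed, fictional
organisations, not the certificates from this bug.
"""
from collections import defaultdict

# EV Guidelines section 9.2.4: businessCategory MUST be exactly one of these strings.
EV_BUSINESS_CATEGORIES = {
    "Private Organization", "Government Entity", "Business Entity", "Non-Commercial Entity",
}
OID_ORGANIZATION = "2.5.4.10"                          # O
OID_BUSINESS_CATEGORY = "2.5.4.15"                     # businessCategory
OID_JURISDICTION_COUNTRY = "1.3.6.1.4.1.311.60.2.1.3"  # jurisdictionCountryName


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OID content bytes to dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_name(der):
    """Decode an X.501 Name (SEQUENCE OF SET OF SEQUENCE {OID, string}) to {oid: text}."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = {}, 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)          # RelativeDistinguishedName (SET)
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)           # AttributeTypeAndValue (SEQUENCE)
            _, oid, q = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, q)         # PrintableString or UTF8String
            attrs[_decode_oid(oid)] = value.decode("utf-8")
    return attrs


def _tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed sample subjects."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128 with continuation bits
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return bytes(out)


def make_name(attributes):
    """Encode {oid: text} as a DER Name with one UTF8String attribute per RDN."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x0C, text.encode("utf-8"))))
        for oid, text in attributes.items())
    return _tlv(0x30, rdns)


def check_subject(attrs):
    """Per-certificate findings; an empty list means nothing to flag automatically."""
    findings = []
    cat = attrs.get(OID_BUSINESS_CATEGORY)
    if cat is None:
        findings.append("missing businessCategory")
    elif cat not in EV_BUSINESS_CATEGORIES:
        findings.append(f"businessCategory {cat!r} is not an EV Guidelines value")
    if OID_JURISDICTION_COUNTRY not in attrs:
        findings.append("missing jurisdictionCountryName")
    return findings


def review(subjects, focus_category=None):
    """Batch review: per-cert findings, organisations whose certificates disagree on
    category, and the organisations filed under focus_category for a human to re-check.
    A well-formed but wrongly chosen value (this bug) is only caught by that last step."""
    per_cert, by_org = {}, defaultdict(set)
    for i, der in enumerate(subjects):
        attrs = parse_name(der)
        per_cert[i] = check_subject(attrs)
        by_org[attrs.get(OID_ORGANIZATION, "")].add(attrs.get(OID_BUSINESS_CATEGORY))
    return {
        "per_cert": per_cert,
        "inconsistent_orgs": sorted(o for o, c in by_org.items() if len(c) > 1),
        "review_queue": sorted(o for o, c in by_org.items() if focus_category in c),
    }


# Constructed sample subjects (fictional organisations): the first two disagree with each
# other, the third is well-formed but may be filed wrongly, the fourth has a malformed value.
SAMPLE_SUBJECTS = [
    make_name({OID_ORGANIZATION: "Example Foundation", OID_BUSINESS_CATEGORY: "Non-Commercial Entity",
               OID_JURISDICTION_COUNTRY: "ES"}),
    make_name({OID_ORGANIZATION: "Example Foundation", OID_BUSINESS_CATEGORY: "Private Organization",
               OID_JURISDICTION_COUNTRY: "ES"}),
    make_name({OID_ORGANIZATION: "Example Ministry", OID_BUSINESS_CATEGORY: "Business Entity",
               OID_JURISDICTION_COUNTRY: "AD"}),
    make_name({OID_ORGANIZATION: "Example Ltd", OID_BUSINESS_CATEGORY: "Non- commercial"}),
]

if __name__ == "__main__":
    report = review(SAMPLE_SUBJECTS, focus_category="Non-Commercial Entity")
    for idx, findings in report["per_cert"].items():
        print(f"cert {idx}: {findings or 'ok'}")
    print("organisations with conflicting categories:", report["inconsistent_orgs"])
    print("hand to a reviewer:", report["review_queue"])
```

In practice the subject Name bytes would come from each issued certificate (for example the `subject` field of a parsed TBSCertificate) rather than from `make_name`. The automated checks only catch malformed values and internal inconsistency; a value such as “Business Entity” that is well-formed but wrong for a government body, as in this bug, still needs the review queue to be worked by someone who knows the organisation type.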

All the certificates with wrong business category detected were revoked on Nov 29th.
We continue reviewing the category of the rest of certificates in order to detect other possible cases and we will give more details by Dec 5th.

We have finished our investigation about the certificates issued with a wrong category and we have not detected more wrong cases with the category "Non-commercial entity".

We will continue investigating to know if the problem exists also with other categories and we will inform you by the end of next week.

As we told you last week, we have continued with our review to detect other possible wrong cases.

Since we detected some cases associated with the Govern of Andorra, we continued reviewing the rest of their certificates and we have detected that 122 certificates of the Govern of Andorra have a wrong category. They have “Business entity” instead of “Government Entity”. Please find the list of certificates in the attached file.

We want to emphasize that the error was due to a misinterpretation of the term “Business entity” by the RA operators, and we can assure you that they received specific instructions about it on Dec 27th to avoid the problem in the process on future occasions.

We have already informed the client about the situation to establish a revocation and substitution plan, and at the moment we have 22 certificates revoked and substituted by new ones and another 20 substituted and waiting for approval to be revoked.

We will continue informing you about updates.

Attached file serials.txt

We have already revoked all the misissued certificates (the last misissued certificate was revoked on Dec 17th 17:57:03 GMT) and we have not detected more cases during our review.
We want to take the opportunity to correct a mistake with the date that we made in the last comment. We meant “we can assure that they received specific instructions about it on Nov 27th to avoid the problem in the process for future occasions” (instead of Dec 27th).

Ana: will you please explain what has been done to prevent similar problems from happening in the future?

Flags: needinfo?(ana.lopes)

Hi Wayne,
We have conducted the following actions to prevent similar errors in the future:

  1. Creation of a guideline to identify the differences between the different types of organisations. This guideline was distributed among the RA operators on Nov 27th.
  2. Internal training for all the RA operators to clarify all the concepts included in the guideline, on Nov 28th.
  3. Creation of a new version of the manual that includes all the information about the different organisation categories to be chosen during the verification process, on Dec 2nd.
  4. Incorporation of the concepts included in the guideline into the training course for new RA operators. New questions related to this matter have been added to the test (the updates of the course will come into effect from Jan 1st).
Flags: needinfo?(ana.lopes)
Whiteboard: [ca-compliance]

It appears that all questions have been answered and remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ev-misissuance]
