Asseco DS / Certum: EV Certificates issued with wrong Business Category
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: aleksandra.kapinos, Assigned: aleksandra.kapinos)
Details
(Whiteboard: [ca-compliance] [ev-misissuance])
Steps to reproduce:
- How your CA first became aware of the problem
On Monday, November 25th 2019, Certum was notified by a third party through the report abuse email address that 11 EV SSL certificates had been discovered which identified the organization named in the certificate as a "Non-Commercial Entity".
- A timeline of the actions your CA took in response
25th of November, 6pm GMT +1: notification came in via the email address revoke@certum.pl
26th of November, 7am GMT +1: notification was forwarded to the quality team; manual review of all certificates containing “Non-Commercial Entity” as business category started.
27th of November: additional review to confirm that all the certificates with the wrong “Non-Commercial Entity” category were found. We found another certificate that was not included in the third party's report.
28th of November: customers are notified that they need to include a new request and revoke the problematic certificates.
29th of November: we created this bug.
- Confirmation that your CA has stopped issuing TLS/SSL certificates with the problem
Confirmed – we have reviewed all EV certificates containing “Non-Commercial Entity”.
Validation Specialists have been trained in which cases “non-commercial entity” may be used.
At the moment, we are waiting for approval from our clients to revoke the wrong certificates.
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
Number of certs: 12.
First issued: 08.06.2018
Last issued: 21.11.2019
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
It was a misunderstanding about the nature of the business category for foundations, because they are non-profit organizations (according to section 8.5.5 of the EV Guidelines). We trained Validation Specialists about the business categories and we will update the documentation with a description of business categories in accordance with the EV Guidelines by the 6th of December.
- List of steps your CA is taking to resolve the situation
  - Review all the certificates with the category “Non-Commercial Entity”,
  - Inform clients that they need to include a new request,
  - Train Validation Specialists about business category,
  - Revoke all the problematic certificates,
  - Update documentation with a description of business categories in accordance with the EV Guidelines.
We will update this bug when all certificates have been revoked.
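The review the report describes (scanning every issued certificate whose businessCategory reads “Non-Commercial Entity”) can be automated. The Go program below is an added example, not code from Certum or this bug: it reads id-at-businessCategory from a parsed certificate's subject and flags for manual confirmation any certificate carrying "Non-Commercial Entity" or a value outside the four categories the EV Guidelines define. The certificates it checks are self-signed samples constructed in the code, and the organization names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidBusinessCategory = asn1.ObjectIdentifier{2, 5, 4, 15} // id-at-businessCategory, carries the EV category
// BusinessCategory returns the subject's businessCategory string, or "" if absent.
func BusinessCategory(cert *x509.Certificate) string {
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidBusinessCategory) {
			return s
		}
	}
	return ""
}
// NeedsReview flags a certificate for manual confirmation when its category is "Non-Commercial
// Entity" (the value mis-applied here) or is outside the four EV Guidelines values; the string says why.
func NeedsReview(cert *x509.Certificate) (bool, string) {
	switch cat := BusinessCategory(cert); cat {
	case "Private Organization", "Government Entity", "Business Entity":
		return false, ""
	case "Non-Commercial Entity":
		return true, "confirm the subject qualifies as a Non-Commercial Entity"
	default:
		return true, "unexpected or missing businessCategory: " + cat
	}
}
// constructedCert builds a self-signed sample: a constructed input, not a Certum certificate.
func constructedCert(org, category string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{Organization: []string{org}, ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: oidBusinessCategory, Value: category}}}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
func main() { // scan a constructed sample the way the report's manual review did
	c := constructedCert("Example Foundation", "Non-Commercial Entity")
	fmt.Println(NeedsReview(c)) // prints: true confirm the subject qualifies as a Non-Commercial Entity
}
```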
Comment 1
I've seen a number of issues, from CAs, referring to this as a "misunderstanding" about the EV requirements. While this may be a true statement, I don't think it gets sufficiently into understanding the systemic root causes.
For example, what other misunderstandings about the EV guidelines may exist? What steps are being taken to re-evaluate the existing processes and procedures - for all requirements - to make sure there's a correct understanding, or to clarify? What were the old internal documentation/requirements, how long had they been introduced, when/did they get periodically reviewed?
I don't think it's sufficient to just say "We misunderstood", but to try and understand how these misunderstandings happen, how they aren't detected, and looking for opportunities to improve this, both as an individual CA and as an industry, going forward.
Comment 2
We did an additional review of procedures in terms of issuing EV certificates and did not detect any additional misunderstandings.
Standard reviews of procedures take place every year. We have also planned, by the end of the year, a special review of the procedures that relate to the interpretation of the BRs.
After this situation we will pay more attention to standard documentation reviews and to the Validation Specialists' understanding of procedures. On 6 December, we updated the incorrect contents in the procedure to meet the current EV guidelines regarding business category.
Of course, all problematic certificates have already been revoked.
Comment 3
It appears that all questions have been answered and remediation is complete.