Incident Report – Mozilla Policy Violation (Failure to properly encode Subject name)
1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
DigiCert conducted an internal audit of our certificates for linter issues and identified certificates that contained one of the following errors:
- organization names that exceed 64 characters – 31 certs
- non-informational values in the OU field (a "-") – 2 certs
2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
February 13, 2020 – Compliance analytics team ran linter analysis on existing active certificates
February 14, 2020 – Initial analysis results provided to DigiCert Support team to investigate
February 17, 2020 – Confirmed list of certificates with errors that required revocation
February 21, 2020 – List of 33 active certificates revoked (5 days)
February 22, 2020 – I posted on https://bugzilla.mozilla.org/show_bug.cgi?id=1576013 the revocation action taken with a list of crt.sh links
February 26, 2020 – Ryan Sleevi informed us that he opened Bug 1618256, to file a separate incident report.
3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
On 05-April-2017, an issue with common name and organization name exceeding the maximum length was identified in the moz.dev.security forum; a resulting bug was filed (https://bugzilla.mozilla.org/show_bug.cgi?id=1353827). DigiCert resolved the issue by patching on 09-May-2017. From that point, DigiCert’s systems blocked issuance when the common name or organization name exceeded the maximum length.
4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
The list of certificates is at: https://bugzilla.mozilla.org/show_bug.cgi?id=1618256#c1
First issuance: 13-December-2016
Last issuance: 03-April-2017
5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
See 4 above
6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
As indicated in 3 above, the systems were patched to block common names and organization names exceeding the 64-character maximum length. However, the fix only applied going forward, to new certificate issuance. The scan of existing certificates conducted at that time covered only common names that exceeded the maximum length; it did not cover organization name length, which is the subject of this incident, or non-informational values in the OU field.
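The detection gap described in 6 is a scope problem: a sweep that only lints the common name cannot surface an over-long organization name or a placeholder OU. The following is an added example, not DigiCert's code, showing a minimal Subject lint for the two conditions in this report (RFC 5280 Appendix A upper bounds of 64 characters for CN, O and OU; BR 7.1.4.2.2's ban on fields that hold only metadata such as ".", "-" or " ") and running it as a CN-only sweep and as a full sweep over the same constructed population. The certificate ids, subjects and the placeholder word list are made up for illustration.

```python
# Added example (not DigiCert's code): lint Subject attributes for the two
# conditions in this report, then contrast a CN-only sweep with a full sweep.
from typing import Dict, List, Set, Tuple

# RFC 5280 Appendix A upper bounds (in characters) for the attributes involved.
UPPER_BOUNDS = {
    "CN": 64,   # ub-common-name
    "O": 64,    # ub-organization-name
    "OU": 64,   # ub-organizational-unit-name
}

# BR 7.1.4.2.2: a field must not contain only metadata such as '.', '-' or ' ',
# or any other indication that the value is absent or not applicable.
METADATA_CHARS = set(".- ")
# Assumption: common placeholder words a linter would also treat as non-informational.
METADATA_WORDS = {"n/a", "na", "none", "null", "unknown"}

Subject = List[Tuple[str, str]]  # ordered (attribute type, value) pairs


def check_length(attr: str, value: str) -> List[str]:
    """Flag an attribute whose character count exceeds its RFC 5280 upper bound."""
    bound = UPPER_BOUNDS.get(attr)
    if bound is not None and len(value) > bound:
        return [f"{attr} length {len(value)} exceeds ub {bound}"]
    return []


def check_metadata(attr: str, value: str) -> List[str]:
    """Flag an OU that is empty, metadata-only, or a known placeholder word."""
    stripped = value.strip()
    if attr == "OU" and (
        stripped == ""
        or set(stripped) <= METADATA_CHARS
        or stripped.lower() in METADATA_WORDS
    ):
        return [f"OU contains non-informational value {value!r}"]
    return []


def lint_subject(subject: Subject, attrs_in_scope: Set[str]) -> List[str]:
    """Run both checks over the attributes the sweep has been scoped to."""
    findings: List[str] = []
    for attr, value in subject:
        if attr not in attrs_in_scope:
            continue
        findings += check_length(attr, value)
        findings += check_metadata(attr, value)
    return findings


def sweep(population: Dict[str, Subject], attrs_in_scope: Set[str]) -> Dict[str, List[str]]:
    """Lint every active certificate; return only those with findings."""
    result: Dict[str, List[str]] = {}
    for cert_id, subject in population.items():
        findings = lint_subject(subject, attrs_in_scope)
        if findings:
            result[cert_id] = findings
    return result


# Constructed sample population; ids and subjects are invented for this example.
POPULATION: Dict[str, Subject] = {
    "cert-A": [("CN", "www.example.test"), ("O", "Example Corp"), ("OU", "IT")],
    "cert-B": [("CN", "www.example.test"), ("O", "E" * 70)],                 # O too long
    "cert-C": [("CN", "www.example.test"), ("O", "Example Corp"), ("OU", "-")],  # metadata OU
    "cert-D": [("CN", "x" * 65), ("O", "Example Corp")],                      # CN too long
}

if __name__ == "__main__":
    # A CN-only sweep (the 2017 scope) sees one bad cert; the full sweep sees three.
    print("CN-only sweep flags:", sorted(sweep(POPULATION, {"CN"})))
    print("Full sweep flags:   ", sorted(sweep(POPULATION, set(UPPER_BOUNDS))))
```

The point of `attrs_in_scope` is that the lint logic itself was never the gap; the population and the attributes it was run against were. A sweep scoped to every bounded Subject attribute, re-run against all active certificates whenever a rule is added, is what closes it.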
7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
Our Compliance function has focused over the last 4.5 months on finding anomalies in our issued certificates that we need to correct. Our analysis methodology is to identify an error condition and then conduct a comprehensive sweep over the entire population of active certificates. As part of our incident management approach, our goal is to continue to identify these types of issues conclusively and comprehensively. We expect this approach to close the gap so that all affected certificates are remediated going forward.