This is an incident report for one PSD2 QWAC issued by Buypass with an illegal value in the Subject Business Category. The actual value was set to ‘UN’ while it should have been ‘Private Organization’.
- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
Buypass became aware of this by verifying the certificate content immediately after issuance.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
2020-04-21, 16:54 (CEST): The PSD2 QWAC was issued.
The certificate content was verified immediately after issuance and the illegal value was identified.
2020-04-21, 17:34: The certificate was revoked and replaced with a correct certificate.
We stopped issuance of all types of certificates that include a Business Category (i.e. EV, QWAC and PSD2 QWAC) and started investigating the cause of the problem.
2020-04-22, 09:30: We had defined the corrective action, including a bug fix in one of our applications.
2020-04-23, 11:29: The bug fix was deployed into production.
- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
Buypass stopped issuance of PSD2 QWACs and of the other types of certificates that include a Business Category as soon as we became aware of the issue.
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
We investigated all issued certificates, and no other certificate with the same error has been issued.
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
The affected certificate is: https://crt.sh/?id=2708443813
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
The root cause of this error was a recent change in our registration systems. We perform an automatic analysis of different types of organizations in order to categorize them into the specific Business Categories defined in the EVG. In some cases it is not possible to identify the real category, and historically the Business Category has then been left empty. The change in question set the category to ‘UN’ (meaning unknown) in such cases instead.
The Business Category is only used in high-assurance certificates such as EV, QWACs and PSD2 QWACs, and validation specialists always validate these certificates. If the Business Category has not been set, or has been set to ‘UN’, the validation specialist sets it to its proper value (from a drop-down list comprising only allowed values). So the actual value is set manually if it has not been set automatically.
We also have controls in the issuance system that verify the data to be embedded in a certificate, but for the Business Category the control only verified that the value was not empty (reflecting our historical handling of the Business Category, where an empty value was the only failure mode). In addition, the actual certificate is always verified by linting before issuance.
In this case, the value of Business Category was still set to ‘UN’ at time of issuance, and our pre-issuance controls failed to identify this (as it was not empty). The linting service we use also did not identify this as an issue, so the certificate was issued.
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
We have added a stricter check for the Business Category value in our pre-issuance control: only the values specified in the EVG are accepted.
The fix for this has already been implemented and deployed to production.
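To make the control failure described in the root-cause section and the fix described above concrete, here is an added example. It is not Buypass code and not the linting service the report mentions; the function names, the handling of the ‘UN’ sentinel, the sample legal-form table and the sample Subjects are assumptions modelled on the report's description. The allow-list is the set of businessCategory values permitted by the CA/Browser Forum EV Guidelines (section 9.2.4), and the Subject lint keys on the X.500 businessCategory attribute type, OID 2.5.4.15.

```python
"""Pre-issuance control for the Subject businessCategory attribute.

Added example (not Buypass code). It contrasts the control the report says
was in place (value merely non-empty) with an allow-list control that accepts
only the values defined in the CA/Browser Forum EV Guidelines, section 9.2.4,
which is the kind of check the report says was added. Function names, the
'UN' sentinel handling and the sample data are assumptions modelled on the
report's description of the registration and issuance flow.
"""
from typing import List, Optional, Tuple

# The only businessCategory values the EV Guidelines permit (EVG 9.2.4).
EVG_BUSINESS_CATEGORIES = frozenset({
    "Private Organization",
    "Government Entity",
    "Business Entity",
    "Non-Commercial Entity",
})

# Sentinel the registration system writes when automatic classification fails
# (as described in the report). It is an internal marker and must never be
# embedded in a certificate.
UNKNOWN_CATEGORY = "UN"

# X.500 attribute type for businessCategory (id-at-businessCategory).
OID_BUSINESS_CATEGORY = "2.5.4.15"


def weak_business_category_check(category: Optional[str]) -> bool:
    """The control the report describes: only rejects an empty value.

    A placeholder such as 'UN' is non-empty, so it passes."""
    return bool(category)


def strict_business_category_check(category: Optional[str]) -> bool:
    """Allow-list control: exact, case-sensitive match against EVG values."""
    return category in EVG_BUSINESS_CATEGORIES


def classify_automatically(legal_form: str, table: dict) -> str:
    """Stand-in for the registration system's automatic categorisation.

    `table` maps a legal-form code to an EVG category; anything the table
    cannot classify gets the 'UN' sentinel, which is the behaviour the report
    attributes to the recent change."""
    return table.get(legal_form, UNKNOWN_CATEGORY)


def pre_issuance_gate(category: Optional[str], strict: bool) -> Tuple[bool, str]:
    """Decide whether a request may proceed to issuance.

    Returns (allowed, reason) so a caller can log why a request was blocked."""
    check = strict_business_category_check if strict else weak_business_category_check
    if check(category):
        return True, "businessCategory accepted"
    if not category:
        return False, "businessCategory missing"
    return False, f"businessCategory {category!r} not an EVG value"


def lint_subject(subject: List[Tuple[str, str]]) -> List[str]:
    """Lint a built Subject given as (OID, value) pairs.

    Flags a missing, duplicated or non-EVG businessCategory so the check fires
    even if the request-level gate was bypassed. Returns a list of findings;
    an empty list means the Subject is clean for this attribute."""
    values = [v for oid, v in subject if oid == OID_BUSINESS_CATEGORY]
    findings = []
    if not values:
        findings.append("businessCategory absent")
    elif len(values) > 1:
        findings.append("businessCategory present more than once")
    for v in values:
        if v not in EVG_BUSINESS_CATEGORIES:
            findings.append(f"businessCategory {v!r} is not an EVG value")
    return findings


def demo() -> dict:
    """Run the constructed scenario from the report end to end."""
    # Constructed lookup table; the real registration system is not modelled.
    table = {"AS": "Private Organization", "STAT": "Government Entity"}
    results = {}
    for form in ("AS", "XYZ"):  # "XYZ" is a form the table cannot classify
        cat = classify_automatically(form, table)
        results[form] = {
            "category": cat,
            "weak": pre_issuance_gate(cat, strict=False)[0],
            "strict": pre_issuance_gate(cat, strict=True)[0],
        }
    return results


if __name__ == "__main__":
    for form, r in demo().items():
        print(form, r)
```

The point of the two checks side by side is that the 'UN' sentinel is a valid string from the weak control's perspective, so the only way to stop an internal placeholder from reaching a certificate is an exact allow-list at the last step before issuance, and a Subject-level lint that repeats the same allow-list independently of how the value got there.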