Asseco DS / Certum: Invalid stateOrProvinceName field
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: aleksandra.kurosz, Assigned: aleksandra.kurosz)
References
Details
(Whiteboard: [ca-compliance] [ov-misissuance])
Attachments
(1 file)
122.30 KB,
text/plain
|
Details |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Steps to reproduce:
Bug related to bug 1667684. We will back with report soon.
Updated•4 years ago
|
Assignee | ||
Comment 1•4 years ago
|
||
1.How your CA first became aware of the problem
On Saturday, September 26th 2020, Certum received the report from third party about incorrect issues of certificates. It has been indicated that were issued certificates with incorrect completion of the stateOrProvinceName field.
- A timeline of the actions your CA took in response
2020-09-26 19:00 (UTC+2) - Notification is received via the email address revoke@certum.pl.
2020-09-26 20:00 (UTC+2) - The employee operating the mailbox accepts the request, verifies it regarding possible security impacts (found none), and sends for the second analysis stage.
2020-09-27 08:00 (UTC+2) - The second stage of analysis starts.
2020-09-27 12:00 (UTC+2) - The database is analyzed in terms of all the provisions of the "Russian Federation" in the stateOrProvinceName field. Certum prepares a list of affected certificates, all certificates are issued for one customer. The customer is informed about the problem.
2020-09-28 10:37 (UTC+2) - The reporter is informed that we received his report. The reason for the late response is described in bug number 1667684 (https://bugzilla.mozilla.org/show_bug.cgi?id=1667684).
2020-09-28 11:00 (UTC+2) – The stateOrProvinceName field is removed from customer’s dedicated SSL certificate profile.
2020-09-28 17:30 (UTC+2) - The customer starts issuing new certificates without the stateOrProvinceName field.
2020-09-29 09:00 (UTC+2) - The meeting with the customer is held to create a schedule of revoking incorrectly issued certificates. Certum decides to wait with the revocation the revocations of part of the certificates. The argumentation for that is described in the bug number 1668523 (https://bugzilla.mozilla.org/show_bug.cgi?id=1668523).
2020-09-30 11:50 (UTC+2) – Certum is informed by customer that the first batch of 786 certificates was replaced on customer’s servers.
2020-10-01 11:00 (UTC+2) - Certum revokes 777 certificates (9 certificates have expired meanwhile) from the first part. The remaining certificates will be revoked up to 2020-10-13 (EOD).
-
Confirmation that your CA has stopped issuing TLS/SSL certificates with the problem
The certificate profile for the customer has been corrected and now Certum is no longer issuing certificates with stateOrProvinceName field value. All of incorrectly issued certificates will be revoked.
-
A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
The problem concerns certificates for one of our corporate customer. We conduct further analysis to confirm whether other certificates are also affected by this problem.
-
The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
The list of certificates is attached to this bug. The 981 from the request and 1221 from our analysis.
Additionally, the application also contained certificate with „Poland " in the field stateOrProvinceName (https://crt.sh/?serial=4bb5d6941cb0d5e4a7640d22ff8f9c79) due to a human error. This certificate has already been revoked.
-
Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
The problem is due to human error of the person who created the certificate profile for our corporate customer. We have a dedicated profile for this customer, which can only contain defined values. Due to our mistake, the stateOrProvinceName field was incorrectly set to Russian Federation. All certificates from dedicated profile were issued for single customer and single organization, always with the same locality, state and country. Although value of the stateOrProvinceName was incorrect, it was consistent with country and for all customer’s certificates, and should not affect the organisation's identifiability.
The certificate profile has been corrected and our partner is gradually replacing the certificates with new ones.
-
List of steps your CA is taking to resolve the situation
-
We corrected dedicated certificate profile for our customer by removing field stateOrProvinceName
-
We added test scenarios that verify that the stateOrProvinceName field has not been added for this profile
Assignee | ||
Comment 2•4 years ago
|
||
Assignee | ||
Comment 3•4 years ago
|
||
All affected certificate has been revoked at 2020-10-09 22:45:50 UTC.
Assignee | ||
Comment 4•4 years ago
|
||
As a result of the analysis, we found 15 certificates with a country in the stateOrProvince Name field:
https://crt.sh/?serial=2029df5cf30feeea5affecdb37c07938
https://crt.sh/?serial=26ea96b773d89d7315cf96add5ad2f12
https://crt.sh/?serial=4e0bf4e3e3fa1fb6754b25e5ce77c201
https://crt.sh/?serial=5211510ac9c616c5e895ed28106c8509
https://crt.sh/?serial=6d5ed6483b16aa8cb7eaf78f6cdec48c
https://crt.sh/?serial=67617b9e0586baa339fd821674965fda
https://crt.sh/?serial=3683710db49d6fd141b0a7c7df4fda93
https://crt.sh/?serial=4cc9b5b25455a3cc0b22504e30b4f0d8
https://crt.sh/?serial=559d20f550d679bc181fbbdb11632362
https://crt.sh/?serial=6c089865ccc831c260a134dabba32dff
https://crt.sh/?serial=77f5f636c6bd0ec06477674e7f210176
https://crt.sh/?serial=059b4ce801055d391b42881ff0d1f805
https://crt.sh/?serial=7dda3494737c3918913401331625f51d
https://crt.sh/?serial=73262a6586c1a8cd8661d13c5ebff7ff
https://crt.sh/?serial=01777a954266ea7187ba90f64769c693
All these certificates have been revoked, the last one: 2020-10-30 14:10:10 UTC
Comment 5•3 years ago
|
||
Late Revocation
2020-10-01 11:00 (UTC+2) - Certum revokes 777 certificates (9 certificates have expired meanwhile) from the first part. The remaining certificates will be revoked up to 2020-10-13 (EOD).
It seems like a separate incident report should be filed to cover this delayed revocation. Have I missed one being filed?
Root Cause Analysis
In Comment #4:
As a result of the analysis, we found 15 certificates with a country in the stateOrProvince Name field:
In Comment #3:
All affected certificate has been revoked at 2020-10-09 22:45:50 UTC.
In Comment #1:
We have a dedicated profile for this customer, which can only contain defined values. Due to our mistake, the stateOrProvinceName field was incorrectly set to Russian Federation. All certificates from dedicated profile were issued for single customer and single organization, always with the same locality, state and country.
The certificates in Comment #4 do not seem to share the same root cause of Russian Federation. So what was the actual root cause for these?
Assignee | ||
Comment 6•3 years ago
|
||
It seems like a separate incident report should be filed to cover this delayed revocation. Have I missed one being filed?
We have described the delay in revoking in Bug 1668523 https://bugzilla.mozilla.org/show_bug.cgi?id=1668523
The certificates in Comment #4 do not seem to share the same root cause of Russian Federation. So what was the actual root cause for these?
Additional revoked certificates were issued incorrectly due to human mistakes made during verification.
Each case was thoroughly verified and interviews were conducted with the validation specialists who issued them.
To prevent errors in the future, we plan to change the presentation of every certificate fields in our system before Validation Specialist accept certificate to issue, to pay more attention to the correctness of the fields.
Assignee | ||
Comment 7•3 years ago
|
||
If there are no additional questions, please close this bug.
Comment 8•3 years ago
|
||
I will close this bug on Wed. 3-Feb-2021.
Updated•3 years ago
|
Updated•1 year ago
|
Updated•1 year ago
|
Description
•