Closed Bug 1667986 Opened 4 years ago Closed 3 years ago

Asseco DS / Certum: Invalid stateOrProvinceName field

Categories

(CA Program :: CA Certificate Compliance, task)

RESOLVED FIXED

People

(Reporter: aleksandra.kurosz, Assigned: aleksandra.kurosz)

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

Attachments

(1 file)

Steps to reproduce:

Bug related to bug 1667684. We will be back with a report soon.

Assignee: bwilson → aleksandra.kurosz
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance]

1. How your CA first became aware of the problem

On Saturday, September 26th 2020, Certum received a report from a third party about incorrectly issued certificates. It indicated that certificates had been issued with an incorrectly completed stateOrProvinceName field.

2. A timeline of the actions your CA took in response

2020-09-26 19:00 (UTC+2) - Notification is received via the email address revoke@certum.pl.

2020-09-26 20:00 (UTC+2) - The employee operating the mailbox accepts the request, verifies it regarding possible security impacts (found none), and sends for the second analysis stage.

2020-09-27 08:00 (UTC+2) - The second stage of analysis starts.

2020-09-27 12:00 (UTC+2) - The database is analyzed in terms of all the provisions of the "Russian Federation" in the stateOrProvinceName field. Certum prepares a list of affected certificates, all certificates are issued for one customer. The customer is informed about the problem.

2020-09-28 10:37 (UTC+2) - The reporter is informed that we received his report. The reason for the late response is described in bug number 1667684 (https://bugzilla.mozilla.org/show_bug.cgi?id=1667684).

2020-09-28 11:00 (UTC+2) – The stateOrProvinceName field is removed from customer’s dedicated SSL certificate profile.

2020-09-28 17:30 (UTC+2) - The customer starts issuing new certificates without the stateOrProvinceName field.

2020-09-29 09:00 (UTC+2) - A meeting with the customer is held to create a schedule for revoking the incorrectly issued certificates. Certum decides to delay the revocation of part of the certificates. The argumentation for that is described in bug number 1668523 (https://bugzilla.mozilla.org/show_bug.cgi?id=1668523).

2020-09-30 11:50 (UTC+2) - Certum is informed by the customer that the first batch of 786 certificates was replaced on the customer's servers.

2020-10-01 11:00 (UTC+2) - Certum revokes 777 certificates (9 certificates have expired meanwhile) from the first part. The remaining certificates will be revoked up to 2020-10-13 (EOD).

3. Confirmation that your CA has stopped issuing TLS/SSL certificates with the problem

The certificate profile for the customer has been corrected, and Certum is no longer issuing certificates with a stateOrProvinceName field value. All incorrectly issued certificates will be revoked.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

The problem concerns certificates for one of our corporate customers. We are conducting further analysis to confirm whether other certificates are also affected by this problem.

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

The list of certificates is attached to this bug: 981 from the request and 1221 from our analysis.

Additionally, the application also contained a certificate with "Poland " in the stateOrProvinceName field (https://crt.sh/?serial=4bb5d6941cb0d5e4a7640d22ff8f9c79) due to a human error. This certificate has already been revoked.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The problem is due to a human error by the person who created the certificate profile for our corporate customer. We have a dedicated profile for this customer, which can only contain defined values. Due to our mistake, the stateOrProvinceName field was incorrectly set to Russian Federation. All certificates from the dedicated profile were issued for a single customer and a single organization, always with the same locality, state and country. Although the value of stateOrProvinceName was incorrect, it was consistent with the country and across all of the customer's certificates, and should not affect the organisation's identifiability.
The certificate profile has been corrected and our partner is gradually replacing the certificates with new ones.

7. List of steps your CA is taking to resolve the situation

   1. We corrected the dedicated certificate profile for our customer by removing the stateOrProvinceName field.

   2. We added test scenarios that verify that the stateOrProvinceName field has not been added for this profile.
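The two defects described in this report (a country name placed in stateOrProvinceName, and a value with a stray trailing space) are both mechanically detectable before issuance. The following is an added illustration, not Certum's own tooling: a subject-name lint that flags both cases, plus the kind of profile regression check the report says was added. The ISO 3166 table is a hand-built subset and the sample subjects are constructed (organisation names are placeholders).

```python
# Subject-name lint for the defects in this incident: a country name in
# stateOrProvinceName (ST) and leading/trailing whitespace in its value.
# Added example, not Certum's code. ISO3166 is a constructed subset only.
ISO3166 = {"PL": "Poland", "RU": "Russian Federation", "DE": "Germany"}
COUNTRY_NAMES = {name.casefold() for name in ISO3166.values()}


def lint_subject(subject):
    """Return findings for a subject given as an ordered list of (attr, value).

    Assumes each attribute type appears at most once, as in the report's profile.
    """
    attrs = dict(subject)
    findings = []
    country = attrs.get("C")
    if country is not None and country not in ISO3166:
        findings.append(f"C is not a known ISO 3166 alpha-2 code: {country!r}")
    if "ST" in attrs:
        st = attrs["ST"]
        bare = st.strip()
        if st != bare:  # catches values such as "Poland " (trailing space)
            findings.append(f"ST has leading/trailing whitespace: {st!r}")
        if not bare:
            findings.append("ST is present but empty")
        elif bare.casefold() in COUNTRY_NAMES:  # "Russian Federation" in ST
            findings.append(f"ST holds a country name, not a region: {st!r}")
    return findings


def lint_profile(profile_fields, forbidden=("ST",)):
    """Profile regression check: the dedicated profile must not emit ST at all."""
    return [f for f in forbidden if f in profile_fields]


# Constructed subjects modelled on the report; the C/ST pairings are assumed.
SUBJECT_RU_IN_ST = [("C", "RU"), ("ST", "Russian Federation"), ("L", "Moscow"),
                    ("O", "Example Corp"), ("CN", "www.example.com")]
SUBJECT_TRAILING_SPACE = [("C", "PL"), ("ST", "Poland "), ("L", "Warsaw"),
                          ("O", "Example Corp"), ("CN", "www.example.com")]
SUBJECT_OK = [("C", "PL"), ("ST", "Mazowieckie"), ("L", "Warsaw"),
              ("O", "Example Corp"), ("CN", "www.example.com")]

if __name__ == "__main__":
    for label, subj in [("country in ST", SUBJECT_RU_IN_ST),
                        ("trailing space", SUBJECT_TRAILING_SPACE),
                        ("clean", SUBJECT_OK)]:
        print(f"{label}: {lint_subject(subj) or 'no findings'}")
    print("profile without ST:", lint_profile({"C", "L", "O", "CN"}))
    print("profile with ST:", lint_profile({"C", "ST", "L", "O", "CN"}))
```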
    
Attached file crt_sn_bug 1667986.txt

All affected certificates have been revoked as of 2020-10-09 22:45:50 UTC.

Late Revocation

2020-10-01 11:00 (UTC+2) - Certum revokes 777 certificates (9 certificates have expired meanwhile) from the first part. The remaining certificates will be revoked up to 2020-10-13 (EOD).

It seems like a separate incident report should be filed to cover this delayed revocation. Have I missed one being filed?

Root Cause Analysis

In Comment #4:

As a result of the analysis, we found 15 certificates with a country in the stateOrProvinceName field:

In Comment #3:

All affected certificates have been revoked as of 2020-10-09 22:45:50 UTC.

In Comment #1:

We have a dedicated profile for this customer, which can only contain defined values. Due to our mistake, the stateOrProvinceName field was incorrectly set to Russian Federation. All certificates from dedicated profile were issued for single customer and single organization, always with the same locality, state and country.

The certificates in Comment #4 do not seem to share the same root cause of Russian Federation. So what was the actual root cause for these?

Flags: needinfo?(aleksandra.kurosz)

It seems like a separate incident report should be filed to cover this delayed revocation. Have I missed one being filed?

We have described the revocation delay in Bug 1668523 (https://bugzilla.mozilla.org/show_bug.cgi?id=1668523).

The certificates in Comment #4 do not seem to share the same root cause of Russian Federation. So what was the actual root cause for these?

The additional revoked certificates were issued incorrectly due to human mistakes made during verification.
Each case was thoroughly verified, and interviews were conducted with the validation specialists who issued them.
To prevent errors in the future, we plan to change the presentation of all certificate fields in our system before a Validation Specialist accepts a certificate for issuance, so that more attention is paid to the correctness of the fields.

Flags: needinfo?(aleksandra.kurosz)

If there are no additional questions, please close this bug.

Flags: needinfo?(bwilson)

I will close this bug on Wed. 3-Feb-2021.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
See Also: → 1709392
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]