Closed Bug 1710444 Opened 3 years ago Closed 3 years ago

DigiCert: Invalid stateOrProvinceName

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: michel, Assigned: brenda.bernal)

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

Hello,
I found two certificates with stateOrProvinceName: MALTA:
https://crt.sh/?id=1826547718
https://crt.sh/?id=1228500308

Assignee: bwilson → brenda.bernal
Status: NEW → ASSIGNED
Whiteboard: [ca-compliance]

These are OV certs that appropriately have Malta as the State according to https://en.wikipedia.org/wiki/ISO_3166-2:MT.

(In reply to Brenda Bernal from comment #1)

These are OV certs that appropriately have Malta as the State according to https://en.wikipedia.org/wiki/ISO_3166-2:MT.

Could you tell us which subdivision you're mentioning? More specifically, which ISO_3166-2:MT number? I can't seem to find 'Malta' as-is in the list.

If you're referencing either Rabat Malta or Żebbuġ Malta, those names should be included in the certificate in full, just like how 'York' is incomplete if referencing 'New York' (the state in the US of A).

Flags: needinfo?(brenda.bernal)

In https://bugzilla.mozilla.org/show_bug.cgi?id=1709392 another CA is revoking certificates for that reason. It would be strange if one CA thinks that such values are correct and another one thinks that they are incorrect.

We are working on a response and will provide it here shortly.

Flags: needinfo?(brenda.bernal)

We are filing the following incident report.

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

DigiCert first became aware of the certificates when a bug was filed on May 10, 2021: https://bugzilla.mozilla.org/show_bug.cgi?id=1710444.
Note that this bug relates to https://bugzilla.mozilla.org/show_bug.cgi?id=1576013 as the certificates identified in the bug contain bad address information. During that bug, DigiCert integrated a service into its validation process to verify all address information against an address checking tool. This fix was deployed in September 2019. Both certificates identified in this bug and the one additional certificate identified by DigiCert below were issued before Sept 2019, when the software was deployed. All three certificates were flagged during subsequent certificate scans but were labelled as false positives.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

05/10/2021: Bug 1710444 filed. DigiCert provided an initial response based on the verification data recorded prior to issuance. As Malta is a state in Malta, we believed this was a false positive. However, we discovered the state and locality are not congruent after another review. At that time, we initiated a review to see if any other validations marked as false positives had a similar mismatch of state and locality.

05/12/2021: We completed our review of the scan results. Three certificates were identified as warranting further review. Two were the Malta certificates identified in this bug and one was a certificate issued with inaccurate information in Mexico (https://crt.sh/?id=1826851928). We scheduled revocation and sent notice to impacted subscribers.

05/14/2020: Planned revocation of the following certs:
https://crt.sh/?id=1826547718
https://crt.sh/?id=1228500308
05/17/2021: Planned revocation for https://crt.sh/?id=1826851928. This is five days from when we identified the certificate issue on 5/12/2021.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

We deployed the address checking tool in Sept 2019. This software identifies addresses using map data and verifies that the certificate country, state, and locality data are correct. The three certificates identified in this bug were issued before the address checking tool was deployed in Sept 2019. In 2019-2020, DigiCert scanned all certificates against the address checking tool but identified a substantial number of false positives, primarily related to translation and transliteration of information. The address checking tool flagged these three certificates during the previous review. We identified these three as false positives as the localities and states named in the certificate were identified as valid. In particular, Malta was identified as an acceptable abbreviation for Rabat Malta. After an inspection, we determined that the locality in these three certificates does not match the state identified in the certificate, meaning the certificates have a mismatch in locality-state and should be revoked, regardless of whether Malta is allowed as a shorthand designation.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

The three certificates were issued on 02/19/2019, 08/26/2019, and 08/28/2019.

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

https://crt.sh/?id=1826547718
https://crt.sh/?id=1228500308
https://crt.sh/?id=1826851928

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The certificates avoided detection as each certificate was issued prior to implementation of our integration with the tool in Sep 2019. Although we reviewed each certificate against the address checking tool, these three certificates were identified as false positives because the flag was on the state not being a complete state name. As previously sent to the CAB Forum and discussed on this list, state is not a defined term in the Baseline Requirements or in the Mozilla policy. We have previously proposed ISO 3166-2 as the standard definition of state. That proposal was not approved or adopted by either body. We have primarily used ISO 3166-2 as an allow-list guideline but allow other listings, including government designations and address checked names from our tool. We believe this fully complies with the baseline requirements due to the lack of any definition of “state” in relevant policy documents. We do not require an exact match to ISO.

During our review of certificates, we allowed both Malta and Aguascalientes, including common abbreviations. The system flagged these three certificates because of the abbreviated name. Upon further review, we discovered that in addition to the abbreviated names, the locality-state do not match up. Therefore, we are revoking all three certificates.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

We implemented an address checking tool in Sept 2019 that verifies the locality, state, and country combination before permitting issuance of a certificate. For previously issued certificates we re-evaluated the data based on bad state-locality combinations and are revoking the identified certificates.
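The report describes two distinct checks the address tool performs: that stateOrProvinceName is a complete subdivision name rather than a fragment or abbreviation, and that the locality actually belongs to that subdivision. The following is an added illustration written for this page, not DigiCert's tool or any CA's production code. It assumes a constructed four-entry subset of the ISO 3166-2:MT list and a constructed state-to-locality table; a real deployment would load the full, current ISO data for every country it issues in. The normalisation step folds case and strips diacritics so that a transliterated value such as "Zebbug Malta" is not reported as a mismatch, which is the class of false positive the report says dominated the 2019-2020 scan.

```python
import unicodedata

# Constructed subset of the ISO 3166-2:MT subdivision list (Maltese local
# councils). Only four entries are included to keep the example short; a real
# check loads the complete, current list for every country it issues in.
SUBDIVISIONS = {
    "MT": ["Rabat Malta", "Sliema", "Valletta", "Żebbuġ Malta"],
}

# Constructed state -> localities table for the locality/state congruence
# check. For Malta the local council is the subdivision, so each state admits
# only its own locality, with or without the disambiguating suffix.
LOCALITIES = {
    "MT": {
        "Rabat Malta": ["Rabat", "Rabat Malta"],
        "Sliema": ["Sliema"],
        "Valletta": ["Valletta"],
        "Żebbuġ Malta": ["Żebbuġ", "Żebbuġ Malta"],
    },
}


def normalize(name: str) -> str:
    """Fold case, strip diacritics and collapse whitespace so a transliterated
    value such as 'Zebbug Malta' compares equal to 'Żebbuġ Malta'."""
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(base.casefold().split())


def parse_subject(rfc4514: str) -> dict:
    """Minimal parser for 'C=MT, ST=Malta, L=Valletta' (no escaping support)."""
    pairs = (part.split("=", 1) for part in rfc4514.split(","))
    return {k.strip(): v.strip() for k, v in pairs}


def check_subject(subject: dict) -> list:
    """Return a list of findings; an empty list means C/ST/L are consistent."""
    country = subject.get("C", "")
    state = subject.get("ST", "")
    locality = subject.get("L", "")
    names = SUBDIVISIONS.get(country)
    if names is None:
        return [f"no subdivision table loaded for country {country!r}"]

    by_norm = {normalize(n): n for n in names}
    wanted = normalize(state)
    canonical = by_norm.get(wanted)
    if canonical is None:
        # A value that is only part of a subdivision name ('Malta' for
        # 'Rabat Malta', 'York' for 'New York') is ambiguous, not an alias,
        # so it is rejected even though it is a substring of a valid entry.
        partial = [n for key, n in by_norm.items() if wanted and wanted in key]
        if partial:
            return [f"ST {state!r} is not a complete subdivision name; "
                    f"it is a fragment of {partial}"]
        return [f"ST {state!r} is not an ISO 3166-2:{country} subdivision"]

    findings = []
    allowed = {normalize(loc) for loc in LOCALITIES[country][canonical]}
    if normalize(locality) not in allowed:
        # Report where the locality actually belongs, if it is known at all.
        owners = [st for st, locs in LOCALITIES[country].items()
                  if normalize(locality) in {normalize(loc) for loc in locs}]
        where = f" (it belongs to {owners})" if owners else ""
        findings.append(f"L {locality!r} is not in ST {canonical!r}{where}")
    return findings


if __name__ == "__main__":
    # Constructed subjects; the first mirrors the pattern reported in this bug.
    for line in ("C=MT, ST=MALTA, L=Valletta",
                 "C=MT, ST=Zebbug Malta, L=Zebbug",
                 "C=MT, ST=Rabat Malta, L=Sliema"):
        print(line, "->", check_subject(parse_subject(line)) or "OK")
```

Running the block prints the bug's pattern ("MALTA" as a fragment of two different councils) as a finding, accepts the transliterated "Zebbug Malta"/"Zebbug" pair, and reports the locality-state mismatch case separately from the name check, which is the distinction the report draws between the original false-positive classification and the reason the certificates were ultimately revoked.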

Hi Ben, Is there anything else needed before we can close this bug?

Flags: needinfo?(bwilson)

I believe this matter can be closed and will anticipate doing so next Wednesday, 2-June-2021.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]