1710856 - DigiCert: Invalid localityName

Status: RESOLVED FIXED

(CA Program :: CA Certificate Compliance, task)

Description

[Michel Le Bihan]

Hello,
I found two certificates with localityName: Warszaw. That seems incorrect. The English name is Warsaw and the Polish one is Warszawa.
https://crt.sh/?id=1337422157
https://crt.sh/?id=1442444166

Comment 1

[Brenda Bernal]

Warszaw is an acceptable spelling. You can see it on almost 12K gov sites that spell it this way including cba.gov.pl/en/. We believe this is correct.

Comment 2

[Ryan Sleevi]

Yeah, this seems like RESOLVED/INVALID, so N-I for Ben for the close-out.

Note: Michel, you can always directly report these to the CA's problem reporting contact in their CP/CPS, which will get you a faster response than these incidents, as well as help raise any concerns with the CA's incident handling process.

Comment 3

[Michel Le Bihan]

You can see it on almost 12K gov sites that spell it this way

Could you please provide more examples? A Google search for that word does not return many results and it's possible that the several ones are also typos.

Comment 4

[Ben Wilson]

Even though this seems to be a somewhat minor issue of a cross between two accepted spellings, I'm not inclined to close it as Invalid at this time.

Comment 5

[Brenda Bernal]

There are many references online utilizing the spelling Warszaw. A general search will confirm this common alternate spelling. Here are some government sources as well as the University referencing "Warszaw".
Warszaw examples:
https://www.paih.gov.pl/files/?id_plik=17818
https://romania.trade.gov.pl/en/news/248504,warsaw-gastro-show-2018.html#
https://cba.gov.pl/en/
https://chooseabroad.com/listings/university-of-warszaw/
https://nabory.kprm.gov.pl/wyniki-naborow/mazowieckie/warszawa/specjalista,42479
https://www.poir.gov.pl/nabory/1-11/

If you translate online Warszaw from English to Polish, it shows the alternate spelling.

Comment 6

[George [:fozzie]]

Brenda: Although I'm not well acquainted with the Polish language, this does seem to be a typo of "Warszawa", indeed when you search for "Warszaw" this is corrected to "Warszawa". Many websites like https://en.wikipedia.org/wiki/Warsaw mention "Warszawa" and have no mention of "Warszaw". Looking at the examples you have posted, they seem to have also included this typo. For example, on many of these websites "Warszaw" is mentioned as part of an address, searching for this address does correct it to "Warszawa" and you will find more results with "Warszawa" unless you specifically filter to "Warszaw". Perhaps someone more knowledgeable about the Polish language can help us out here, perhaps someone from Certum?

Comment 7

[Brenda Bernal]

Here is our Incident Report:

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

DigiCert first became aware of the certificates when a bug was filed on May 12, 2021:
https://bugzilla.mozilla.org/show_bug.cgi?id=1710856

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

05/12/2021: Bug 1710856 filed. DigiCert provided an initial response to state that this is an alternate spelling for the locality as evidenced through an example government site we provided as reference.
05/14/2021: DigiCert provided additional information about government sites where the locality was consistent with the alternate spelling on the certificate. The community decided that these were still misspelled.
05/19/2020: The following certificates were revoked:
https://crt.sh/?id=1337422157
https://crt.sh/?id=1442444166

4. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

As stated in Bug 1710444, we deployed the address checking tool in Sept 2019. This tool identifies addresses using map data and verifies that the certificate country, state, and locality data are correct.

5. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

The two certificates were issued on 04/01/2019 and 05/07/2019.

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
   https://crt.sh/?id=1337422157
   https://crt.sh/?id=1442444166

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The certificates were issued prior to implementation of our integration with the address verification tool, which took place in September 2019. These two certificates were not identified as false positives during the previous review as the government sites listed Warszaw as a correct spelling.

7. List steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

We implemented an address checking tool in Sept 2019 that verifies the locality, state, and country combination before permitting issuance of a certificate. We revoked the two certificates indicated in this bug.

Comment 8

[Brenda Bernal]

Hi Ben, Is there anything else needed for this bug? Otherwise, we request closure.

Comment 9

[Ben Wilson]

I believe this matter can be closed and will anticipate doing so next Wednesday, 2-June-2021.