Here is our Incident Report:
- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
DigiCert first became aware of the certificates when a bug was filed on May 12, 2021.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
05/12/2021: Bug 1710856 filed. DigiCert's initial response stated that this is an alternate spelling of the locality, citing an example government site as a reference.
05/14/2021: DigiCert provided additional information about government sites where the locality was consistent with the alternate spelling on the certificate. The community decided that these were still misspelled.
05/19/2020: The following certificates were revoked:
- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
As stated in Bug 1710444, we deployed the address checking tool in Sept 2019. This tool identifies addresses using map data and verifies that the certificate country, state, and locality data are correct.
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
The two certificates were issued on 04/01/2019 and 05/07/2019.
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
The certificates were issued prior to implementation of our integration with the address verification tool, which took place in September 2019. These two certificates were not identified as false positives during the previous review as the government sites listed Warszaw as a correct spelling.
- List steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
We implemented an address checking tool in Sept 2019 that verifies the locality, state, and country combination before permitting issuance of a certificate. We revoked the two certificates indicated in this bug.
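A pre-issuance locality check of the kind described above, as an added illustration (not DigiCert's tool): it parses the subject's C, ST and L, looks the combination up in a reference gazetteer, and reports a close-match hint so a reviewer can tell a misspelling from a genuine alternate name. The gazetteer, the `parse_subject`/`check_locality` names and the subject strings are constructed for this example.

```python
import difflib

# Constructed reference data standing in for map data:
# country -> state/province -> set of accepted locality spellings.
GAZETTEER = {
    "PL": {"Mazowieckie": {"Warsaw", "Warszawa"}},
    "US": {"Utah": {"Lehi", "Salt Lake City"}},
}


def parse_subject(subject):
    """Parse a simple 'C=PL, ST=Mazowieckie, L=Warsaw, O=Example' string into a dict.

    Escaped commas inside attribute values (RFC 4514) are not handled here.
    """
    fields = {}
    for part in subject.split(","):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip().upper()] = value.strip()
    return fields


def check_locality(subject):
    """Return (ok, message); ok is False when C/ST/L is not a known combination."""
    f = parse_subject(subject)
    country, state, locality = f.get("C"), f.get("ST"), f.get("L")
    if not (country and state and locality):
        return False, "subject must carry C, ST and L"
    states = GAZETTEER.get(country)
    if states is None:
        return False, f"unknown country {country!r}"
    localities = states.get(state)
    if localities is None:
        return False, f"state {state!r} not found in country {country!r}"
    if locality in localities:
        return True, "ok"
    # Offer the closest accepted spelling so the reviewer sees a likely typo
    # (e.g. 'Warszaw') rather than silently rejecting the request.
    close = difflib.get_close_matches(locality, sorted(localities), n=1, cutoff=0.8)
    hint = f"; did you mean {close[0]!r}?" if close else ""
    return False, f"locality {locality!r} not found in {state}, {country}{hint}"
```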