1. How your CA first became aware of the problem
On Friday, June 11, 2021, another CA sent us a report of 332 certificates it stated were misissued. We investigated all of them within the next 24 hours and determined that 47 had been misissued because the registration number was omitted in cases where one was available. The remainder had either been issued correctly or had already been revoked.
We revoked the 47 misissued certificates on June 16.
2. A timeline of the actions your CA took in response
All times Eastern Daylight Time
June 11, 12:29 pm
We receive a report of 332 supposedly misissued certificates at our SSL abuse line. Investigation begins.
This is a time-consuming investigation in which we must compare each certificate individually against the original documentation used to establish the subject's legal existence.
June 12, 11:44 pm
Investigation complete. 47 of the 332 reported certificates are confirmed misissued because of a missing registration number; the remainder were issued correctly or had already been revoked.
June 16, 11:00 am
The 47 misissued certificates are revoked.
The gap between the revocation date and this writeup is because we have been exploring options for programmatically defending against errors of this sort. In general we want to do that kind of analysis up front for new issues so that we can present a more complete picture to the community. Section 7 describes our planned path forward.
3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem
These certificates are individual cases of an intermittent and unpredictable human error during validation, not a systematic defect in our issuance pipeline, so there is no single failure mode to switch off; the programmatic control described in section 7 is intended to catch the error before issuance. The difficulty of making this determination reliably is illustrated by the original report itself: only 47 of the 332 certificates it listed (about 14%) were actually misissued.
4. A summary of the problematic certificates
47 certificates, issued between April 25, 2019 and June 2, 2021.
5. Certificate data
We have attached a list of affected certificates.
6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now
Sectigo does not presently have an automatic check in place to compare registration numbers in orders against the Qualified Government Information Source (QGIS) used to verify them. Official government documentation varies widely in format and content, so such a programmatic check would be difficult to create.
This variability also introduces risk of error into the validation process. The validation agent may have trouble finding a registration number in the available documentation, and because companies do not always have registration numbers, the agent may erroneously conclude that no such number is available when in fact it is. Registration number information varies greatly by locality and business type, with QGISs operating at the country, state, county, and even city level. The high false positive rate of the report that spawned this incident illustrates how hard it is to draw these conclusions in a systematically reliable way.
In each of these cases it appears the agent failed to find the registration number in the source information.
7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future.
We plan to add a feature that compares the presence of a registration number to our expectations based on the QGIS we use. We will create a lookup table with each QGIS and whether or not to expect a registration number (a simple Yes/No). The system will compare orders against this record and block issuance in the case of a mismatch.
For any QGIS with no value in this table, the system will skip this check. That lets us benefit from the check before we complete the heavy lift of researching and making a determination for every QGIS we use, rather than requiring 100% coverage first. It also means we can add a new QGIS without needing to decide at that same moment whether or not to expect a registration number.
We intend to expand this fundamental mechanism to other checks, including:
- QGIS-JOI match
- QGIS-businessCategory match
- QGIS-registration number formatting match (where possible)
And there may be others.
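The following is an added example, not Sectigo's own implementation, of the lookup-table check described above in Python. It records a Yes/No/unknown expectation per QGIS, blocks issuance on a mismatch, skips the check when no determination has been recorded, and applies a format check only where a format is known. The QGIS names, number formats and orders in it are constructed for illustration.

```python
# Added example (not Sectigo's code): a pre-issuance check comparing the
# presence and, where known, the format of an order's registration number
# against a per-QGIS lookup table. QGIS names, formats and orders below are
# constructed for illustration.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple
import re


class Expect(Enum):
    YES = "yes"          # this QGIS always assigns a registration number
    NO = "no"            # this QGIS never assigns one
    UNKNOWN = "unknown"  # not yet researched; the check is skipped


@dataclass(frozen=True)
class QgisRule:
    expect_regno: Expect
    regno_pattern: Optional[str] = None  # regex for the number's format, if known


# Constructed lookup table (hypothetical QGIS names and formats).
QGIS_RULES: Dict[str, QgisRule] = {
    "Example State Corporations Division": QgisRule(Expect.YES, r"\d{7}"),
    "Example National Companies Registry": QgisRule(Expect.YES, r"(?:[A-Z]{2}\d{6}|\d{8})"),
    "Example Municipal Business Register": QgisRule(Expect.NO),
    "Example Registry Not Yet Researched": QgisRule(Expect.UNKNOWN),
}


class Verdict(Enum):
    PASS = "pass"    # consistent with the table; issuance may proceed
    BLOCK = "block"  # mismatch; issuance is blocked pending manual review
    SKIP = "skip"    # no determination for this QGIS; check not applied


@dataclass(frozen=True)
class Order:
    order_id: str
    qgis: str
    registration_number: Optional[str]


def check_registration_number(order: Order, rules: Dict[str, QgisRule] = QGIS_RULES) -> Tuple[Verdict, str]:
    """Return (verdict, reason) for a single order."""
    rule = rules.get(order.qgis)
    if rule is None or rule.expect_regno is Expect.UNKNOWN:
        return Verdict.SKIP, f"no determination recorded for QGIS {order.qgis!r}"

    regno = (order.registration_number or "").strip()
    if rule.expect_regno is Expect.YES and not regno:
        return Verdict.BLOCK, "QGIS assigns registration numbers but the order has none"
    if rule.expect_regno is Expect.NO and regno:
        return Verdict.BLOCK, "QGIS does not assign registration numbers but the order carries one"
    if regno and rule.regno_pattern and not re.fullmatch(rule.regno_pattern, regno):
        return Verdict.BLOCK, f"registration number {regno!r} does not match the QGIS format"
    return Verdict.PASS, "registration number is consistent with the QGIS"


def gate_orders(orders: List[Order], rules: Dict[str, QgisRule] = QGIS_RULES) -> Tuple[List[str], List[str]]:
    """Apply the check to a batch.

    Returns (blocked order ids, QGIS names for which the check was skipped).
    The skipped list is the worklist for completing the table: a skip means
    the check did not run, so it should be recorded rather than silently dropped.
    """
    blocked: List[str] = []
    skipped = set()
    for order in orders:
        verdict, _ = check_registration_number(order, rules)
        if verdict is Verdict.BLOCK:
            blocked.append(order.order_id)
        elif verdict is Verdict.SKIP:
            skipped.add(order.qgis)
    return blocked, sorted(skipped)


# Constructed sample orders.
SAMPLE_ORDERS = [
    Order("o1", "Example State Corporations Division", "1234567"),  # pass
    Order("o2", "Example State Corporations Division", None),       # block: number missing
    Order("o3", "Example National Companies Registry", "AB12345"),  # block: wrong format
    Order("o4", "Example Municipal Business Register", "9"),        # block: number where none expected
    Order("o5", "Example Registry Not Yet Researched", None),       # skip: no determination yet
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        verdict, reason = check_registration_number(o)
        print(o.order_id, verdict.value, reason)
    print(gate_orders(SAMPLE_ORDERS))
```

Two properties of this design are worth stating explicitly. The check is fail-open for any QGIS without a determination, so the skipped list should be monitored and used to prioritise research on the table; coverage gaps are otherwise invisible. And the format check is deliberately optional per QGIS, matching the "where possible" qualifier above, because a wrong or over-strict pattern would block legitimate orders just as surely as a missing pattern lets bad ones through.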
We expect this functionality to be live no later than the end of August and are working on a more specific release date. Setting that date has been holding up this writeup, but we do not want to delay publishing it any longer. We will announce more specific plans as they become firm.