Closed Bug 1734131 Opened 3 years ago Closed 3 years ago

SwissSign: wrong address in EV certificate

Categories: CA Program :: CA Certificate Compliance, task

Tracking: Not tracked

Status: RESOLVED FIXED

People: Reporter: michael.guenther, Assigned: michael.guenther

Details: Whiteboard: [ca-compliance] [ev-misissuance] [ov-misissuance]

Attachments: 1 file

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

During our 12-month review of EV customers we detected that the street field in 80 EV certificates is wrong.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

All times are CEST
20211004 ~14:00 Review by our RA of the affected customer's EV fields (first pair of eyes)
20211005 ~09:00 Review by our RA (second pair of eyes): confirming the issue with the street address
Note: the confirmation by the second pair of eyes triggers the correction of the certificate data
20211005 10:00 Information Security & Compliance is informed and an investigation is started
20211005 10:30 Confirmation of issue by ISC. The mis-issued certificate process is started
20211005 10:45 Informing our Auditors
20211005 11:00 List of valid mis-issued certificates issued in 2021
20211005 13:45 Opening Bugzilla for this incident

3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.

As we have corrected the address we do not expect that any new certificates of this customer will be mis-issued.

4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.

There is a total of 80 certificates from one customer involved.

5. In a case involving TLS server certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. When the incident being reported involves an SMIME certificate, if disclosure of personally identifiable information in the certificate may be contrary to applicable law, please provide at least the certificate serial number and SHA256 hash of the certificate. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.

Based on the current list

  • List of crt.sh links (see attachment). All links include the SHA256 fingerprint

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

At the time of onboarding of the customer the term 'Staatskanzlei' was interpreted as an address addendum. The 2021 revision of our internal review procedures does not allow such an address addendum for governmental units anymore. As this customer's 12-month review period is triggered in October, we detected it now.

7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

  • We inform the customer to request new certificates and afterwards to revoke the certificates
  • Latest on Sunday, 20211010 09:00 CEST: If the customer has not revoked the certificates, SwissSign will execute the revocation (within 5 days of RA confirmation)
  • Update this ticket until the internal incident is closed
Flags: needinfo?(bwilson)
Assignee: bwilson → michael.guenther
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]
  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
    All times are CEST
    20211004 ~14:00 Review by our RA of the affected customer's EV fields (first pair of eyes)
    20211005 ~09:00 Review by our RA (second pair of eyes): confirming the issue with the street address
    Note: the confirmation by the second pair of eyes triggers the correction of the certificate data
    20211005 10:00 Information Security & Compliance is informed and an investigation is started
    20211005 10:30 Confirmation of issue by ISC. The mis-issued certificate process is started
    20211005 10:45 Informing our Auditors
    20211005 11:00 List of valid mis-issued certificates issued in 2021
    20211005 13:45 Opening Bugzilla for this incident

Update to timeline
20211009 21:49 UTC we have revoked all 80 certificates

  7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.
  • We inform the customer to request new certificates and afterwards to revoke the certificates
  • Latest on Sunday, 20211010 09:00 CEST: If the customer has not revoked the certificates, SwissSign will execute the revocation (within 5 days of RA confirmation)
  • Update this ticket until the internal incident is closed

Revocation is done. From our point of view there are no more open tasks.

Flags: needinfo?(bwilson)

I will call this up on next Wed. 20-Oct-2021 and close it, unless there are questions still to be answered.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ev-misissuance] [ov-misissuance]