- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in the MDSP mailing list, a Bugzilla bug, or internal self-audit), and the time and date.
In internal routines related to email validation, Telia CA found exceptional domain validation information where the email address was one of the five standard ones but it wasn't using the same domain. We decided to verify all domains validated by email. We found a few similar cases. All issues happened in early 2020, when Telia was still using the old validation software.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
Thu 2021-10-14 16:00 We discovered one pre-validated domain object where the information was confusing because it was neither one of the 5 static addresses nor from the DNS contacts.
Thu 2021-10-14 16:00-18:00 We evaluated the problem. It was identified to have happened only to a few domains during 03-06/2020. All except one were Telia's own domains.
Fri 2021-10-15 8:00-15:30 We continued the evaluation. We found that this was a bug in our previous validation software. In the multi-SAN case in Telia's SSL ordering system it could use the same target email address for all unvalidated domains in the same request. Thus a domain could be approved by the wrong hostmaster. The current software has no similar erroneous behavior. We also found that there were 7 valid certificates that were still using those illegally validated domains. All illegally validated domains have already expired, so new illegal certificates can't be created anymore. We started a process to revoke all valid certificates that were still using the illegally validated domains.
Fri 2021-10-15 15:45 Mozilla incident was created.
- Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.
The change in the domain reuse period on 1 Oct 2021 expired all problematic domains from early 2020, so Telia has stopped creating illegal certificates.
- In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.
7 certificates using these illegally validated domains are still valid. ~30 were using them at some point in time.
- In a case involving TLS server certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. When the incident being reported involves an SMIME certificate, if disclosure of personally identifiable information in the certificate may be contrary to applicable law, please provide at least the certificate serial number and SHA256 hash of the certificate. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.
Certificates that used the illegally validated domains were:
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
Telia's previous order validation software, which was closed in October 2020, had a bug when sending emails to hostmasters. The bug triggered only in special circumstances that went undetected by all tests and users. In the most common Telia process, customers use the self-service system, which didn't have any problems. The email method is not the most used method. In the ordering system, domains are typically prevalidated and only afterwards does the customer place orders. The bug required that the ordering system was used, the email method was used, and there were several previously unvalidated domains in the same CSR that used different email details. In Telia CA's history there have been only 3 such orders. They caused 7 domains to be illegally validated. It is hard to detect this kind of error when it requires rare circumstances and the actual hostmaster is practically from the same team (from the same company).
- List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.
In addition to the steps listed above (e.g. revocations), Telia will create a new monitoring tool next week that raises an alarm if a validation email is about to be sent to a different domain than the target domain. Testing will also be improved from now on to include use cases like the one that triggered this bug.
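The check such a monitor needs, written here as an added example and not Telia's own tool: for every SAN in a multi-SAN request, confirm that the planned validation e-mail recipient uses one of the five constructed local parts and a domain that is the target FQDN or one of its parents, so that a recipient copied from another SAN in the same request (the failure mode described in the timeline) is flagged before the mail is sent. Domains in the sample are placeholders, and the parent-domain check stops at two labels instead of consulting the Public Suffix List, which a production check must do.

```python
from __future__ import annotations

# The five local parts the Baseline Requirements (3.2.2.4.4) permit for
# constructed validation e-mail addresses.
ALLOWED_LOCAL_PARTS = {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}


def is_authorization_domain(candidate: str, fqdn: str) -> bool:
    """True if `candidate` is `fqdn` itself or a parent domain of it.

    Assumption: pruning stops at two labels; a real implementation must stop
    at the registrable domain derived from the Public Suffix List instead.
    """
    cand = candidate.lower().rstrip(".")
    labels = fqdn.lower().rstrip(".").split(".")
    while len(labels) >= 2:
        if ".".join(labels) == cand:
            return True
        labels = labels[1:]  # prune one label from the left
    return False


def validation_email_mismatches(request: dict[str, str]) -> list[tuple[str, str, str]]:
    """Inspect a request mapping each SAN to the address a validation e-mail is
    about to be sent to. Returns (san, recipient, reason) for every recipient
    that could not have been constructed from that SAN."""
    findings: list[tuple[str, str, str]] = []
    for san, recipient in request.items():
        local, _, domain = recipient.partition("@")
        if not domain:
            findings.append((san, recipient, "not an e-mail address"))
        elif local.lower() not in ALLOWED_LOCAL_PARTS:
            findings.append((san, recipient, "local part is not one of the five constructed ones"))
        elif not is_authorization_domain(domain, san):
            findings.append((san, recipient, "recipient domain differs from target domain"))
    return findings


# Constructed sample: three previously unvalidated domains in one request where
# the first SAN's hostmaster address was reused for all of them.
SAMPLE_REQUEST = {
    "www.example.com": "hostmaster@example.com",
    "shop.example.net": "hostmaster@example.com",  # example.com cannot vouch for example.net
    "mail.example.org": "hostmaster@example.com",  # same problem
}

if __name__ == "__main__":
    for san, recipient, reason in validation_email_mismatches(SAMPLE_REQUEST):
        print(f"ALARM: {san} -> {recipient}: {reason}")
```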