Open Bug 1746421 Opened 5 months ago Updated 2 months ago

PKIoverheid: (KPN) Incorrect Subject OrganizationName

Categories

(NSS :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: david.weissenberg, Assigned: david.weissenberg)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53

Logius PKIoverheid received the following e-mail on 12-15-2021 13:53 (local time):

Hi, Please may I direct your attention to the following certificates: https://crt.sh/?q=Dienst+Uitvoering+Onderwijs+test
I am unable to find the company shown on the certificate and believe it to be incorrect information. Please revoke these certificates and post a report on Mozilla's Bugzilla.

We are in the process of analyzing the issues and will file a complete Post Mortem as soon as possible.

Assignee: bwilson → david.weissenberg
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

  • All times in UTC +2h

On December 6th 2021 13:43 an e-mail was first sent to Logius (servicecentrum@logius.nl). This e-mail did not reach the PKIoverheid team since the wrong contact information was used. According to the KPN PKIoverheid CPS, the following contact information can be used to reach TSP KPN:

To notify KPN of a service outage or report a suspected private key compromise, certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to certificates, please contact: pkio.servicedesk@kpn.com

To request an urgent certificate revocation outside office hours (Mon-Fri, 9h-17h), please contact the servicedesk: +31 88 – 661 06 21 (only for a revocation request) esd.cic@kpn.com

On December 15th 13:18, the e-mail was resent, this time to a former Logius PKIoverheid team-member. This former team member forwarded the e-mail to the current Logius PKIoverheid team on December 15th on 16:33.

On December 16th, 2021 13:53, KPN is informed by Logius (policy owner PKIoverheid) that Logius received an abuse report regarding 16 issued server certificates.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
Timeline (Times in UTC +2h)

Date Time Action
06-12-2021 13:43 Abuse Report is sent to Logius
15-12-2021 13:53 Reminder is sent to Logius
16-12-2021 13:27 Logius informed KPN
16-12-2021 13:59 KPN started analysis
16-12-2021 15:10 KPN provides first results of analysis to Logius
16-12-2021 15:30 Based on the first analysis of KPN, Logius opened bug 17464221
16-12-2021 15:35 KPN informed the validation team and the organization ‘Dienst Uitvoeringsorganisatie Organisatie’
16-12-2021 16:15 KPN received confirmation of ‘Dienst Uitvoeringsorganisatie Organisatie’ to revoke the certificates
16-12-2021 17:41 The 16 certificates are revoked by KPN
16-12-2021 17:59 KPN informed Logius
17-12-2021 09:00 KPN started to adjust the documented validation instruction and started investigation to determine whether there are more certificates with this issue
17-12-2021 14:16 Modified validation instruction released
20-12-2021 09:45 Determined that no other server certificates are issued with this issue

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

KPN has immediately amended the validation instruction in order to prevent issuing new certificates with this issue.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

KPN issued 16 certificates with organizationName ‘Dienst Uitvoering Onderwijs test’. This organization name does not correspond to the Dutch trade register of the Chamber of Commerce.

First certificate is issued on 02-03-2021 and the last certificate issued on 06-07-2021. These certificates are all revoked on December 16th 2021 17:41.

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

There were 16 problematic certificates: https://crt.sh/?q=Dienst+Uitvoering+Onderwijs+test

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

For server certificates with an Organization Identifier Number (OIN), the OIN is validated by KPN on the basis of the Central OIN Consultation Facility of the Dutch Ministry of Internal Affairs (https://portaal.digikoppeling.nl/registers/). In addition to the OIN number, the organization name is also included in the Central OIN Consultation Facility and these names normally correspond to the names in the trade register of the Chamber of Commerce. Since 21 January 2021 the organisation ‘Dienst Uitvoering Onderwijs test’ has been included in this facility, but this organization name is not listed in the trade register of the Chamber of Commerce. This was not noticed during the validation process of the problematic certificates.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

The 16 problematic certificates are all revoked on December 16th 2021 17:41.

The validation instruction has been adjusted so that only the OIN number is validated on the basis of the Central OIN Consultation Facility and that the organization name always corresponds with the trade register of the Chamber of Commerce and may not be taken from the Central OIN Consultation Facility.

Logius is looking into the possibility of checking issued certificates with the post-issuance linting tool against the trade register of the Chamber of Commerce.
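As an added illustration of the post-issuance check described in items 6 and 7 (this is example code written for this page, not KPN's or Logius's tooling), the lint below parses the subject of an issued certificate, checks the OIN against the OIN facility, and requires the subject organizationName to match the trade register rather than the name recorded in the OIN facility. The register contents, the subject strings and the use of an `organizationIdentifier` attribute to carry the OIN are all constructed assumptions for this example; only the name "Dienst Uitvoering Onderwijs test" comes from the report.

```python
"""Post-issuance lint: does subject:organizationName match the trade register?

Assumptions (all constructed for this example):
  - subjects are RFC 2253-style strings as printed by
    `openssl x509 -noout -subject -nameopt RFC2253`
  - the OIN is carried in an `organizationIdentifier` attribute
  - the OIN facility is a dict OIN -> name, the trade register a set of names
"""
import re

# Constructed lookup data, not real register contents. The first OIN facility
# entry mirrors the situation in the report: a name present in the OIN
# facility but absent from the trade register.
OIN_FACILITY = {
    "00000001234567890000": "Dienst Uitvoering Onderwijs test",
    "00000009876543210000": "Voorbeeldgemeente",
}
TRADE_REGISTER = {"Voorbeeldgemeente", "Voorbeeld B.V."}

# Constructed subjects of "issued" certificates.
ISSUED_SUBJECTS = [
    "CN=test.example.nl,O=Dienst Uitvoering Onderwijs test,"
    "organizationIdentifier=00000001234567890000,C=NL",
    "CN=www.example.nl,O=Voorbeeldgemeente,"
    "organizationIdentifier=00000009876543210000,C=NL",
    "CN=shop.example.nl,O=Voorbeeld B.V.,"
    "organizationIdentifier=00000000000000000001,C=NL",
]


def parse_rfc2253_subject(subject: str) -> dict:
    """Split 'O=Foo\\, Inc.,C=NL' into {'O': 'Foo, Inc.', 'C': 'NL'}.

    Commas escaped with a backslash (as openssl prints them) stay inside the value.
    """
    fields = {}
    for part in re.split(r"(?<!\\),", subject):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip().replace("\\,", ",")
    return fields


def normalize(name: str) -> str:
    """Case-fold and collapse whitespace only; no abbreviation handling,
    so 'Voorbeeld BV' and 'Voorbeeld B.V.' are still different names."""
    return " ".join(name.casefold().split())


def lint_subject(fields: dict, oin_facility: dict, trade_register: set) -> list:
    """Return a list of findings (empty when the subject passes).

    Rule 1: the OIN must exist in the OIN facility.
    Rule 2: organizationName must be a trade register name; a name that only
            matches the OIN facility entry is flagged, because that is the
            shortcut the corrected validation instruction forbids.
    """
    findings = []
    oin = fields.get("organizationIdentifier")
    org = fields.get("O")
    if oin is None:
        return findings  # lint only applies to certificates carrying an OIN
    if oin not in oin_facility:
        findings.append(f"OIN {oin} not found in OIN facility")
    if org is None:
        findings.append("subject has no organizationName")
        return findings
    registered = {normalize(n) for n in trade_register}
    if normalize(org) not in registered:
        msg = f"organizationName {org!r} not in trade register"
        facility_name = oin_facility.get(oin)
        if facility_name is not None and normalize(facility_name) == normalize(org):
            msg += " (name matches the OIN facility entry, not the trade register)"
        findings.append(msg)
    return findings


def lint_issued(subjects, oin_facility=OIN_FACILITY, trade_register=TRADE_REGISTER) -> dict:
    """Lint every subject; map each failing subject string to its findings."""
    report = {}
    for subject in subjects:
        findings = lint_subject(parse_rfc2253_subject(subject), oin_facility, trade_register)
        if findings:
            report[subject] = findings
    return report


if __name__ == "__main__":
    for subject, findings in lint_issued(ISSUED_SUBJECTS).items():
        print(subject)
        for finding in findings:
            print("  -", finding)
```

Run as a script it prints one block per failing subject; the second constructed subject passes both rules and is not listed. The normalization is deliberately minimal so that the lint flags spelling variants instead of silently accepting them, which leaves the question of accepted abbreviations to the written guideline rather than to the tool.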

Type: enhancement → task

As described in the post mortem, KPN has adjusted its validation method to avoid reoccurrence. We believe this bug can be closed.

Logius is looking into the possibility of checking issued certificates with the post-issuance linting tool against the trade register of the Chamber of Commerce.

Could you provide an update on the status of this?

Flags: needinfo?(david.weissenberg)

(In reply to David Weissenberg from comment #2)

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

There were 16 problematic certificates: https://crt.sh/?q=Dienst+Uitvoering+Onderwijs+test

Just providing a link to a query is not sufficient. The results could change, and it doesn't show that you have done the necessary steps of recording the complete certificate data.

Hello Matthias and Mathew,

First of all our apologies for the delay in the update.
In reply to Mathew from comment #5 we hereby present the full list of 16 affected certificates.

https://crt.sh/?id=4820065889
https://crt.sh/?id=4819632434
https://crt.sh/?id=4819594569
https://crt.sh/?id=4819594457
https://crt.sh/?id=4814497684
https://crt.sh/?id=4814497639
https://crt.sh/?id=4814497515
https://crt.sh/?id=4793525538
https://crt.sh/?id=4684344665
https://crt.sh/?id=4542115360
https://crt.sh/?id=4542111189
https://crt.sh/?id=4433640581
https://crt.sh/?id=4433595407
https://crt.sh/?id=4345337619
https://crt.sh/?id=4152290535
https://crt.sh/?id=4152290354

Furthermore, in reply to Matthias in comment #4 we can confirm we are in the process of implementing a fully automated post-issuance check against the Chamber of Commerce registration of Dutch businesses and the Dutch State Almanac for government organisations. For now we carry out spot checks on the issued certificates.

Weekly updates on the progress will be posted.

Flags: needinfo?(david.weissenberg)

Currently we have no updates with regards to the automated post-issuance checking. Our technical specialists are still working on that but it isn't fully ready yet.

It took us a little bit longer than expected but the fully automated post-issuance checks are in place. All issued certificates have been checked. Based on the outcome of this check, we are developing guidelines on the usage of locally accepted common abbreviations and variations, as well as formalizing which classes of government entities (registered in the Formal government organizational register ("Staatsalmanak") and not necessarily at the Chamber of Commerce) are allowed to be used as subject:organization names. This guideline will probably undergo some more iterations after feedback rounds with our TSPs. Our current estimate is this guideline will be finished at the end of April.