IdenTrust: EV TLS certificate with invalid Jurisdiction state for government entity
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: roots, Assigned: roots)
Details
(Whiteboard: [ca-compliance] [ev-misissuance])
Steps to reproduce:
- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
As part of an internal effort reviewing compliance with the CAB F., on 02/11/2022 we have discovered an active EV TLS certificate for a government entity with the “jurisdictionStateOrProvinceName” field. As this entity updated their registration to operate in other states, this field must not be included in the certificate per this CA-Browser-Forum-EV-Guidelines-1.7.8:
9.2.4. Subject Jurisdiction of Incorporation or Registration Field
jurisdictionStateOrProvinceName -(if required)
These fields (jurisdictionLocalityName, jurisdictionStateOrProvinceName, jurisdictionCountryName) MUST NOT contain information that is not relevant to the level of the Incorporating Agency or Registration Agency. For example, the Jurisdiction of Incorporation for an Incorporating Agency or Jurisdiction of Registration for a Registration Agency that operates at the country level MUST include the country information but MUST NOT include the state or province or locality information.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
2022-2-11 15:35 MST: Received internal message identifying this discrepancy.
2022-2-11 13:56 MST: Confirmed the issue is present in only one active EV TLS certificate and made the customer aware of replacement and revocation within 5 days. We also found another 3 certificates with the same issue, but they were revoked prior to this discovery.
2022-2-16 15:32 MST: Government entity revoked the certificate
2022-2-17 11:00 MST: Updated the validation procedure for government entities to clearly identify the requirements for address state and jurisdiction of incorporation state.
- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
Yes
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
4 certificates issued between 2021-12-8 and 2022-1-31
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
6081003196; 5966111205; 5761545602; 5917018283
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
There was a misunderstanding of the requirements of the ‘Formation State’ field. We had believed this was a required field that could not be blank. Because the agency’s headquarters address was in the state of Maryland, it was assumed this was the correct information to enter in this field.
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
Agents have been re-trained on the Baseline Requirements for government agencies. To take care of validating the jurisdiction state, an agent will be required to complete a checklist, essentially marking off that all requirements have been met per CA/B Forum Baseline Requirements. The checklist must not be completed by the person who vetted the organization, but by a different agent. The document must be digitally signed and uploaded to the account vetting screen.
The Extended Validation procedure has been updated with this new process effective 2022-02-17.
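An added check, written for this bug and not IdenTrust's or Mozilla's code, that encodes the EV Guidelines 9.2.4 rule quoted above as a lint over a certificate subject: given the level at which the Incorporating or Registration Agency operates, it reports jurisdiction fields that are missing or that must not be present. The OIDs are the standard jurisdiction attribute OIDs; the sample subject is constructed with placeholder names, and the state- and locality-level rows follow the later sentences of the same clause.

```python
# EV jurisdiction attribute OIDs (EV Guidelines 9.2.4).
JURISDICTION_LOCALITY = "1.3.6.1.4.1.311.60.2.1.1"
JURISDICTION_STATE = "1.3.6.1.4.1.311.60.2.1.2"
JURISDICTION_COUNTRY = "1.3.6.1.4.1.311.60.2.1.3"

NAMES = {
    JURISDICTION_LOCALITY: "jurisdictionLocalityName",
    JURISDICTION_STATE: "jurisdictionStateOrProvinceName",
    JURISDICTION_COUNTRY: "jurisdictionCountryName",
}

# The jurisdiction fields describe the agency's level, not the subscriber's
# address: a country-level agency gets only the country, a state-level agency
# gets country + state, a locality-level agency gets all three.
REQUIRED = {
    "country": {JURISDICTION_COUNTRY},
    "state": {JURISDICTION_COUNTRY, JURISDICTION_STATE},
    "locality": {JURISDICTION_COUNTRY, JURISDICTION_STATE, JURISDICTION_LOCALITY},
}


def check_jurisdiction(subject, agency_level):
    """Lint a subject given as (OID, value) pairs; [] means compliant."""
    if agency_level not in REQUIRED:
        raise ValueError(f"unknown agency level: {agency_level!r}")
    present = {oid for oid, _ in subject if oid in NAMES}
    required = REQUIRED[agency_level]
    findings = []
    for oid in sorted(required - present):
        findings.append(f"missing {NAMES[oid]} for {agency_level}-level agency")
    for oid in sorted(present - required):
        findings.append(
            f"{NAMES[oid]} MUST NOT be present for {agency_level}-level agency")
    return findings


# Constructed sample subject mirroring the shape of the reported misissuance:
# a federal (country-level) agency whose headquarters state was copied into
# the jurisdiction state field. Placeholder names, not the real certificate.
SAMPLE_SUBJECT = [
    ("2.5.4.6", "US"),                         # countryName
    ("2.5.4.8", "Maryland"),                   # stateOrProvinceName (address, fine)
    ("2.5.4.10", "Example Federal Agency"),    # organizationName
    (JURISDICTION_COUNTRY, "US"),
    (JURISDICTION_STATE, "Maryland"),          # the error this report is about
    ("2.5.4.3", "www.example.gov"),            # commonName
]
```

Running `check_jurisdiction(SAMPLE_SUBJECT, "country")` reproduces the finding from this report; dropping the jurisdiction state entry makes it pass.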
The certificates on item 5 above in the recommended format:
https://crt.sh/?sha256=13563f2f83c431ad6b5249bfe16efbc48a43cba55c4eb32a953cefce40b83ed7
https://crt.sh/?sha256=fda5e60b1da19c37ad31287c7832d15fc811d2a1b32470cc31d3b186be2ff287
https://crt.sh/?sha256=1827e4c2ed1ff2f7640938e6b04fb654593a299b282be78a66da8f1d64884f97
https://crt.sh/?sha256=deefee5e0245937d5286b91e14f37c1fe08d9a168a6f72e2fd2500b12977d269
We have no other pending activities for this incident and consider this issue resolved.
Just to confirm that we have no other pending activities for this incident other than including it in this year's WebTrust annual audit report.
Comment 4•3 years ago
I believe this can be closed and will do so on 13-Apr-2022 unless there are any important concerns to address.