Closed Bug 1766255 Opened 2 years ago Closed 2 years ago

SwissSign: Mis-Issuance of S/MIME certificates

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: michael.guenther, Assigned: michael.guenther)

Details

(Whiteboard: [ca-compliance] [uncategorized])

Attachments

(2 files)

CertificateList_part1: 8.88 MB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
CertificateList_part2: 3.65 MB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in the MDSP mailing list, a Bugzilla bug, or internal self-audit), and the time and date.
In preparation for the re-publishing of our CPR document we conducted an internal audit of the end-user certificate profiles. The analysis meeting took place on Monday, 20220425 at 8 CEST. We detected that during our last revision the end-user profile for LCP certificates with an organization entry was deleted from the published CPR S/MIME.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

20211011
Republishing of CPR S/MIME SwissSign_CPR_SMIME to include the new issuing CAs of root "SwissSign RSA SMIME Root CA 2021-1" (https://crt.sh/?caid=217343) which is cross-signed by SwissSign Gold CA-G2 (https://crt.sh/?caid=138)

20220425 08:00 - 09:00 CEST

  • Start internal audit
  • Gathering and analyzing data
  • Detection of mis-issuance because of missing end-user profile
  • Decision on best remediation approach: immediate re-publishing of new CPR S/MIME

20220425 08:30 CEST
Internal compliance incident is opened (includes the revocation of mis-issued certificates within 5 days, by 20220430 08:30 CEST)

20220425 09:15 - 10:00 CEST

  • Add the missing profile to the CPR S/MIME v 3.0, chapter 3.3.1.2 --> internal review by second pair of eyes
  • Signing and publishing of CPR S/MIME on repository.swisssign.com

20220425 08:30 - 12:00 CEST

  • Gathering data on the affected customers
  • Inform our customers

20220425 14:00 - 15:30 CEST
Create and publish this Bugzilla report

20220425 15:30 - 16:00 CEST
Informing involved root stores and our auditors

3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.
Yes, by publishing version 3 of the CPR S/MIME we corrected our error. The replacement certificates are now in line with the certificate profile in the CPR S/MIME.

4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.
In the period from 20211011 until 20220424, 140'894 certificates are affected.

5. When the incident being reported involves an SMIME certificate, if disclosure of personally identifiable information in the certificate may be contrary to applicable law, please provide at least the certificate serial number and SHA256 hash of the certificate. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.
We will update this report by tomorrow at the latest with an attachment which includes the serial number and the SHA256 hash of all mis-issued certificates.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
From our initial investigation, our current assumption is that during the writing process of the CPR S/MIME v2 the second pair of eyes declined the inclusion of the "LCP with Organization" profile by mistake (instead of accepting it), which resulted in an incomplete CPR for S/MIME certificates.
As to why it has not been detected until now: as we use MS Word in track-changes mode to write our documents, after the rejection of the above chapter there was no evidence of it visible in the Word document.

7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.
We have the following immediate steps listed:
1. Publish version 3 of the CPR S/MIME (done)
2. Revoke all mis-issued certificates by 20220430 08:30 CEST at the latest (ongoing)
3. Delivery of the certificate list according to 5. above (by 20220426)
4. Process improvement with a third pair of eyes for an overall recheck of new public documents (by 20220527 at the latest)

Flags: needinfo?(bwilson)
Component: CA Certificate Root Program → CA Certificate Compliance
Assignee: bwilson → michael.guenther
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance]
Attached file CertificateList_part1
Attached file CertificateList_part2

This is the first update.

7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.
We have the following immediate steps listed:

1. Publish version 3 of the CPR S/MIME (done)
2. Revoke all mis-issued certificates by 20220430 08:30 CEST at the latest (ongoing)
3. Delivery of the certificate list according to 5. above (done)
4. Process improvement with a third pair of eyes for an overall recheck of new public documents (by 20220527 at the latest)

This is the second update: all certificates have been revoked last Friday, 20220429.

7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.
We have the following immediate steps listed:
1. Publish version 3 of the CPR S/MIME (done)
2. Revoke all mis-issued certificates by 20220430 08:30 CEST at the latest (done)
3. Delivery of the certificate list according to 5. above (done)
4. Process improvement with a third pair of eyes for an overall recheck of new public documents (by 20220527 at the latest)

This is the third update.
7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.
We have the following immediate steps listed:
1. Publish version 3 of the CPR S/MIME (done)
2. Revoke all mis-issued certificates by 20220430 08:30 CEST at the latest (done)
3. Delivery of the certificate list according to 5. above (done)
4. Process improvement with a third pair of eyes for an overall recheck of new public documents (by 20220527 at the latest)

As a last step we updated our review process. As an additional step, a separate pair of eyes checks the pre-print version of the public document to be published, compares it with the currently published version and checks all document change tickets. This process update would have caught the mistake which triggered this Bugzilla report.

Michael,
Have all of the underlying issues been remediated?
Thanks,
Ben

Flags: needinfo?(michael.guenther)

Ben,
yes, with the last posting all steps 1-4 are now remediated. We believe that this solution fixes the reason that triggered this Bugzilla report.
Thanks, Mike

  7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.
    We have the following immediate steps listed:
    1. Publish version 3 of the CPR S/MIME (done)
    2. Revoke all mis-issued certificates by 20220430 08:30 CEST at the latest (done)
    3. Delivery of the certificate list according to 5. above (done)
    4. Process improvement with a third pair of eyes for an overall recheck of new public documents (by 20220527 at the latest)
Flags: needinfo?(michael.guenther) → needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [uncategorized]