Closed Bug 1771715 Opened 2 years ago Closed 2 years ago

Firmaprofesional: 2022 - StateorProvince field

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mprieto, Assigned: mprieto)

Details

(Whiteboard: [ca-compliance] [ev-misissuance] [ov-misissuance])

Attachments

(1 file)

Steps to reproduce:

1.3.6.1.4.1.13177.10.1.1.1 (QCP-n-qscd), 1.3.6.1.4.1.13177.10.1.1.2 (QCP-n), 1.3.6.1.4.1.13177.10.1.10.2 (QCP-l), 1.3.6.1.4.1.13177.10.1.2.1 (QCP-n-qscd), 1.3.6.1.4.1.13177.10.1.2.2 (QCP-n): Some certificates of the sample have been detected whose subject:stateorProvince field contains values that do not exactly correspond to the name of the provinces.
1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
30/05/2022, when Firmaprofesional received the eIDAS report from the auditors.

Actual results:

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
30/05/2022 Firmaprofesional will analyze whether this finding also affects TLS certificates.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
It is not a generalized error but specific human errors, so the issuance of certificates has not been stopped. As stated in point 7, Firmaprofesional will implement technical controls to minimize human errors.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
30/05/2022 Firmaprofesional analyzes whether this finding also affects TLS certificates.
31/05/2022 Firmaprofesional will update this ticket with the results of the previous analysis.
5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
We are analyzing now.

Expected results:

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
There is no technical control that prevents entering other geographical subdivisions.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
Firmaprofesional will implement a technical control for the StateorProvince field of all its types of certificates within a period of 2 months.
Firmaprofesional will analyze if there is currently any business requirement to maintain the StateorProvince fields. If this is not the case, Firmaprofesional will study its deletion.

After performing a thorough analysis of TLS certificates, the following certificates have been found to have a geographic location in the stateOrProvince field that does not exactly correspond to a State or Province:


The steps to take are:

  • 31/05/2022, 9:00 First, notify customers.
  • 31/05/2022, 9:00 Second, Firmaprofesional has analyzed that the StateorProvince is not necessary in TLS Certificates for commercial reasons, and it is not necessary for technical reasons (Baseline requirements) because they already have the Locality field. Therefore it is decided to suppress it in future TLS certificate issues.
  • Third, revoke all certificates within 5 days.
  • Fourth, for information purposes, for the rest of the non-TLS certificates (qcp-n and qcp-l certificates) a technical control will be created for the StateorProvince field.
Assignee: bwilson → mprieto
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance]

All affected TLS certificates have been revoked.

The first 3 steps to solve this bug have been done. As for the fourth step, since it does not affect TLS certificates, we consider that it is not an obstacle to closing this bug. Please, could this bug be closed?

Flags: needinfo?(bwilson)

(In reply to Maria Jose Prieto from comment #0)

> 2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
> 30/05/2022 Firmaprofesional will analyze whether this finding also affects TLS certificates.

I find this timeline rather underwhelming...

Firmaprofesional appears to be abandoning its intent to implement technical controls on the stateorProvince field. Is this a lost opportunity for Firmaprofesional to explore how human errors occur in certificate contents? It might help reduce mistakes in other certificate fields. Has this been considered?

> I find this timeline rather underwhelming...

Julien, we would appreciate constructive comments.
If you only look at the initial report, I agree with you, but if you look deeply at the entire ticket you will see that the initial information has been supplemented and includes the decisions and tasks carried out and to be carried out.
This information was complemented by that provided later, in less than 24 hours:
The steps to take are:

05/31/2022, 9:00 First, notify customers.
05/31/2022, 9:00 Second, Firmaprofesional has analyzed that the StateorProvince is not necessary in TLS Certificates for commercial reasons, and it is not necessary for technical reasons (Baseline requirements) because they already have the Locality field. Therefore it is decided to suppress it in future TLS certificate issues.
Third, revoke all certificates within 5 days.
Fourth, for information purposes, for the rest of the non-TLS certificates (qcp-n and qcp-l certificates) a technical control will be created for the StateorProvince field.

In any case, if after this clarification you still miss something, please, do not hesitate to comment.
Thank you!

Flags: needinfo?(jcristau)

> Firmaprofesional appears to be abandoning its intent to implement technical controls on the stateorProvince field. Is this a lost opportunity for Firmaprofesional to explore how human errors occur in certificate contents? It might help reduce mistakes in other certificate fields. Has this been considered?

Ben, thanks for your constructive comment.

The reality is that we try to optimize the content of the certificates to the essential minimum for two reasons:

  • We understand the concern of browsers to make certificates as small as possible and remove unnecessary or hard-to-verify fields, such as the recent removal of the OU field.
  • On the other hand, by eliminating unnecessary or redundant fields, the necessary validation tasks and possible errors or non-compliances are reduced to a minimum.

Having said that, Firmaprofesional is going in that direction of implementing more and more technical controls on certificates in different fields.
We have recently implemented a technical control on the organization identification number field. We have also implemented other controls in other fields, as is the case of the personal identification number. Regarding the matter at hand, as we have detailed previously, a technical control (creation of a closed dropdown) is going to be implemented in the StateorProvince field that stays on non-TLS certificates.

Flags: needinfo?(bwilson)

I intend to close this on next Wed. 22-June-2022.

Flags: needinfo?(jcristau) → needinfo?(bwilson)

I would like to ask if Firma has examined all previously submitted (and currently "closed") incidents related to stateOrProvinceName and localityName in Bugzilla.

Secondly, I would like to ask if all CA Compliance bugs from other CAs are being actively monitored and taken into consideration proactively (i.e. without necessarily being affected by the corresponding incidents but making sure controls are implemented to prevent such class of incidents).

> I would like to ask if Firma has examined all previously submitted (and currently "closed") incidents related to stateOrProvinceName and localityName in Bugzilla.
Thank you Dimitris for your comment, because really we think we should learn from the experience and difficulties of other CAs.

Indeed, we have reviewed other similar tickets, such as Bug 1720723 or Bug 1667842, and after analyzing them, we continue to believe that the strategy of minimizing the number of fields in certificates is good for browsers and for CAs, as well as adding as much automation as possible.

Using a dropdown for the StateOrProvince and Locality fields we think is a good idea because it:
  • avoids typos and other types of human error;
  • allows identifying the limitations of the dropdown without incurring the error of issuing certificates with incorrect data;
  • avoids the free text field issue identified on Bug 1720723.

We are aware of the limitations of this type of dropdown, because it is difficult to guarantee that this type of information is absolutely correct worldwide. However, we have also analyzed the countries that concentrate most of our certificates and we have ensured that for those countries the stateOrProvince data is correct.

We may find ourselves in exceptional cases where, at the time of issuing a certificate, the stateOrProvince claimed by the subject does not appear in our dropdown. In this case, the issuance will not be possible at that time (perhaps we will lose a client) and we will analyze the case to identify if it is necessary to apply any update in the dropdown.

> Secondly, I would like to ask if all CA Compliance bugs from other CAs are being actively monitored and taken into consideration proactively (i.e. without necessarily being affected by the corresponding incidents but making sure controls are implemented to prevent such class of incidents).

Regarding your second comment, in fact, several people at Firmaprofesional are subscribed to new bug creations and updates (see Mails_bugs.png) and we learn from them and implement improvements to the best of our ability. We recommend this practice to all CAs since it has been very useful for us.

Flags: needinfo?(jimmy)
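The closed-list control discussed in the comments above, as an added pre-issuance check that is not Firmaprofesional's code: the subject's stateOrProvinceName must match exactly one canonical entry for its country, stateOrProvinceName is rejected outright in TLS profiles (where the CA decided to drop it), and a value not on the list blocks issuance for review. The allowlist is a constructed partial sample for Spain; the `check_subject` function, its profile names and the subject dictionary layout are assumptions for the example.

```python
"""Pre-issuance check modelling a closed dropdown for subject:stateOrProvinceName.

Added example, not the CA's own tooling. A real deployment would load the full
ISO 3166-2 subdivision list for every country it issues to.
"""
import unicodedata

# Constructed partial allowlist: country code -> canonical subdivision names.
ALLOWED_STATE_OR_PROVINCE = {
    "ES": {"Madrid", "Barcelona", "Sevilla", "Valencia", "A Coruña"},
}

# Profiles in which the field was removed entirely (TLS keeps only Locality).
TLS_PROFILES = {"OV", "EV"}


def _fold(value: str) -> str:
    """Case- and accent-insensitive key, used only to produce a precise diagnostic."""
    nfkd = unicodedata.normalize("NFKD", value)
    return "".join(c for c in nfkd if not unicodedata.combining(c)).casefold().strip()


def check_subject(subject: dict, profile: str) -> list:
    """Return issuance-blocking findings for a subject; an empty list means allowed.

    `subject` uses RDN short names: C (country), ST (stateOrProvinceName), L (locality).
    """
    findings = []
    st = subject.get("ST")
    if st is None:                       # field absent: nothing to validate
        return findings
    if profile in TLS_PROFILES:
        findings.append("stateOrProvinceName not permitted in TLS profile; use L only")
        return findings
    country = subject.get("C")
    allowed = ALLOWED_STATE_OR_PROVINCE.get(country)
    if allowed is None:
        # Unknown country: no closed list exists, so issuance stops pending analysis.
        findings.append(f"no closed list for country {country!r}; issuance blocked for review")
    elif st not in allowed:
        # Exact match required; a near miss gets a hint naming the canonical entry.
        near = [a for a in allowed if _fold(a) == _fold(st)]
        if near:
            findings.append(f"ST {st!r} differs from canonical {near[0]!r}; select {near[0]!r}")
        else:
            findings.append(f"ST {st!r} is not a subdivision of {country}; issuance blocked")
    return findings
```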
Attached image Mails_bugs.png
Flags: needinfo?(jimmy)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ev-misissuance] [ov-misissuance]
