Closed Bug 1792231 Opened 2 years ago Closed 2 years ago

Entrust: TLS Certificate issued with an incorrect state or province

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bruce.morton, Assigned: bruce.morton)

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36

Steps to reproduce:

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

Entrust became aware of the problem on 15 September 2022 at 12:01 UTC, when the post linting check indicated that there was a TLS certificate issued of which the state or province value was not included on a pre-approved list.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
  • 2022-09-15 11:31 UTC - Certificate issued
  • 2022-09-15 12:01 UTC - Detection by post issuance linter
  • 2022-09-15 14:17 UTC - Issue confirmed by validation specialist
  • 2022-09-15 15:33 UTC - Certificate reissued
  • 2022-09-20 14:03 UTC - Certificate revoked
  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

Entrust has not stopped issuance. Similar issues will be detected post issuance and revoked within 24 hours until the development work to only accept pre-approved state or province values has been completed and deployed to production.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

The impacted certificate is listed in item 5.

  5. The complete certificate data for the problematic certificates.

https://crt.sh/?id=7546397880 – revoked at 2022-09-20 14:03 UTC

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The problem was detected directly after issuance by our post-issuance linting.

Issuance was not prevented because:

  • The verification team approved the subject DN without resolving the error as indicated by the administration system. The administration system compares the ST field to the country subdivisions in a pre-approved list based on ISO 3166. The override is available in the event there is a difference of the verified ST field and the pre-approved list.
  • No check was implemented in pre-issuance linting which is based on zlint.
  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

The certificate request system is being migrated to complete the ST field based on a drop down populated by the pre-approved list. The system which had the issue has not yet been migrated. The migration will be complete by 15 December 2022.

Entrust has escalated guidance with our verification team on reviewing this field and correcting this field, if required. Entrust continues to perform post-issuance linting to check for any errors.

Assignee: bwilson → bruce.morton
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance]
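A pre-issuance check of the kind the report says was missing from its zlint-based linting, as an added example (not Entrust's code and not a zlint lint): it compares the subject ST against a constructed subset of ISO 3166-2 subdivision names for the subject's C, and a mismatch is a hard error with no manual override, which is the gap the validation-team override left open.

```python
"""Pre-issuance lint for the subject stateOrProvinceName (ST) field.

Added example, not Entrust's code and not a zlint lint. It models the
check the report describes: ST must match a pre-approved ISO 3166-2
subdivision name for the subject's countryName (C). The table below is
a constructed subset for demonstration only.
"""
from dataclasses import dataclass

# Constructed subset of ISO 3166-2 subdivision names, keyed by alpha-2 country.
PRE_APPROVED_SUBDIVISIONS = {
    "US": {"California", "New York", "Texas", "Virginia"},
    "CA": {"Ontario", "Quebec", "British Columbia"},
    "DE": {"Bayern", "Berlin", "Hamburg"},
}

PASS, NA, NOTICE, ERROR = "pass", "NA", "notice", "error"


@dataclass(frozen=True)
class LintResult:
    status: str
    detail: str


def lint_subject_st(subject: dict) -> LintResult:
    """Check the subject's ST against the pre-approved list for its C."""
    country = subject.get("C")
    st = subject.get("ST")
    if st is None:
        return LintResult(NA, "no stateOrProvinceName in subject")
    if not country:
        return LintResult(ERROR, "ST present but countryName missing")
    country = country.upper()
    allowed = PRE_APPROVED_SUBDIVISIONS.get(country)
    if allowed is None:
        return LintResult(NOTICE, f"no pre-approved list for country {country}")
    if st in allowed:
        return LintResult(PASS, f"ST {st!r} is pre-approved for {country}")
    # A near-miss hint helps the validation specialist correct the request
    # rather than override the error, which is the failure mode in this report.
    folded = {name.casefold(): name for name in allowed}
    hint = folded.get(st.strip().casefold())
    if hint:
        return LintResult(ERROR, f"ST {st!r} not pre-approved; did you mean {hint!r}?")
    return LintResult(ERROR, f"ST {st!r} is not a pre-approved subdivision of {country}")


def issuance_allowed(subject: dict) -> bool:
    """Hard gate: an ERROR blocks issuance and cannot be overridden."""
    return lint_subject_st(subject).status != ERROR
```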

The system was migrated on 4 November 2022.

There is still one last avenue to be migrated which will not be until later in 2023. Entrust feels the possibility of error is quite low. We will continue to perform post-issuance linting implemented to detect any errors. All mis-issued certificates will be revoked and the certificate will be added to this incident report.

Whiteboard: [ca-compliance] → [ca-compliance] 2023-03-31
Product: NSS → CA Program
Whiteboard: [ca-compliance] 2023-03-31 → [ca-compliance] [ov-misissuance] Next update 2023-03-31

(In reply to Bruce Morton from comment #1)

> There is still one last avenue to be migrated which will not be until later in 2023.

The functionality was deployed on 14 March 2023.

I will close this on or about 19-Apr-2023, unless there are other items to discuss.

Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [ov-misissuance] Next update 2023-03-31 → [ca-compliance] [ov-misissuance]
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED