Closed Bug 1802916 Opened 2 years ago Closed 1 year ago

Entrust: EV TLS Certificate incorrect jurisdiction

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bruce.morton, Assigned: bruce.morton)

Details

(Whiteboard: [ca-compliance] [ev-misissuance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36

Steps to reproduce:

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

Entrust became aware of the problem with VMC certificates on 10 November 2022. It was assumed the problem was isolated to VMC, but more investigation found the problem was related to certificates which include ST jurisdiction information found through EV verification.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
  • 2022-11-10 14:08 UTC - VMC issued discovered
  • 2022-11-14 9:05 UTC - Discovered the issue impacts certificates issued with EV verification; investigation started to determine which accounts were impacted by the errors
  • 2022-11-17 12:30 UTC - Compliance meeting to review investigation
  • 2022-11-18 15:30 UTC - Update search criteria with PM/Development and discuss problem resolution
  • 2022-11-23 12:30 UTC - Compliance meeting to discuss state/province issues in some countries
  • 2022-11-23 14:30 UTC - Compliance meeting to review incident investigation status
  • 2022-11-28 13:05 UTC - 322 EV certificates were found which were misissued with the incorrect jurisdiction
  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

Entrust did not stop issuance; however, all issues discovered through investigation have been corrected.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

The impacted certificates are listed in item 5.

  5. The complete certificate data for the problematic certificates.

The following EV certificates have been identified as misissued:

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The problem was detected during revalidation of a VMC certificate.

The errors occur when the data is input by the Verification Specialist. The errors were:

  • place of business ST field was incorrectly used in the ST jurisdiction field
  • place of business ST field was incorrectly used in the L jurisdiction
  • ST jurisdiction was used, when the registry was from the country level

The errors avoided detection as the pre-issuance and post-issuance linting software does not address the contents of the jurisdiction data.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

The new design will be to align the approved incorporating agencies database with the jurisdiction data fields. The system will be updated to ensure that the approved incorporating agencies provide the corresponding jurisdiction data. The design update will help to remove human error.

> 2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
>
> 2022-11-10 14:08 UTC - VMC issued discovered

Could you explain what a VMC is, or link to a definition?

> 2022-11-14 9:05 UTC - Discovered the issue impacts certificates issued with EV verification; investigation started to determine which accounts were impacted by the errors
> 2022-11-17 12:30 UTC - Compliance meeting to review investigation
> 2022-11-18 15:30 UTC - Update search criteria with PM/Development and discuss problem resolution
> 2022-11-23 12:30 UTC - Compliance meeting to discuss state/province issues in some countries
> 2022-11-23 14:30 UTC - Compliance meeting to review incident investigation status
> 2022-11-28 13:05 UTC - 322 EV certificates were found which were misissued with the incorrect jurisdiction

Why did it take so long to discover the problematic EV certificates?

Did you start searching for EV certificates with this issue before 2022-11-28? If not, why? If yes, why did it take until 2022-11-28 before you got results?

> 7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
>
> The new design will be to align the approved incorporating agencies database with the jurisdiction data fields. The system will be updated to ensure that the approved incorporating agencies provide the corresponding jurisdiction data. The design update will help to remove human error.

Could you expand on this 'new design', and what is being newly designed?

Are you planning to revoke these problematic certificates, and if so, when will they be revoked?

Assignee: nobody → bruce.morton
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true

(In reply to Matthias from comment #1)

> Could you explain what a VMC is, or link to a definition?

VMC is the Verified Mark Certificate. This certificate has EV verification and also includes a logo. You can find the VMC Guidelines and more information here: https://bimigroup.org/supporting-documents/.

> Why did it take so long to discover the problematic EV certificates?
> Did you start searching for EV certificates with this issue before 2022-11-28? If not, why? If yes, why did it take until 2022-11-28 before you got results?

The jurisdiction information is very complicated. One of the reasons is that a single registry could be accessed by multiple sites. The multiple sites may be interpreted as meaning the site is for a different jurisdiction. There are also issues where the state for place of business and the jurisdiction state might be different. So there was no easy search methodology to find misissued certificates. There was a lot of investigation to confirm whether a certificate was misissued.

> Could you expand on this 'new design', and what is being newly designed?

I will follow up with more design information in a future post.

> Are you planning to revoke these problematic certificates, and if so, when will they be revoked?

Our plan is to revoke within the 5-day requirement; however, we are getting both disputes on the wrong jurisdiction and the timing due to the current end of year black-out period. If we have late revocations, we will open a late revocation incident report.

Through the planned 5-day revocation period, 62 certificates were revoked.

There has been pushback from the Subscribers due to the critical use of EV TLS certificates, coordination with the technical teams and the current annual black-out period to reissue certificates.

We will open a delayed revocation incident report to address the delays and track revocations completion.

Incident was posted for late revocation, https://bugzilla.mozilla.org/show_bug.cgi?id=1804753

Regarding the new design, we will review our EV approved incorporating agencies matrix, https://www.entrust.com/legal-compliance/approved-incorporating-agencies, to ensure the correct jurisdiction is established.

To ensure the correct jurisdiction data is in the EV certificate, when a Verification Specialist verifies or re-verifies an Organization, they will follow this process: 1) Select businessCategory = Private Organization, 2) Choose the country, 3) Choose a registry from the dropdown for the country, 4) Verify the organization is in the registry and record data including the registration number. Note by selecting the registry, the jurisdiction location information is selected in an automated fashion, which mitigates human error in selecting this data.

The plan is to update this functionality by 31 March 2023.

As a follow up after the new jurisdiction functionality is in place, we will plan to use the registry matrix for post-issuance certificate linting. This will ensure the EV certificate jurisdiction data is in sync with our trusted source.
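The registry-driven post-issuance lint planned in this comment, and the detection gap described under item 6 of the report (the existing linters do not inspect jurisdiction contents), as an added example that is not Entrust's code or data: the registry matrix, the subject attribute keys and the sample certificates are all constructed here, and the checks model the three error classes the report lists, plus a registry id that is missing from the matrix.

```python
"""Post-issuance lint: EV jurisdiction fields vs. an incorporating-agency matrix."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# EV Guidelines subject attributes used below (OIDs for reference):
#   jurisdictionL  = jurisdictionOfIncorporationLocalityName        1.3.6.1.4.1.311.60.2.1.1
#   jurisdictionST = jurisdictionOfIncorporationStateOrProvinceName 1.3.6.1.4.1.311.60.2.1.2
#   jurisdictionC  = jurisdictionOfIncorporationCountryName         1.3.6.1.4.1.311.60.2.1.3
# C / ST / L are the ordinary place-of-business attributes of the subject.


@dataclass(frozen=True)
class Registry:
    """One approved incorporating agency and the jurisdiction it implies."""
    name: str
    country: str                    # expected jurisdictionC
    state: Optional[str] = None     # expected jurisdictionST; None for a country-level registry
    locality: Optional[str] = None  # expected jurisdictionL; None unless locality-level


# Constructed stand-in for the approved incorporating agencies matrix (not Entrust's data).
REGISTRY_MATRIX: Dict[str, Registry] = {
    "CA-FED": Registry("Corporations Canada", "CA"),
    "CA-ON": Registry("Ontario Business Registry", "CA", "Ontario"),
    "US-DE": Registry("Delaware Division of Corporations", "US", "Delaware"),
    "GB-CH": Registry("Companies House", "GB"),
}

POB_NOTE = " (value equals the place-of-business ST)"


def lint_jurisdiction(subject: Dict[str, str], registry_id: str) -> List[str]:
    """Compare a certificate's jurisdiction attributes with the registry it was verified against.

    Returns one finding per mismatch; an empty list means the jurisdiction
    fields are exactly the ones the selected registry implies.
    """
    reg = REGISTRY_MATRIX.get(registry_id)
    if reg is None:
        return [f"registry {registry_id!r} is not in the approved matrix"]

    findings: List[str] = []
    pob_state = subject.get("ST")   # the field the report says was copied by mistake
    j_c = subject.get("jurisdictionC")
    j_st = subject.get("jurisdictionST")
    j_l = subject.get("jurisdictionL")

    if j_c != reg.country:
        findings.append(f"jurisdictionC={j_c!r}, expected {reg.country!r} for {reg.name}")

    # Error class 3 in the report: an ST jurisdiction on a country-level registry.
    if reg.state is None and j_st is not None:
        msg = f"jurisdictionST={j_st!r} present but {reg.name} is a country-level registry"
        findings.append(msg + POB_NOTE if j_st == pob_state else msg)   # error class 1
    elif reg.state is not None and j_st != reg.state:
        msg = f"jurisdictionST={j_st!r}, expected {reg.state!r} for {reg.name}"
        findings.append(msg + POB_NOTE if j_st == pob_state else msg)   # error class 1

    # Error class 2 in the report: place-of-business ST written into the L jurisdiction.
    if j_l != reg.locality:
        msg = f"jurisdictionL={j_l!r}, expected {reg.locality!r} for {reg.name}"
        findings.append(msg + POB_NOTE if j_l is not None and j_l == pob_state else msg)
    return findings


def misissued(batch: Dict[str, tuple]) -> Dict[str, List[str]]:
    """Run the lint over {cert_id: (subject, registry_id)}; keep only certs with findings."""
    result: Dict[str, List[str]] = {}
    for cert_id, (subject, registry_id) in batch.items():
        findings = lint_jurisdiction(subject, registry_id)
        if findings:
            result[cert_id] = findings
    return result


# Constructed sample batch: one clean certificate plus one per error class.
SAMPLE_BATCH = {
    "ok-ontario": ({"C": "CA", "ST": "Ontario", "L": "Ottawa",
                    "jurisdictionC": "CA", "jurisdictionST": "Ontario"}, "CA-ON"),
    "st-on-country-registry": ({"C": "CA", "ST": "Ontario", "L": "Ottawa",
                                "jurisdictionC": "CA", "jurisdictionST": "Ontario"}, "CA-FED"),
    "pob-st-as-jurisdiction-st": ({"C": "US", "ST": "California", "L": "San Jose",
                                   "jurisdictionC": "US", "jurisdictionST": "California"}, "US-DE"),
    "pob-st-as-jurisdiction-l": ({"C": "GB", "ST": "England", "L": "London",
                                  "jurisdictionC": "GB", "jurisdictionL": "England"}, "GB-CH"),
}

if __name__ == "__main__":
    for cert_id, findings in misissued(SAMPLE_BATCH).items():
        print(cert_id)
        for finding in findings:
            print("  -", finding)
```

Run as a script it prints the three constructed certificates that would have been flagged; a real deployment would feed it the subject of each issued certificate together with the registry id the Verification Specialist selected.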

Whiteboard: [ca-compliance] [ev-misissuance]
Whiteboard: [ca-compliance] [ev-misissuance] → [ca-compliance] [ev-misissuance] Next update 3-Apr-2023

(In reply to Bruce Morton from comment #6)

> To ensure the correct jurisdiction data is in the EV certificate, when a Verification Specialist verifies or re-verifies an Organization, they will follow this process: 1) Select businessCategory = Private Organization, 2) Choose the country, 3) Choose a registry from the dropdown for the country, 4) Verify the organization is in the registry and record data including the registration number. Note by selecting the registry, the jurisdiction location information is selected in an automated fashion, which mitigates human error in selecting this data.

The functionality was deployed on 14 March 2023.

Thanks. Unless there are other comments or concerns to be expressed, I will close this bug on next Wed. 19-Apr-2023.

Flags: needinfo?(bwilson)
Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [ev-misissuance] Next update 3-Apr-2023 → [ca-compliance] [ev-misissuance]
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED