Key: Incorrect business Category in EV certificate
(CA Program :: CA Certificate Compliance, task)
(Reporter: pfuentes, Assigned: pfuentes)
(Whiteboard: [ca-compliance] [ev-misissuance])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Safari/605.1.15
Steps to reproduce:
During an internal audit WISeKey detected several EV certificates issued to an organization registered in its country as a non-commercial entity, but that should have been categorised as "Private Entity" according to the EV guidelines.
The certificates were revoked and replaced and we will publish a full report in the next days.
3 months ago
Sorry, I meant "Private Organization" as the correct type
3 months ago
- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
The mis-issuance was identified during an internal weekly review.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
2023-01-02 15:00 UTC: 7 EV Certificate orders for the same subscriber are processed by the validation team. Both involved validation agents agreed on the categorisation of the subscriber as "non-commercial organization".
2023-01-04 06:00 UTC: During an internal review, a third validator raises a concern about these certificates. An internal discussion is started.
2023-01-04 08:00 UTC: After confirming that the subscriber doesn't qualify as a "non-commercial organization", the certificates are revoked and a new validation process is performed, resulting in new certificates including the right information.
- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
WISeKey stopped the issuance of similar certificates for non-commercial entities until a new validation step has been added to control these cases. The new process is already in place and new orders can be accepted.
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
See 5. All affected certificates are issued for a single subscriber.
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
During the vetting process of a new subscriber, the two validation agents verified at one of the approved validation sources for Korea that the subscriber "Hong Seong Medical Center" was registered in the country with business type "Human Health and social work activities" (as explicitly written in the official "National Tax Service" certificate). This was assumed to be enough to qualify the subscriber as a "non-commercial entity". During an internal review performed after the issuance it was noted that this subscriber didn't qualify as a Non-Commercial Entity according to the EV guidelines, which state only these possibilities:
An Applicant qualifies as a Non‐Commercial Entity if:
- The Applicant is an International Organization Entity, created under a charter, treaty, convention or equivalent instrument that was signed by, or on behalf of, more than one country’s government. The CA/Browser Forum may publish a listing of Applicants who qualify as an International Organization for EV eligibility; and
- The Applicant is not headquartered in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction; and
- The Applicant is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.
Subsidiary organizations or agencies of an entity that qualifies as a Non‐Commercial Entity also qualifies for EV Certificates as a Non‐Commercial Entity.
Once this was clarified, the vetting was repeated, re-classifying the subscriber as "private organization" and revoking the previous certificates.
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
Given the complexity inherent in categorising certain types of subscribers, to prevent this from happening in the future we've updated our validation procedure to put on hold the issuance of EV certificates for each new subscriber that can't be evidently categorised by the two involved validators as a private or government entity, so any other new subscriber potentially belonging to other categories requires an internal discussion and confirmation before completing the vetting process.
The validation team has been updated about the new process and it's been documented to be added in future training and re-training sessions.
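The "hold for review" control described in this report, expressed as a pre-issuance lint. This is an added example, not WISeKey's tooling: it assumes the issuance pipeline hands the lint a dict of EV subject attributes keyed by OID, and that the CA keeps an explicit allowlist of International Organization Entities (the only applicants that qualify as Non-Commercial under the quoted guideline text); the allowlist entry and the sample subjects are constructed.

```python
# Added example: lint the EV subject fields involved in this incident.
# Input is a dict {OID string: value}, as obtained after parsing the
# validation record / CSR. OIDs below are the standard X.520 and EV ones.
BUSINESS_CATEGORY = "2.5.4.15"
SERIAL_NUMBER = "2.5.4.5"
ORGANIZATION = "2.5.4.10"
JURISDICTION_COUNTRY = "1.3.6.1.4.1.311.60.2.1.3"

# The only businessCategory values the EV Guidelines allow.
EV_CATEGORIES = {"Private Organization", "Government Entity",
                 "Business Entity", "Non-Commercial Entity"}

# Assumption: a CA-maintained allowlist of International Organization
# Entities. Constructed sample value; a real CA would populate this from
# its own records / the CA/Browser Forum listing.
INTERNATIONAL_ORGS = {"Example Treaty Organization"}


def lint_ev_subject(subject, international_orgs=INTERNATIONAL_ORGS):
    """Return (decision, reasons): 'issue', 'hold' (needs a third
    validator / internal discussion) or 'reject'."""
    category = subject.get(BUSINESS_CATEGORY)
    if category not in EV_CATEGORIES:
        return "reject", [f"businessCategory {category!r} is not an EV value"]

    reasons = []
    if not subject.get(JURISDICTION_COUNTRY):
        reasons.append("jurisdictionCountryName is missing")
    if category == "Private Organization" and not subject.get(SERIAL_NUMBER):
        # Lint policy: a Private Organization must carry its registration
        # number in subject:serialNumber.
        reasons.append("Private Organization requires subject:serialNumber")
    if reasons:
        return "reject", reasons

    if category == "Non-Commercial Entity":
        org = subject.get(ORGANIZATION, "")
        if org not in international_orgs:
            # The case from this bug: a domestic registration as a health /
            # non-profit body is not an International Organization Entity.
            # Two validators agreeing is not enough; escalate instead of issuing.
            return "hold", [f"{org!r} is not a listed International "
                            "Organization Entity; needs internal confirmation"]
    return "issue", []
```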
2 months ago
Are there any additional questions or issues to discuss? If not, I will close this on or about Friday, 3-Feb-2023.