Closed Bug 1818073 Opened 2 years ago Closed 2 years ago

Sectigo: Late revocation for incomplete Subject organizationName

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: martijn.katerbarg, Assigned: martijn.katerbarg)

Details

(Whiteboard: [ca-compliance] [leaf-revocation-delay] Next update 2023-06-26)

1. How your CA first became aware of the problem

During our twice-weekly WebPKI Incident Response (WIR) team call, we decided to grant a delay in revocation for a total of 18 certificates that were due to be revoked on February 19, 2023.

Bug 1813989 describes the incident that necessitated the revocation of these certificates.

2. Timeline

February 14, 2023 - 18:08 UTC
We post bug 1813989 comment 2 announcing an upcoming revocation event.

February 17, 2023 – 08:16 UTC & 08:25 UTC
Three of our customers reach out to us because they did not receive our notifications about the upcoming revocation event in a timely manner. This impacted a total of 18 certificates.

February 17, 2023 – 15:00 UTC
During our WIR call, we discuss the request and make the decision to give an extension as we failed to send notifications to these customers in a timely manner. We reschedule the revocation of these certificates for February 22 at 03:00 AM.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.

N/A

4. Summary of the problematic certificates

18 Certificates issued between February 25, 2022 and February 7, 2023.

5. Affected certificates

Serial Number
05B995898666B4805C89C2944C02E6C4
00C66C4B0E6163F52CAFEF66B0EB1C155B
0089DBD5838F718928C9AABEC6FA73FDE9
382000227E3498C64040F469E60175AD
00E7B766736AB8526297523FF8D2EE781D
00A01E05C382F27285300961927C46EF2F
00A54C6847A345BB011EBD8410713760E2
00B276A8FD5BDDEF602AE55FEAB043A163
00C50A45094108B2DC9741A6EF6C38F4F8
6227F006684681BAC8916F59B7DC20D5
7CA5C69B8899F30AA402E06831E69DBC
140F26BA67381597CC310B2965F32ACD
2A89F3077D4F5714C3485A0A0BDBE5D3
00DF11E820E0210F300519B2E96EC95501
00F68F0D5EA71400D85BBE7A29E8B331BE
00F11AD7CED0D0FA71942C101B6D3BFF12
00B3B67B64EE88B76D11E72A02C73D59AF
3DED4BAD9574297E5BD8824991CA84CC

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now

Sending notifications of planned revocations is currently a manual process. The incident outlined in bug 1813989 has taken up a significant amount of time in review and processing by several members of our validation and compliance teams. Unfortunately, due simply to the size of the workload, this team was unable to send notifications to all affected customers in a timely fashion. By the time we realized this, adding more resources would not have altered the outcome.

Due to the late notice, these customers did not have enough time to get replacement certificates into their production environments. After internal discussion, we decided to delay the scheduled revocation event to February 22, 2023 at 03:00 UTC for these certificates only. Due to pre-system checks, the revocation timestamps may not be exactly 03:00 UTC but should be within 1 hour of this time.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future

We currently have automation in place to perform revocation of multiple certificates at a pre-set future time. We plan on expanding this system with the capability to automatically send notifications to customers, which should prevent this type of issue from happening in the future.

Assignee: nobody → martijn.katerbarg
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance][leaf-revocation-delay]
Whiteboard: [ca-compliance][leaf-revocation-delay] → [ca-compliance] [leaf-revocation-delay]
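A small stand-alone audit of a delayed revocation event of the kind described in sections 6 and 7, added here as an illustration; it is not Sectigo's code and not part of this report. It normalizes serials the way CT log viewers print them (DER's leading 00 byte) and classifies each certificate against the original deadline and the rescheduled time using the 1-hour tolerance the report states. The 2023-02-19 00:00 UTC deadline, the 03:21 UTC revocation time from the follow-up comment, and the unrevoked third record are constructed sample values, not data from the report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

UTC = timezone.utc
WINDOW = timedelta(hours=1)  # tolerance stated in the report: within 1 hour of the scheduled time

def parse_serial(hex_serial: str) -> int:
    """Convert a serial as printed by CT log viewers into an integer. DER encodes serials as
    signed INTEGERs, so a value whose top bit is set is printed with a leading 00 byte
    (e.g. 00C66C4B...); comparing as integers makes both spellings match in CRL/OCSP lookups."""
    return int(hex_serial.replace(":", "").replace(" ", "").strip(), 16)

@dataclass
class RevocationRecord:
    serial: int
    revoked_at: Optional[datetime]  # None: not yet revoked

def classify(rec: RevocationRecord, deadline: datetime, scheduled: datetime) -> str:
    """Bucket one certificate against the original deadline and the rescheduled event."""
    if rec.revoked_at is None:
        return "not_revoked"
    if rec.revoked_at <= deadline:
        return "on_time"
    if abs(rec.revoked_at - scheduled) <= WINDOW:
        return "late_within_window"
    return "late_outside_window"

def hours_late(rec: RevocationRecord, deadline: datetime) -> float:
    """Hours past the original deadline that the revocation landed (0.0 if on time or pending)."""
    if rec.revoked_at is None or rec.revoked_at <= deadline:
        return 0.0
    return (rec.revoked_at - deadline).total_seconds() / 3600

def audit(records: List[RevocationRecord], deadline: datetime, scheduled: datetime) -> Dict[int, str]:
    """Map every serial to its classification so the whole event can be checked at once."""
    return {rec.serial: classify(rec, deadline, scheduled) for rec in records}

# Constructed sample event built from the report's timeline; the third record is hypothetical.
DEADLINE = datetime(2023, 2, 19, 0, 0, tzinfo=UTC)     # assumed original revocation date
SCHEDULED = datetime(2023, 2, 22, 3, 0, tzinfo=UTC)    # rescheduled time from the report
REVOKED_AT = datetime(2023, 2, 22, 3, 21, tzinfo=UTC)  # actual time from the follow-up comment
SAMPLE = [
    RevocationRecord(parse_serial("05B995898666B4805C89C2944C02E6C4"), REVOKED_AT),
    RevocationRecord(parse_serial("00C66C4B0E6163F52CAFEF66B0EB1C155B"), REVOKED_AT),
    RevocationRecord(parse_serial("3DED4BAD9574297E5BD8824991CA84CC"), None),  # hypothetical straggler
]
```

Running `audit(SAMPLE, DEADLINE, SCHEDULED)` flags the two revoked certificates as late but inside the committed window and the hypothetical third one as still unrevoked.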

The certificates mentioned in comment 0 were revoked on February 22nd, 03:21 UTC.

Ben, do you want to keep this bug open until our proposed remediation plan has been put into effect?
If so, we would like to request a next-update for 2023-03-31, at which time we hope to be able to provide a better timeline.

Flags: needinfo?(bwilson)
Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [leaf-revocation-delay] → [ca-compliance] [leaf-revocation-delay] Next update 2023-03-01
Whiteboard: [ca-compliance] [leaf-revocation-delay] Next update 2023-03-01 → [ca-compliance] [leaf-revocation-delay] Next update 2023-03-31

We have scoped and drafted the required changes to our internal systems to be able to automate notifications.

Development and deployment of this are on the roadmap for Q2 of this year. As we get closer to completion, we will be able to set a more specific release date.

Ben, for now we’d like to request a next-update for 2023-05-31.

Flags: needinfo?(bwilson)
Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [leaf-revocation-delay] Next update 2023-03-31 → [ca-compliance] [leaf-revocation-delay] Next update 2023-05-31

Development of this feature has commenced and is on track for now. Currently we plan on releasing this feature by 2023-06-26.

Ben, we’d like to request a next-update for 2023-06-26.

Flags: needinfo?(bwilson)
Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [leaf-revocation-delay] Next update 2023-05-31 → [ca-compliance] [leaf-revocation-delay] Next update 2023-06-26

As of last weekend, automated notifications are available for future revocation events.

This concludes our remediation of this incident. Ben, as there have not been any questions or comments regarding the report and remediation, we’d like to request closing this bug.

Flags: needinfo?(bwilson)

I will close this on Wed. June 28, 2023, unless there are further issues to discuss.

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED