Closed Bug 1823723 Opened 2 years ago Closed 2 years ago

Sectigo: Incomplete Subscriber Agreement provisions

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: martijn.katerbarg, Assigned: martijn.katerbarg)

Details

(Whiteboard: [ca-compliance] [policy-failure])

1. How your CA first became aware of the problem

During our annual WebTrust Audit, our auditor noted that it was possible to order a certificate through at least one of our Retail storefronts without being presented with the Sectigo Certificate Subscriber Agreement.

2. Timeline

March 8, 2023 – 15:00 UTC
During a call with our auditor, we show a demo of the order and issuance process of an OV certificate.

March 9, 2023 – 15:33 UTC
We receive an email from our auditor inquiring when, in the process of ordering an OV certificate, the Subscriber Agreement is agreed to.

March 9, 2023 – 16:44 UTC
We confirm and notify our auditor that a Subscriber Agreement was not presented during the order process through this specific channel, but that customers are required to agree to our Terms of Use.

March 9, 2023 – 20:51 UTC
Our auditor requests additional information on how, by agreeing to the Terms of Use, the provisions of sections 9.6.1 and 9.6.3 of the CPS are communicated.

March 14, 2023 – 15:00 UTC
During our twice-weekly WebPKI Incident Response (WIR) call, the team is informed of the finding by our auditor. We start our investigation with multiple members of the WIR team, which continues over the next few days.

March 17, 2023 – 15:00 UTC
We reconvene with the WIR team and discuss our findings and confirm the issue. Sections 6 and 7 outline these findings.

March 17, 2023 – 16:02 UTC
We add a member of our legal team to our ongoing WIR call to confirm the proposed solution is satisfactory.

March 17, 2023 – 16:36 UTC
We deploy the appropriate changes to our website to resolve the issue.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.

This issue does not directly affect the issuance of certificates but rather the legal agreement in place between CA and Subscriber. The issue has been remediated.

4. Summary of the problematic certificates

N/A. This incident does not constitute a problem with any certificate, but rather with the business relationship between CA and Customer.

5. Affected certificates

N/A.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now

The retail storefront in question uses a third-party system called WHMCS as its e-commerce system. This system has no direct relation to our internal CA systems. From the viewpoint of our CA systems, WHMCS is very much like any reseller partner.

The WHMCS system does not perform any action such as validation or issuance. Once it has received an order, it will handle payment and send the actual certificate signing request and order using our public API to our CA systems. At this point, our usual systems handle actual validation, and the only thing WHMCS is capable of doing is pulling the certificate validation status and collecting the final, issued certificate.

Since WHMCS is not part of our internal CA systems, its dedicated team is separate and apart from the CA-side teams. This is where the mistake came in. While, as specified, the system does not perform any validation duties, it does collect actual customer data and is the point in the process where customers accept our Terms of Use and Certificate Subscriber Agreement. While our investigation is ongoing, at a presently undetermined time in the past a bug was introduced that failed to present our Certificate Subscriber Agreement in some purchase paths. As the obligations and warranties dictated by sections 9.6.1 and 9.6.3 of the BRs were covered exclusively for us in our Certificate Subscriber Agreement, this means a set of DV and OV certificate purchasers did not assent to this agreement prior to placing orders.

During our investigation over the past week, we reviewed the requirements in place and determined that agreement to the Terms of Use is satisfactory so long as the Terms of Use reference our Subscriber Agreement and specify its acceptance as a requirement for certificate purchases.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future

We have remediated this problem in the immediate term by including acceptance of the Subscriber Agreement into the Terms of Use whenever a certificate is purchased.

Our Terms of Use specify that changes subsequent to acceptance are binding. We have updated our Terms of Use so that the required obligations and warranties now apply to all active certificate Subscribers.

We have started discussions with the team responsible for the WHMCS storefronts and other purchasing channels to complete a more comprehensive compliance review and assure all certificate purchasers are agreeing to necessary terms. As there is no evidence that any certificate purchase path has been missing our Terms of Use, we do not expect to find any additional examples of this problem. Should we discover such an occurrence, we will remediate it and report it here. We are adding explicit QA compliance testing for future releases of these systems.

Assignee: nobody → martijn.katerbarg
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]
Whiteboard: [ca-compliance] → [ca-compliance] [policy-failure]

As mentioned in Comment 0, the incident has been remediated. We have concluded the comprehensive compliance review mentioned in Comment 0, which found no further cases of the problem.

We do not have any further details to add.

Unless there are additional comments or discussion needed, I'll close this on or about Wed. 5-Apr-2023.

Flags: needinfo?(bwilson)

Thank you, Ben. Unless any other comments are placed, we will consider this incident resolved.

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED