Closed Bug 1827772 Opened 2 years ago Closed 1 year ago

DigiCert: Org-JOI type mismatch

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jeremy.rowley, Assigned: jeremy.rowley)

Details

(Whiteboard: [ca-compliance] [ev-misissuance])


Steps to reproduce:

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

Pedro Fuentes from Wisekey contacted DigiCert's Revocation Report alias about a certificate issued with improper JOI information. After conducting an extensive investigation on our certificates, we identified two instances of mis-issuance where the organizational type did not match the registration number convention.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

All times are MST
25/March/2023 10:17 - A representative from Wisekey contacted DigiCert's revoke alias and identified a potential issue with a certificate.
26/March/2023 15:52 - DigiCert acknowledges the problem report and begins investigating any potential issues. This includes a comprehensive review of EV certificates.
4/April/2023 9:23 - An issue was identified where there could be mixed JOI registration types and serial numbers. DigiCert searched for this pattern.
4/April/2023 10:25 - Engineering confirms that the new gen validation system did not implement the same guardrails on JOI as the legacy validation system.
5/April/2023 10:04 - The engineering team deployed a fix to resolve the issue.
6/April/2023 9:30 - The analytics team completes its review of all certificates possibly matching the identified issue. Two certificates were issued with the mixed type.
6/April/2023 9:43 - DigiCert begins the revocation process.
11/April/2023 7:51 - DigiCert revokes the two identified certificates. Please see section 5 for the list.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

We updated our systems to prevent additional issuance of certificates with incorrect information. The check restricts validation agents from entering "Government Entity" as the registration number field if the selected organization type is not "Government Entity". This modification ensures consistency in the organization type and registration number, and its implementation effectively enforces the condition.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

Two certificates were impacted. Both certificates were issued on March 22, 2023.

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

https://crt.sh/?sha256=ECCBD77D2889ED79F554AC75FE5BCA0BDCAAFA56982FC3655C42C48621467449
https://crt.sh/?sha256=EB60797AF7CEDB65519E54D4E0E87D3FA57FA67E1A0E32AA3DBFB53D48D50AAD

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

A validation agent incorrectly selected the organization type and entered "Government Entity", overriding the private org selection. The two fields, organization type and registration number, were not being consistently cross-checked for accuracy. A system update was implemented to ensure that the organization type and registration number are now tied together, promoting consistency and accuracy in the future.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

We implemented a fix that prevents a validation agent from changing a private organization to a government entity and mixing the two types. The two corresponding fields are now tied together so validation agents cannot manually override the selection. This fix was deployed on April 5th.
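As an added illustration (not DigiCert's code or the validation system described in the report), the following Python pre-issuance lint encodes the guardrail described in sections 3 and 7: the literal "Government Entity" may appear as the registration number only when the organization type is Government Entity. The attribute names, the sample subjects and the extra non-empty-registration-number rule are assumptions for the example.

```python
# Added example (not DigiCert's code): a pre-issuance lint that cross-checks the EV
# subject organization type (businessCategory) against the registration number
# (serialNumber), mirroring the guardrail described in the incident report.
# Attribute names, the sample subjects and the extra rule are assumptions.

GOVERNMENT = "Government Entity"
# EV business categories; the report only discusses Private Organization and
# Government Entity, the others are listed so the lint rejects unknown values.
VALID_CATEGORIES = {"Private Organization", "Government Entity",
                    "Business Entity", "Non-Commercial Entity"}


def lint_ev_subject(subject: dict) -> list[str]:
    """Return a list of findings; an empty list means the subject passes.

    subject maps EV attribute names to string values, e.g.
    {"businessCategory": "Private Organization", "serialNumber": "12345"}.
    """
    findings = []
    category = subject.get("businessCategory", "")
    reg_number = subject.get("serialNumber", "").strip()

    if category not in VALID_CATEGORIES:
        findings.append(f"unknown businessCategory {category!r}")

    # The check the report describes: "Government Entity" is only an acceptable
    # registration number when the organization type is Government Entity.
    if reg_number == GOVERNMENT and category != GOVERNMENT:
        findings.append(f"registration number {GOVERNMENT!r} with businessCategory {category!r}")

    # Assumption beyond the report: a non-government organization must carry an
    # actual registration number rather than an empty field.
    if category != GOVERNMENT and not reg_number:
        findings.append("missing registration number for non-government entity")
    return findings


# Constructed sample subjects: a correct private organization, a correct
# government entity, and the mixed-type pattern the incident describes.
SAMPLES = {
    "ok-private": {"businessCategory": "Private Organization", "serialNumber": "C1234567"},
    "ok-government": {"businessCategory": "Government Entity", "serialNumber": GOVERNMENT},
    "mismatch": {"businessCategory": "Private Organization", "serialNumber": GOVERNMENT},
}


def lint_all(samples: dict) -> dict:
    """Run the lint over a batch of subjects and keep only those with findings."""
    return {name: f for name, s in samples.items() if (f := lint_ev_subject(s))}
```

Running `lint_all(SAMPLES)` flags only the "mismatch" subject, which is the pattern the analytics review searched for across issued EV certificates.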

Assignee: nobody → jeremy.rowley
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [ev-misissuance]
Type: defect → task

Which certificate was reported on March 25? Should that certificate have been revoked by March 30?

Neither cert was reported on March 25th. Both of these were found by internal investigation that we launched after receiving a false positive certificate problem report.

Any additional questions? If not, can we close this bug?

Flags: needinfo?(bwilson)

I will close this on or about Wed. 3-May-2023, unless there are other issues to discuss.

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED