Closed Bug 1853783 Opened 1 year ago Closed 10 months ago

IdenTrust: S/MIME certificates issued in violation of New S/MIME Baseline Requirements v1.0

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: roots, Assigned: roots)

Details

(Whiteboard: [ca-compliance] [smime-misissuance])

Attachments

(1 file)

Actual results:

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in the MDSP mailing list, a Bugzilla bug, or internal self-audit), and the time and date.

In the course of normal activities, on 06 September 2023 IdenTrust discovered that 114 S/MIME certificates had been issued after 01 September 2023 in violation of certificate details contained in the CA/B Forum S/MIME Baseline Requirements version 1.0 that went into effect on that day.
Specifically, the new certs were issued in violation of these requirements:
• Section 3.2.2.2 – 112-bit entropy requirements: 68 certificates.
• Section 7.1.4.2.5 – Subject DN attributes for sponsor-validated profile: 27 certificates.
• Section 7.1.4.2.6 – Subject DN attributes for individual-validated profile: 19 certificates.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

    • 2023-09-01 1:20 AM MDT – Improper issuance began.
    • 2023-09-06 4:00 PM MDT – IdenTrust discovered that 114 S/MIME certificates had been issued using the old processes and profiles.
    • 2023-09-06 5:17 PM MDT – Issuance was stopped.
    • 2023-09-07 4:30 PM MDT – IdenTrust completed sending revocation notices to affected certificate holders.
    • 2023-09-11 2:29 PM MDT – Hotfix deployed to fix entropy size issue. Certificate profiles were also updated to include the subject givenName and surname attributes.
    • 2023-09-11 2:30 PM MDT – All affected certificates were revoked.
    • 2023-09-11 3:00 PM MDT – IdenTrust enabled the new issuance process for mailbox-validated S/MIME certificates.

  3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.

    • Issuance was stopped 2023-09-06 5:17 PM MDT.

  4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.

    • First issuance with the problem – 09/01/2023 1:20 AM MDT.
    • Last issuance with the problem – 09/13/2023 4:24 PM MDT.
    • Validation review of email address and change in identity document requirement.
    • 106 certificates were affected. A list is attached. Of this number:
        • 68 were issued in violation of the entropy requirements.
        • 27 sponsor-validated certificates were issued without a given name in the givenName field.
        • 11 individual-validated certificates were issued without a surname in the surname field.

  5. In a case involving TLS server certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. It is also recommended that you use this form in your list "https://crt.sh/?sha256=[sha256-hash]", unless circumstances dictate otherwise. When the incident being reported involves an S/MIME certificate, if disclosure of personally identifiable information in the certificate may be contrary to applicable law, please provide at least the certificate serial number and SHA256 hash of the certificate. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.

    • N/A. These were S/MIME certificates.

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

    • Misinterpreted CA/B Forum S/MIME Baseline Requirements version 1.0 for the givenName attribute.
    • Missed the new entropy requirements of the CA/B Forum Baseline Requirements version 1.0.

  7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

    • All affected certificates were revoked.
    • We updated the problematic fields and have commenced a new issuing process.
    • We increased multi-team reviews of changes in S/MIME Baseline Requirements.
    • We are planning to implement an updated S/MIME linting tool no later than January 2024.
    • Monthly updates will be provided until an updated linting tool is implemented. Next update is scheduled for 2023-10-18.

Summary: S/MIME certificates issued in violation of New S/MIME Baseline Requirements v1.0 → Identrust: S/MIME certificates issued in violation of New S/MIME Baseline Requirements v1.0
Summary: Identrust: S/MIME certificates issued in violation of New S/MIME Baseline Requirements v1.0 → IdenTrust: S/MIME certificates issued in violation of New S/MIME Baseline Requirements v1.0
Assignee: nobody → roots
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [smime-misissuance]
Whiteboard: [ca-compliance] [smime-misissuance] → [ca-compliance] [smime-misissuance] Next update 18-Oct-2023
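The two findings in the report above (a Random Value for email-based mailbox validation under section 3.2.2.2 that fell short of 112 bits of entropy, and sponsor-validated/individual-validated subjects under sections 7.1.4.2.5 and 7.1.4.2.6 that lacked a givenName or surname) are exactly the kind of defect a pre-issuance check catches. The Python below is an added example written for this page; it is not IdenTrust's code or the linting tool the report promises. It assumes the standard X.520 OIDs for the subject attributes, encodes a deliberately simplified reading of the BR profile rules (commonName required; organizationName required for sponsor-validated; givenName and surname both required when no pseudonym is present), which is an illustration and not a substitute for the BR text, and the sample subjects are constructed, not taken from the attached list.

```python
"""Added example (not IdenTrust's code or linting tool): two pre-issuance
checks that map onto the two findings in the report, an undersized mailbox
validation Random Value and subject DNs missing givenName/surname. The
profile rules encoded here are a simplified reading of S/MIME BR v1.0 made
for illustration (an assumption), not the authoritative text."""
import math
import secrets

# S/MIME BR v1.0 section 3.2.2.2: the Random Value sent to the Applicant for
# email-based mailbox validation needs at least 112 bits of entropy.
MIN_RANDOM_VALUE_BITS = 112

# Alphabets a CA might encode the Random Value in before mailing it.
ALPHANUMERIC = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
DECIMAL = "0123456789"

# X.520 attribute type OIDs for the subject attributes checked here.
OID_COMMON_NAME = "2.5.4.3"
OID_SURNAME = "2.5.4.4"
OID_ORGANIZATION = "2.5.4.10"
OID_GIVEN_NAME = "2.5.4.42"
OID_PSEUDONYM = "2.5.4.65"
ATTRIBUTE_NAMES = {
    OID_COMMON_NAME: "commonName",
    OID_SURNAME: "surname",
    OID_ORGANIZATION: "organizationName",
    OID_GIVEN_NAME: "givenName",
    OID_PSEUDONYM: "pseudonym",
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def min_length_for(alphabet_size: int, bits: int = MIN_RANDOM_VALUE_BITS) -> int:
    """Shortest uniformly random string over this alphabet that reaches `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


def make_random_value(alphabet: str, length: int) -> str:
    """Generate a mailbox-validation Random Value, refusing undersized ones."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not repeat symbols")
    bits = entropy_bits(len(alphabet), length)
    if bits < MIN_RANDOM_VALUE_BITS:
        raise ValueError(f"{length} symbols over {len(alphabet)} give "
                         f"{bits:.1f} bits, below {MIN_RANDOM_VALUE_BITS}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_value_rejected(alphabet: str, length: int) -> bool:
    """True if make_random_value refuses this (alphabet, length) as undersized."""
    try:
        make_random_value(alphabet, length)
    except ValueError:
        return True
    return False


def lint_subject(profile: str, subject: list[tuple[str, str]]) -> list[str]:
    """Return findings (empty list = pass) for a subject DN given as (OID, value)
    pairs. An attribute that is present but blank is reported separately from
    one that is absent, since both produce a certificate without the name."""
    if profile not in ("sponsor-validated", "individual-validated"):
        raise ValueError(f"unknown profile {profile!r}")
    present = {oid for oid, value in subject if value.strip()}
    empty = {oid for oid, value in subject if not value.strip()}
    findings: list[str] = []

    def require(oid: str, why: str = "") -> None:
        name = ATTRIBUTE_NAMES[oid]
        if oid in empty:
            findings.append(f"{name} present but empty")
        elif oid not in present:
            findings.append(f"{name} missing{why}")

    require(OID_COMMON_NAME)
    if profile == "sponsor-validated":
        require(OID_ORGANIZATION)
    if OID_PSEUDONYM not in present:          # assumed rule: no pseudonym => both names
        require(OID_GIVEN_NAME, " and no pseudonym present")
        require(OID_SURNAME, " and no pseudonym present")
    return findings


# Constructed sample subjects (not from the attached list).
SPONSOR_OK = [(OID_COMMON_NAME, "Jane Doe"), (OID_GIVEN_NAME, "Jane"),
              (OID_SURNAME, "Doe"), (OID_ORGANIZATION, "Example Corp")]
SPONSOR_NO_GIVEN_NAME = [(OID_COMMON_NAME, "Jane Doe"), (OID_SURNAME, "Doe"),
                         (OID_ORGANIZATION, "Example Corp")]
SPONSOR_EMPTY_GIVEN_NAME = [(OID_COMMON_NAME, "Jane Doe"), (OID_GIVEN_NAME, ""),
                            (OID_SURNAME, "Doe"), (OID_ORGANIZATION, "Example Corp")]
INDIVIDUAL_NO_SURNAME = [(OID_COMMON_NAME, "Jane Doe"), (OID_GIVEN_NAME, "Jane")]
INDIVIDUAL_PSEUDONYM = [(OID_COMMON_NAME, "jdoe"), (OID_PSEUDONYM, "jdoe")]

if __name__ == "__main__":
    for size in (10, 16, 62, 256):
        print(f"alphabet of {size}: need {min_length_for(size)} symbols for 112 bits")
    print("decimal, 20 digits rejected:", random_value_rejected(DECIMAL, 20))
    print("alphanumeric, 19 chars:", make_random_value(ALPHANUMERIC, 19))
    print("sponsor, no givenName:", lint_subject("sponsor-validated", SPONSOR_NO_GIVEN_NAME))
    print("individual, no surname:", lint_subject("individual-validated", INDIVIDUAL_NO_SURNAME))
```

The sizing function is the part most worth keeping in mind: 14 bytes from a CSPRNG carry 112 bits, but once the value is re-encoded for the recipient, each character carries only log2(alphabet) bits, so a decimal code needs 34 digits, a hex code 28, and a mixed-case alphanumeric code 19 to stay at or above the threshold. Running the DN lint against the issuance profile before signing, rather than against issued certificates afterwards, is what turns the second finding from a revocation event into a rejected request.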

This is to confirm that we are on track to implement an updated S/MIME linting tool no later than January 2024.
Our next update will be provided by November 30, 2023.

Whiteboard: [ca-compliance] [smime-misissuance] Next update 18-Oct-2023 → [ca-compliance] [smime-misissuance] Next update 30-Nov-2023

We are on track to implement the updated S/MIME linting tool as promised no later than January 31, 2024.
We will post a status update by December 29, 2023.

We are on track to implement the updated S/MIME linting tool as promised no later than January 31, 2024.
We will post the next status update by January 31, 2024.

Whiteboard: [ca-compliance] [smime-misissuance] Next update 30-Nov-2023 → [ca-compliance] [smime-misissuance] Next update 31-Jan-2024

Over the weekend (1/20/2024), we successfully implemented the promised linting tool for S/MIME certificates. Throughout the week, we have confirmed its proper functionality. With no outstanding tasks remaining, we consider this issue resolved.

Flags: needinfo?(bwilson)

I will close this on Friday, 26-Jan-2024.

Whiteboard: [ca-compliance] [smime-misissuance] Next update 31-Jan-2024 → [ca-compliance] [smime-misissuance]
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED