Closed Bug 1861783 Opened 2 years ago Closed 2 years ago

IdenTrust: S/MIME Certificates issued without CAB Forum OID

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: roots, Assigned: roots)

Details

(Whiteboard: [ca compliance] [smime-misissuance])

Attachments

(1 file)

Missing SMIME OID.xlsx
41.33 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Details
Attached file Missing SMIME OID.xlsx

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36

Steps to reproduce:

SUMMARY
On 2023-10-23, while inspecting Enterprise certificates, we discovered that customers having S/MIME certificates were lacking the anticipated CA/B Forum OID expected after 2023-08-31.

IMPACT
Some of our Enterprise customers were impacted by this issue, where certificate profiles were intentionally not updated to S/MIME BR, as part of their migration to a different certificate program

TIMELINE -
2023-10-23 19:00 - Internal review found a total of 1135 certificates issued to 4 Enterprise customers missing the S/MIME CA/B Forum OID.
2023-10-23 21:00 – Discovered that four Enterprise customers were supposed to have been moved to a different certificate program and were not expected to use the publicly trusted ICA. However, the API access to the publicly trusted ICA had not been disabled.
2023-10-23 21:30 – Disabled the API for those 4 Enterprise customers.
2023-10-24 15:00 – Notified customers of revocation requirement no later than 2023-10-27
2023-10-27 23:30 – Confirmed all affected certificates have been revoked

ROOT CAUSE ANALYSIS
Not turning off an API that was no longer meant to be in use.

LESSONS LEARNED
WHAT WENT WELL

  • The APIs for affected customers were promptly deactivated.
  • All affected certificates were revoked within a span of 5 days.

WHAT DIDN'T GO WELL

  • The timeline for revocation didn't sit well with some of the impacted customers.

WHERE WE GOT LUCKY

ACTION ITEMS
No further action items are necessary to resolve this issue.

APPENDIX
DETAILS OF AFFECTED CERTIFICATES
Enclosed is a list of 1135 certificates that have been impacted, and all of them have been revoked.

Assignee: nobody → roots
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca compliance] [smime-misissuance]
Type: defect → task

We have no further pending actions for this issue

Can you please close this ticket?

Flags: needinfo?(bwilson)

Unless there are any objections, I will close this ticket on Wed. 3-Jan-2024.

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: