Closed Bug 1866806 Opened 11 months ago Closed 9 months ago

GlobalSign: S/MIME Sponsor validated certificates with CommonName value equal to OrganizationName

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: christophe.bonjean, Assigned: christophe.bonjean)

Details

(Whiteboard: [ca-compliance] [smime-misissuance])

Steps to reproduce:

On 2023-11-27, while inspecting issued certificates during quarterly internal audit, we discovered 3 S/MIME sponsor validated certificates with a Subject:CommonName value equal to the Subject:OrganizationName. We are investigating for further cases and will update with full incident report by 2023-12-01.

Assignee: nobody → christophe.bonjean
Type: defect → task
Whiteboard: [ca-compliance] [smime-misissuance]
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Incident Report

Summary

During quarterly internal audit on 2023-11-27, the compliance team identified three S/MIME legacy-profile sponsor-validated certificates with a Subject:commonName equal to the Subject:organizationName field.

According to the definition of a sponsor-validated certificate, the certificate type must "combine Individual attributes in conjunction with a Subject:organizationName as associated Legal Entity" and section 7.1.4.2.2 of the S/MIME BRs defines the following permitted values for Subject:commonName: Personal Name, Pseudonym, or Mailbox Address.

The Subject:commonName of the affected Certificates therefore did not meet the requirement of section 7.1.4.2.2, as it included (and only included) the value of the Subject:organizationName.

Upon investigation, we determined that the Certificates were issued by Enterprise RA accounts, for which the authentication of the identity of the Individual is delegated to the Enterprise RA.

Impact

11 S/MIME legacy-profile sponsor-validated Certificates were mis-issued, due to the Subject:commonName being equal to the Subject:organizationName field.

Timeline

All times are UTC.

Date / time (UTC) | Description
2023-08-07 | Communication initiated towards customers regarding updated Enterprise RA requirements for S/MIME BRs and revisions of agreements.
2023-09-01 | S/MIME BRs come into effect and Enterprise RAs must comply with the requirements for sponsor-validated certificates.
2023-09-06 | Initial ad-hoc review of S/MIME certificates to confirm compliance with new requirements. No issues identified.
2023-11-27 08:32 | Quarterly internal audit identifies three S/MIME sponsor-validated certificates with Subject:commonName equal to the Subject:Organization.
2023-11-27 08:40 | Revocation and replacement process initiated, including clarification towards Enterprise RAs about the issue and appropriate Subject information. Vetting notified of issue; however, no action required on their part, as the scope of the incident is Enterprise RA. Due to the nature of the incident, no outstanding requests found.
2023-11-27 13:16 | Started review of historically issued certificates. Monitoring set up.
2023-11-27 13:36 | Completed review of historically issued valid certificates. Eight additional certificates found.
2023-12-01 11:51 | Deployment of post-lint completed as part of alerting.
2023-02-12 07:30 | Scheduled revocation of all affected certificates.

Root Cause Analysis

The affected certificates are S/MIME legacy-profile sponsor-validated certificates which according to the definition "Combine Individual (Natural Person) attributes in conjunction with an subject:organizationName (an associated Legal Entity) attribute".

These certificates were issued by Enterprise RAs, who verify Certificate Requests for Subjects within the Enterprise RA's own organization and perform authentication of the individual identity.

In this case, the Enterprise RAs erroneously provided (only) organization information in the Subject:commonName field, where Individual information must be provided.

Lessons Learned

What went well

  • The self-audit process correctly identified the affected certificates and revocation was promptly organized.

What didn't go well

  • The affected customers (Enterprise RAs) did not provide correct Subject DN information required by the S/MIME BRs for sponsor-validated certificates.
  • An automated check for Subject:commonNames being equal to the Subject:organizationName was missing in the certificate issuance pipeline.

Where we got lucky

  • A limited number of customers (six) were affected.

Action Items

Action Item | Kind | Due Date
Revocation of affected certificates. | Mitigate | 2023-12-02 (end of day)
Setting up monitoring and alerting to detect certificates with this issue until preventative measures are in place. | Detect | Done
Reaching out to the individual customers and re-informing them of the permitted Subject:commonName values for sponsor-validated S/MIME Certificates. | Prevent | Done
Deploying a custom lint that blocks sponsor-validated certificates with Subject:commonName values equal to Subject:organizationName. | Prevent | Staging: 2023-12-15, Production: 2024-01-29

Appendix

Details of affected certificates

Serial number in hex representation:

  • 5452FEA5731FD2FA43AB1BEB
  • CF98260D2AFF48FB8A36DDA
  • 5E247D1E24CF9AAB86CA861
  • D21C991233B353FDADA94AC
  • D5AF8BCC0CE6D4BAFE8320
  • CD31C7302CA1FC94F35143
  • BF3DDDF58C692851E8C3054
  • F297B545DE075707EE9F29A
  • BE5D741F8D147601D0F4EDF
  • 817A32A2CE144BED631800D
  • 8743BBC7D55484C4281EF20

We confirm that all affected certificates were revoked by 2023-12-01 21:54 UTC.

We are on track to deploy the new lint to staging by 2023-12-15.

During the development of our new linting build, the team decided to also incorporate the latest lints provided by zlint. This requires additional development and testing.

We will therefore deploy this new release to staging by 2024-01-08. The production release schedule remains unchanged (latest by 2024-01-29).

Could we set the next update to 2024-01-08?

Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [smime-misissuance] → [ca-compliance] [smime-misissuance] Next update 2024-01-08
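As an added illustration of the kind of post-issuance lint named in the Action Items above (example code written for this page, not GlobalSign's lint and not a zlint rule), the following Python parses a DER-encoded X.501 Subject and flags the defect behind this incident: a commonName that merely repeats organizationName. The sample subjects are constructed and unrelated to the affected certificates; the names `parse_name`, `lint_sponsor_cn` and `make_subject` are this example's own; and the whitespace- and case-insensitive comparison is an assumption that goes slightly beyond the exact-match case reported here.

```python
"""Post-issuance lint for sponsor-validated S/MIME subjects (added example,
not GlobalSign's lint): flag a Subject:commonName equal to Subject:organizationName.
Standard library only; the DER handling covers just what an X.501 Name needs."""
from typing import Dict, List, Tuple

OID_CN = "2.5.4.3"                    # id-at-commonName
OID_O = "2.5.4.10"                    # id-at-organizationName
OID_EMAIL = "1.2.840.113549.1.9.1"    # pkcs-9 emailAddress


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _decode_oid(raw: bytes) -> str:
    """Turn OID content octets into dotted notation (2.5.4.3, ...)."""
    arcs = [str(raw[0] // 40), str(raw[0] % 40)]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:              # last base-128 digit of this arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def parse_name(der: bytes) -> Dict[str, List[str]]:
    """Parse Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }
    into {dotted OID: [values]}. UTF-8 decoding also covers PrintableString
    and IA5String values; BMPString/T61String are out of scope here."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs: Dict[str, List[str]] = {}
    pos = 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)            # AttributeTypeAndValue
            _, oid_raw, q = _read_tlv(atv, 0)        # type
            _, val, _ = _read_tlv(atv, q)            # value
            attrs.setdefault(_decode_oid(oid_raw), []).append(val.decode("utf-8"))
    return attrs


def _norm(s: str) -> str:
    """Assumption: collapse whitespace and case so trivial variants are caught too."""
    return " ".join(s.split()).casefold()


def lint_sponsor_cn(subject: Dict[str, List[str]]) -> List[str]:
    """Return findings for a sponsor-validated subject (empty list = pass)."""
    findings: List[str] = []
    orgs = subject.get(OID_O, [])
    if not orgs:
        findings.append("sponsor-validated subject lacks organizationName")
    for cn in subject.get(OID_CN, []):
        if any(_norm(cn) == _norm(o) for o in orgs):
            findings.append(f"commonName {cn!r} equals organizationName")
    return findings


# --- helpers to build constructed sample subjects (short-form DER lengths) ---
def _tlv(tag: int, body: bytes) -> bytes:
    if len(body) > 127:
        raise ValueError("sample encoder only supports short-form lengths")
    return bytes([tag, len(body)]) + body


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def make_subject(*pairs: Tuple[str, str]) -> bytes:
    """Encode (oid, value) pairs as single-attribute RDNs with UTF8String values."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _encode_oid(o) + _tlv(0x0C, v.encode("utf-8"))))
        for o, v in pairs
    )
    return _tlv(0x30, rdns)


# Constructed samples, not the subjects or serials from this incident.
BAD_SUBJECT = make_subject((OID_O, "Example Corp"), (OID_CN, "Example Corp"))
GOOD_SUBJECT = make_subject((OID_O, "Example Corp"), (OID_CN, "Jane Doe"),
                            (OID_EMAIL, "jane@example.com"))

if __name__ == "__main__":
    for label, der in (("bad", BAD_SUBJECT), ("good", GOOD_SUBJECT)):
        print(label, parse_name(der), lint_sponsor_cn(parse_name(der)) or "PASS")
```

In a real pipeline the same check would run twice: as a pre-issuance lint that rejects the request (the Prevent item above) and as a post-issuance sweep over issued certificates that raises an alert (the Detect item), so that a certificate which slips past the first gate is still caught within the revocation window.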

We completed the staging deployment and are on schedule for the production release.

There were no scheduled deliverables this week. We are on track for the production release.

Could we set the next update to 2024-01-29?

Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [smime-misissuance] Next update 2024-01-08 → [ca-compliance] [smime-misissuance] Next update 2024-01-29

We have completed the production zlint deployment beginning our preventative phase.

During our monitoring and alerting phase we encountered two additional certificate issuances, which resulted in revocation within 5 days for the certificates with serial numbers 61FEBE61C486CECBE9EF0CAC and 60F5162ECFF19BCC499FC684.

This concludes the identified remedial activities - unless there are any further questions we believe this issue can be closed.

I would like to close this on Wed. 31-Jan-2023.
Thanks,
Ben

Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [smime-misissuance] Next update 2024-01-29 → [ca-compliance] [smime-misissuance]
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED