Closed Bug 1867130 Opened 10 months ago Closed 8 months ago

Entrust: Jurisdiction Locality Wrong in EV Certificate

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bruce.morton, Assigned: bruce.morton)

Details

(Whiteboard: [ca-compliance] [ev-misissuance] Next update 2024-01-31)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36

Summary

During our routine reverification of the account on November 17th, we identified that the Jurisdiction locality field of the account contained a “postal code” where the field should have either contained a “City” name or a “Null” if no city was required. We investigated to determine the cause for this error, and we discovered that on July 9th during a request to change a contact on the account, a manual error occurred where our verification team entered a postal code in the Jurisdiction locality field.

Impact

Two EV TLS and one EV Code Signing certificates were mis-issued.

Timeline

2023-11-17:

  • 09:30 UTC - Issue identified during annual re-verification and escalated for investigation.
  • 14:30 UTC - Investigation started.

2023-11-20

  • 21:20 UTC - Investigation completed and reported to director of compliance.

2023-11-21

  • 15:00 UTC - Director of compliance confirmed investigation conclusions to support team and advised to revoke the certificates within 5-days.
  • 15:30 UTC - Verification sent communication to customer to notify of mis-issuance and provide timeline to revoke, reissue certificates.

2023-11-26

  • 14:50 UTC - All certificates were revoked.

Root Cause Analysis

The actions required for this ticket type (basic contact change for a contact) do not require a review of the jurisdiction information; however, it was required due to the following: the VIRA vetting system was originally designed to require a selection of the incorporating agency for all organization types (non-commercial, government and private) even though the CA/Browser Forum only required it to be included for “private organizations”. A product release this year included a change to only require an “incorporating agency” to be selected for “private organizations”. Since the field is not required for non-commercial and government organizations, any action on an existing account containing this field triggered an update to review the jurisdiction tab information and select a “zip/postal code”, as it recognized a “change” since the last reverification.

Although the copied-and-pasted postal code was manually entered in the locality field, it was not noticed by the Verification Specialist, who selected an override; neither the Verification Specialist nor the Verification Auditor detected the error in the field.
The Verification Auditor had limited visual indication that this field was modified. They reviewed the fields required for the ticket type and did not catch the error during the review.

Lessons Learned

What went well

  • The change has been performed in the past, but the error did not occur.

What didn't go well

  • Verification Specialist made a human error, which was not detected by the Verification Auditor.

Where we got lucky

  • Error was detected through routine annual re-verification.
  • Error on a single account, so only impacted one customer and 3 certificates.
  • Due to the error, we have identified 340 additional accounts which require the same change, so we can take care to make the change correctly.

Action Items

Will follow up with action items.

Appendix

Details of affected certificates

EV TLS certificates

EV Code Signing certificates

Assignee: nobody → bruce.morton
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [ev-misissuance]
Type: defect → task
Action Item | Kind | Due Date
Independent of re-verification, all 340 accounts to be updated | Prevent | 2023-12-11
Software update to highlight changed fields in a ticket to provide better visibility for review and approval | Prevent | 2024-01-31

Independent of re-verification, the update of all 340 accounts was completed 7 December 2023.

Whiteboard: [ca-compliance] [ev-misissuance] → [ca-compliance] [ev-misissuance] Next update 2024-01-31

Have you thought about a lint that looks for known values in the locality name field? Something like checking that it doesn't contain an ISO country code, doesn't have the same value as the state field, or doesn't match a known ZIP code format. Does Entrust have existing lints on the locality fields?

(In reply to Mathew Hodson from comment #4)

> Have you thought about a lint that looks for known values in the locality name field? Something like checking that it doesn't contain an ISO country code, doesn't have the same value as the state field, or doesn't match a known ZIP code format. Does Entrust have existing lints on the locality fields?

Thanks for bringing linting up. We do have lints of the locality fields, but this is against validated data, which would not fix this problem as this data was wrong. We are strongly considering using a service such as melissa.com to ensure the locality fields are in the country which was verified. Still working on a plan.
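As an added illustration of the lint suggested in comment #4 and discussed in the reply above (example code written for this page, not Entrust's VIRA system or any existing lint): a pre-issuance check run on the subject that will actually go into the certificate, so a postal code in jurisdictionLocalityName is caught even when the validated account data itself is wrong. The jurisdiction OIDs are the EV subject attributes; the postal-code patterns and the sample subject are assumptions.

```python
import re

# OIDs of the EV jurisdiction-of-incorporation subject attributes
# (CA/Browser Forum EV Guidelines); other keys use the usual short names.
JURISDICTION_LOCALITY = "1.3.6.1.4.1.311.60.2.1.1"
JURISDICTION_STATE = "1.3.6.1.4.1.311.60.2.1.2"
JURISDICTION_COUNTRY = "1.3.6.1.4.1.311.60.2.1.3"

# Postal-code shapes that must never appear as a locality name.
# Assumed, non-exhaustive list; extend it per country served.
POSTAL_CODE_PATTERNS = [
    re.compile(r"^\d{5}(-\d{4})?$"),                          # US ZIP, ZIP+4
    re.compile(r"^[A-Z]\d[A-Z] ?\d[A-Z]\d$", re.I),           # Canada
    re.compile(r"^[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}$", re.I),  # UK
    re.compile(r"^\d{4,6}$"),                                 # many others
]

def lint_jurisdiction_locality(subject):
    """Return findings for the jurisdictionLocalityName of a to-be-signed
    subject (a dict of attribute -> value). An absent locality is allowed,
    since EV permits omitting it when no locality-level agency applies."""
    locality = subject.get(JURISDICTION_LOCALITY)
    if locality is None:
        return []
    value = locality.strip()
    findings = []
    if any(p.match(value) for p in POSTAL_CODE_PATTERNS):
        findings.append("jurisdictionLocalityName looks like a postal code")
    if not any(ch.isalpha() for ch in value):
        findings.append("jurisdictionLocalityName contains no letters")
    if re.fullmatch(r"[A-Z]{2}", value):
        findings.append("jurisdictionLocalityName looks like an ISO 3166-1 alpha-2 code")
    for key, label in ((JURISDICTION_STATE, "jurisdictionStateOrProvinceName"),
                       ("ST", "stateOrProvinceName")):
        other = subject.get(key)
        if other and other.strip().casefold() == value.casefold():
            findings.append(f"jurisdictionLocalityName duplicates {label}")
    return findings

# Constructed sample resembling this incident: a postal code pasted into the
# locality field. Values are made up, not taken from the affected certificates.
BAD_SUBJECT = {
    "C": "US", "ST": "Texas", "L": "Austin", "O": "Example Corp",
    JURISDICTION_COUNTRY: "US", JURISDICTION_STATE: "Texas",
    JURISDICTION_LOCALITY: "78701",
}
GOOD_SUBJECT = {**BAD_SUBJECT, JURISDICTION_LOCALITY: "Austin"}
```

Calling `lint_jurisdiction_locality(BAD_SUBJECT)` reports the postal-code finding while `GOOD_SUBJECT` passes clean; wiring this in front of the signing step is what makes it independent of the account's validated data.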

(In reply to Bruce Morton from comment #2)

> Action Item | Kind | Due Date
> Software update to highlight changed fields in a ticket to provide better visibility for review and approval | Prevent | 2024-01-31

The software update was released 18 January 2024 to close this action.

All actions are now closed.

Thanks, Bruce. I believe this matter can now be closed. I'll close this on or about Wed. 24-Jan-2024.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Summary: Entrust - Postal Code used a Jurisdiction City in EV Certificate → Entrust: Postal Code used a Jurisdiction City in EV Certificate
Summary: Entrust: Postal Code used a Jurisdiction City in EV Certificate → Entrust: Jurisdiction Locality Wrong in EV Certificate