Asseco DS / Certum: Delayed revocation of EV certificates
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: aleksandra.kurosz, Assigned: aleksandra.kurosz)
Details
(Whiteboard: [ca-compliance] [leaf-revocation-delay])
Attachments
(1 file)
7.68 KB, text/plain
Incident Report
Summary
Certum has issued 138 EV TLS certificates since September 15, 2023, with an incorrect relative order of Subject attributes as defined in BR section 7.1.4.2. In bug 1865080 it was shown that the certificates were not revoked within the time specified by BR.
Impact
After September 15, 2023, a total of 138 EV TLS certificates were issued with the incorrect relative order of Subject attributes.
All certificates affected by this mis-issuance were revoked on November 21, 2023.
Timeline
All times are UTC +1.
2023-11-16 07:45 UTC Investigation started
2023-11-16 14:02 UTC A preliminary incident report was registered in Bugzilla
2023-11-21 Certum revoked all affected certificates
2023-11-23 Certum published a full incident report
2023-11-23 - 2023-12-21 Discussion in bug 1865080. Certum analyzed the discussion in bug 1865080 and decided to create a bug about the delay in revocation.
Root Cause Analysis
Our understanding of the revocation date was based on counting full days, and as per our records, the problem was acknowledged on 16.11.2023. We considered the full day of 21.11.2023 and subsequently revoked all certificates on that day, meeting the 5-day baseline requirement. The revocations were completed on 21.11.2023. As proven in bug 1865080, this reasoning is incorrect, so we are reporting this bug to clarify this situation.
Lessons Learned
What went well
- The discussion in the bug led us to the correct understanding of the deadline for certificate revocation.
What didn't go well
- We misunderstood the distinction in the BR between hours and days, which led to a delay in the revocation.
Where we got lucky
- N/A
Action Items
Action Item | Kind | Due Date |
---|---|---|
We will change our internal instructions from 5 days to 120 hours for revocation. | Prevent | 2024-01-15 |
Details of affected certificates
In attachment
Based on Incident Reporting Template v. 2.0
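The deadline arithmetic at the centre of this report, as an added example that is not part of Certum's report or of the Bugzilla page. It computes the BR's 5-day revocation deadline both ways the report mentions: as 120 hours from the acknowledgement time given in the timeline (2023-11-16 07:45 UTC, the reading the bug discussion settled on), and as whole calendar days with the entire fifth day treated as still in time (the reading the root cause describes). The page gives only the date of revocation, so the revocation time used here is a hypothetical value chosen to show where the two readings diverge; the timeline entries are labelled UTC, so UTC is used throughout.

```python
from datetime import datetime, timedelta, timezone

# Constructed from the report's timeline: the problem was acknowledged when the
# investigation started, 2023-11-16 07:45 UTC. The revocation time on 2023-11-21
# is not given on the page; the value below is hypothetical.
ACKNOWLEDGED = datetime(2023, 11, 16, 7, 45, tzinfo=timezone.utc)
HYPOTHETICAL_REVOKED = datetime(2023, 11, 21, 15, 0, tzinfo=timezone.utc)


def deadline_by_hours(acknowledged, hours=120):
    """'Within 5 days' read as 120 hours after acknowledgement."""
    return acknowledged + timedelta(hours=hours)


def deadline_by_calendar_days(acknowledged, days=5):
    """The reading the report describes: count whole calendar days (UTC) and
    treat the entire fifth day as still in time. Returns the exclusive end of
    that day, i.e. midnight at the start of the following day."""
    last_day = (acknowledged + timedelta(days=days)).date()
    return datetime.combine(last_day + timedelta(days=1),
                            datetime.min.time(), tzinfo=timezone.utc)


def assess_revocation(acknowledged, revoked):
    """Report how a revocation time fares under both readings, and how many
    hours late it is under the 120-hour reading (0.0 if on time)."""
    by_hours = deadline_by_hours(acknowledged)
    by_days = deadline_by_calendar_days(acknowledged)
    late_by = max(revoked - by_hours, timedelta(0))
    return {
        "deadline_120h": by_hours,
        "deadline_5_calendar_days": by_days,
        "on_time_by_hours": revoked <= by_hours,
        "on_time_by_days": revoked < by_days,
        "late_by_hours": late_by.total_seconds() / 3600,
    }


if __name__ == "__main__":
    # With the hypothetical 15:00 revocation the calendar-day reading says
    # "on time" while the 120-hour reading says 7.25 hours late.
    for key, value in assess_revocation(ACKNOWLEDGED, HYPOTHETICAL_REVOKED).items():
        print(f"{key}: {value}")
```

Anything revoked on 21 November after 07:45 UTC passes the calendar-day check and fails the 120-hour one, which is exactly the gap between the two readings described in the root cause; a revocation procedure that stores the acknowledgement timestamp and compares against `acknowledged + 120h` avoids the ambiguity entirely.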
Comment 1•10 months ago
I will close this on 29-Dec-2023 unless there is a need for further discussion.
Comment 2•10 months ago
We have no additional updates for this bug.