Closed Bug 1871393 Opened 10 months ago Closed 10 months ago

Asseco DS / Certum: Delayed revocation of EV certificates

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: aleksandra.kurosz, Assigned: aleksandra.kurosz)

Details

(Whiteboard: [ca-compliance] [leaf-revocation-delay])

Attachments

(1 file)

Incident Report

Summary

Certum has issued 138 EV TLS certificates since September 15, 2023, with an incorrect relative order of Subject attributes as defined in BR section 7.1.4.2. In bug 1865080 it was shown that the certificates were not revoked within the time specified by BR.

Impact

After September 15, 2023, a total of 138 EV TLS certificates were issued with the incorrect relative order of Subject attributes.
All certificates affected by this mis-issuance were revoked on November 21, 2023.

Timeline

All times are UTC +1.

2023-11-16 07:45 UTC Investigation started
2023-11-16 14:02 UTC A preliminary incident report was registered in Bugzilla
2023-11-21 Certum revoked all affected certificates
2023-11-23 Certum published a full incident report
2023-11-23 - 2023-12-21 Discussion in bug 1865080. Certum analyzed the discussion in bug 1865080 and decided to create a bug about the delay in revocation.

Root Cause Analysis

Our understanding of the revocation date was based on counting full days, and as per our records, the problem was acknowledged on 16.11.2023. We considered the full day of 21.11.2023 and subsequently revoked all certificates on that day, meeting the 5-day baseline requirement. The revocations were completed on 21.11.2023. As proven in bug 1865080, this reasoning is incorrect, so we are reporting this bug to clarify this situation.

Lessons Learned

What went well

  • The discussion in the bug led us to the correct understanding of the deadline for certificate revocation.

What didn't go well

  • We incorrectly understood the distinction in the BR between hours and days, which led to a delay in the revocation.

Where we got lucky

  • N/A

Action Items

Action Item                                                              | Kind    | Due Date
We will change our internal instructions from 5 days to 120 hours for revocation. | Prevent | 2024-01-15

Details of affected certificates

In attachment

Based on Incident Reporting Template v. 2.0

Assignee: nobody → aleksandra.kurosz
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [leaf-revocation-delay]
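As an added illustration, not part of Certum's report, the following compares the hour-based deadline the BR actually imposes with the calendar-day reading described in the root cause analysis. The awareness time is taken from the report's timeline (UTC+1 as the report states); the per-certificate revocation times are constructed, since the bug gives only the date 2023-11-21.

```python
from datetime import datetime, timedelta, timezone

# Awareness time from the report's timeline, in the UTC+1 zone the report declares.
CET = timezone(timedelta(hours=1))
AWARE_AT = datetime(2023, 11, 16, 7, 45, tzinfo=CET)


def revocation_deadline(aware_at: datetime, hours: int) -> datetime:
    """Hour-based deadline: a fixed number of hours from the moment the CA
    becomes aware of the problem, normalised to UTC so the local zone in
    which the time was recorded cannot shift the result."""
    if aware_at.tzinfo is None:
        raise ValueError("awareness time must be timezone-aware")
    return (aware_at + timedelta(hours=hours)).astimezone(timezone.utc)


def calendar_day_deadline(aware_at: datetime, days: int) -> datetime:
    """The mistaken reading: count whole calendar days after the day of
    awareness and treat any time on the last of them as still in time."""
    last_day = aware_at.date() + timedelta(days=days)
    return datetime.combine(last_day, datetime.max.time(), tzinfo=aware_at.tzinfo)


def check_revocations(aware_at: datetime, revoked_at_by_serial: dict, hours: int = 120) -> list:
    """Return the serials whose revocation landed after the hour-based deadline."""
    deadline = revocation_deadline(aware_at, hours)
    return sorted(
        serial for serial, revoked_at in revoked_at_by_serial.items()
        if revoked_at.astimezone(timezone.utc) > deadline
    )


# Constructed revocation times (hypothetical serials), both on 2023-11-21 local time.
REVOKED = {
    "serial-A": datetime(2023, 11, 21, 7, 0, tzinfo=CET),   # 119h15m after awareness: in time
    "serial-B": datetime(2023, 11, 21, 9, 30, tzinfo=CET),  # 121h45m after awareness: late
}

if __name__ == "__main__":
    print("120h deadline (UTC):", revocation_deadline(AWARE_AT, 120))
    print("calendar-day reading ends:", calendar_day_deadline(AWARE_AT, 5))
    print("late under 120h rule:", check_revocations(AWARE_AT, REVOKED))
```

Both constructed revocations fall on the "fifth day" under the calendar reading, yet only the one completed before 07:45 local time on 2023-11-21 satisfies the 120-hour rule.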

I will close this on 29-Dec-2023 unless there is a need for further discussion.

Flags: needinfo?(bwilson)

We have no additional updates for this bug.

Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Summary: Asseco DS/Certum: Delayed revocation of EV certificates → Asseco DS / Certum: Delayed revocation of EV certificates
