Izenpe: Not allowed Qualifier ID OID on Certificate Policies extension
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: d-fernandez, Assigned: d-fernandez)
Details
(Whiteboard: [ca-compliance] [dv-misissuance] [ov-misissuance])
Attachments
(1 file: 8.28 KB, text/plain)
Incident Report
Summary
Analyzing Izenpe's certificates we have found out that we are including OID "1.3.6.1.5.5.7.2.2" (unotice)
in the certificate Policies section on our DV and OV profiles.
This qualifier ID OID has been present in our certificates since the beginning.
According to the BR (since 2.0.0) 7.1.2.7.9, the only policyQualifier OID accepted under this section
is id-qt-cps (OID: 1.3.6.1.5.5.7.2.1) and thus, this is a violation of the BRs.
Impact
The affected certificates are all issued since Sept 15th 2023 of our DV and OV profiles, 266 in total.
Today we have stopped issuing these certificates.
Timeline
All times are UTC.
2023-09-15:
- BR's SC62 (Certificate Profiles Update) comes into force.
2024-01-25:
- 07:00 Reviewing Bugzilla latest bugs, we started analyzing if we were also affected by bug#1875942.
- 09:00 We found out that EV certificates were not affected but DV and OV were. We decided to stop issuing these certificates until the ssl profiles were updated.
- 11:00 We have generated a full list of all the certificates affected in order to communicate to our customers and to be published in bugzilla.
Root Cause Analysis
During the review of SC62 and comparing it with our certificates we did not notice the change affecting the "certificatePolicies" extension.
Also, not having an updated version of zlint on our systems led to this mistake going unnoticed previously.
Lessons Learned
What went well
Although we still don't have a full automated process for issuing certificates, most of the tasks are, so it's quite easy and fast
to reissue the new certificates.
What didn't go well
Revision of BR's latest version.
Update frequency of tools like zlint. It should be performed before ballots are effective.
Where we got lucky
It did not affect EV profile.
90% of affected certificates come from few customers.
Action Items
| Action Item | Kind | Due Date |
|---|---|---|
| Stop issuing DV and OV certificates | Prevent | 2024-01-25 |
| Change DV and OV ssl profile | Remediation | 2024-01-26 |
| Revocation | Remediation | 2024-01-30 |
| Update Zlint | Prevent | 2024-02-05 |
Appendix
Details of affected certificates
See attached file
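The check this report describes, as an added example that is not Izenpe's code nor zlint's: a dependency-free DER walk over a certificatePolicies extnValue that lists every policyQualifierId and flags any that is not id-qt-cps, run over two constructed extensions (the CA/B Forum DV policy OID with a hypothetical CPS URL, once with and once without the UserNotice qualifier).

```python
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"   # id-qt-cps: the only policyQualifierId BR 7.1.2.7.9 permits

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):                                 # (tag, content) of each TLV in a SEQUENCE
    pos = 0
    while pos < len(content):
        tag, inner, pos = _read_tlv(content, pos)
        yield tag, inner

def _decode_oid(body):
    """Decode OID content octets into dotted form."""
    first = body[0]
    arcs, acc = ([2, first - 80] if first >= 80 else [first // 40, first % 40]), 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                                # last base-128 byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def policy_qualifiers(ext_value):
    """Return [(policyIdentifier, policyQualifierId), ...] found in a certificatePolicies extnValue."""
    out = []
    _, policies, _ = _read_tlv(ext_value, 0)            # SEQUENCE OF PolicyInformation
    for _, info in _children(policies):
        fields = list(_children(info))                  # [policyIdentifier, policyQualifiers (optional)]
        policy_oid = _decode_oid(fields[0][1])
        for _, pqi in (_children(fields[1][1]) if len(fields) > 1 else ()):
            out.append((policy_oid, _decode_oid(next(_children(pqi))[1])))
    return out

def br_7_1_2_7_9_violations(ext_value):
    """Every qualifier other than id-qt-cps (e.g. id-qt-unotice 1.3.6.1.5.5.7.2.2) is a violation."""
    return [(p, q) for p, q in policy_qualifiers(ext_value) if q != ID_QT_CPS]

def _tlv(tag, content):
    return bytes([tag, len(content)]) + content         # minimal DER encoder (short-form length only)

# Constructed samples, not Izenpe certificates: DV policy OID 2.23.140.1.2.1 with a CPS URI
# qualifier (hypothetical URL) and, in BEFORE_EXT, the UserNotice qualifier as well.
_DV_OID = _tlv(0x06, bytes.fromhex("67810c010201"))
_CPS = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010505070201")) + _tlv(0x16, b"http://ca.example/cps"))
_UNOTICE = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010505070202")) + _tlv(0x30, _tlv(0x0c, b"DV")))
BEFORE_EXT = _tlv(0x30, _tlv(0x30, _DV_OID + _tlv(0x30, _CPS + _UNOTICE)))   # profile as issued
AFTER_EXT = _tlv(0x30, _tlv(0x30, _DV_OID + _tlv(0x30, _CPS)))              # corrected profile
```

`br_7_1_2_7_9_violations(BEFORE_EXT)` reports the unotice qualifier; on `AFTER_EXT` it returns an empty list.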
Hi,
as planned, we have resumed issuing certificates of our DV and OV profiles after changing their profiles to get rid of the OID "1.3.6.1.5.5.7.2.2" from the PolicyQualifier Ids.
The first one issued has been the following:
https://crt.sh/?id=11874450602
Regards
Hi,
at 16:30 UTC+1, we have finished revoking all certificates affected by this issue.
We continue as planned.
Regards
Hi,
we have succeeded in installing and configuring zlint for our production environment.
No issues have been detected once it has started analyzing new certs.
I'll close this incident on or about Friday, 5-Apr-2024, unless there are questions to address.