SwissSign: modified fields were not saved into certificates and resulted in miss-issuance
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: sandy.balzer, Assigned: sandy.balzer)
Details
(Whiteboard: [ca-compliance] [ov-misissuance])
Attachments
(1 file)
|
17.62 KB,
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
|
Details |
Incident Report
Summary
We discovered during a review of our new web shop integration, that during the RAO check, field modification by the RAO in the system of the regulated fields Organization and State were not saved into the certificates.
So this resulted in mis-issued certificates with wrong contents.
Impact
This resulted in a total nr of 11 precerts and 11 TLS certificates (OV) that were mis - issued, since 22nd of December 2023.
For the period of initial internal investigation CA issuance was stopped and then taken up again when it was ensured that certs will be issued correctly.
During testing we discovered that only the OV RAO process is impacted while the EV process isn't. Therefore, we exchanged the OV process with EV process.
This results in a fully compliant RAO process.
Timeline
2024-01-25:
- 11:00 UTC we received an report about this issue from internal employee performing web shop review
- 11:30 UTC Compliance starts Investigation, confirms mis-issuance, starts mis-issuance process and stops RAO Approval of certificates ordered via web shop
- 14:00 UTC Identified Root Cause and identified mitigation
- 11:30 UTC Implementation of mitigation
- 16:00 UTC Information to audit body
2024-01-26:
- 16:20 UTC Posting of this Bugzilla
Root Cause Analysis
The problem only occurs in the new web shop.
Deep analysis showed a bug in the approval process of the RAO for OV certificates.
Lessons Learned
What went well
- Internal review brought the issue up.
- identified root cause quickly
What didn't go well
Where we got lucky
- identified fast mitigation
- that only a small number of certificates was affected and only those ordered by web shop.
Action Items
| Action Item | Kind | Due Date | Status |
|---|---|---|---|
| 1. Review of web shop | Detect | 2024-01-25 | Done |
| 2. Change of the RAO check to EV process | Prevent | 2024-01-25 | Done |
| 3. Revoke mis-issued certificate | Mitigate | 2024-01-30 | ongoing |
Appendix
Details of affected certificates
|
||
Updated•7 months ago
|
|
Assignee | |
Comment 1•7 months ago
|
||
Update: all certificates have been revoked and timeline corrected from typing error (14:00 UTC Identified Root Cause and identified mitigation).
Timeline
2024-01-25:
- 11:00 UTC we received an report about this issue from internal employee performing web shop review
- 11:30 UTC Compliance starts Investigation, confirms mis-issuance, starts mis-issuance process and stops RAO Approval of certificates ordered via web shop
-14:00 UTC Identified Root Cause and identified mitigation - 14:30 UTC Implementation of mitigation
- 16:00 UTC Information to audit body
2024-01-26:
- 16:20 UTC Posting of this Bugzilla
2024-01-30
- 15:30 corrected Timeline of Bugzilla from typo
- 16:45 update of Bugzilla
Action Items
| Action Item | Kind | Due Date | Status |
|---|---|---|---|
| 1. Review of web shop | Detect | 2024-01-25 | Done |
| 2. Change of the RAO check to EV process | Prevent | 2024-01-25 | Done |
| 3. Revoke mis-issued certificate | Mitigate | 2024-01-30 | Done |
For this Bugzilla there is no further action planned form our side.
If there are no further questions from the community, we would ask to close this Bugzilla.
|
|
||
Comment 2•7 months ago
|
||
I will leave this open for another week until 7-February-2024 in case there is further discussion.
|
|
||
Updated•7 months ago
|
Description
•