certSIGN: Delayed revocation
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: gabriel.petcu, Assigned: gabriel.petcu)
Details
(Whiteboard: [ca-compliance] [leaf-revocation-delay])
Incident Report
Delayed revocation of a misissued certificates.
Summary
certSIGN received an email related to an incorrect relative order of Subject attributes as defined in BR section 7.1.4.2. As the email with a Certificate Problem Report was marked as junk, the reported certificate was not known by certSIGN to be analyzed/revoked according to CA/Browser Forum Baseline Requirements.
Impact
The certificate was not revoked in the due time.
Timeline
All times are UTC.
2024-03-05:
- 15:18 an email was received on the address revokecsgn@certsign.ro with a Certificate Problem Report about a non-conformity on the Subject Attribute Encoding order
- 15:18 the email was marked as Junk, due to the email filter from the Office 365.
2024-03-18:
- 13:07 an email was received from a different sender email address with the same Certificate Problem Report, that was not marked as Junk
- 16:00 start to investigate the facts & circumstances related to the certificate problem report
- 16:10 the third party informing certSIGN on the Certificate Problem Report was acknowledged
- 18:33 the Subscriber was informed about the incident and instructed to apply for replacement certificate as the affected certificate must be revoked
2024-03-20:
- 08:00 certSIGN informed the WebTrust auditors about the incident
- 22:30 the incident report was registered in Bugzilla
Root Cause Analysis
The email filter on the sender: dickson.linting.experiment@gmail.com sent the email to junk, so the email was not read.
Lessons Learned
What went well
- Immediate actions were taken when the error was identified
- The revocation process is going well once started
What didn't go well
- The persons responsible for receiving the emails on the revokecsgn@certsign.ro did not check the junk email folder
Where we got lucky
- After checking the Junk folder only this email was a legitimate revocation request.
Action Items
| Action Item | Kind | Due Date | Status |
| Check all emails in the Junk folder | Analyze | 2024-03-18 | Done |
| Start analyzing the problem and the revocation process | Correct | 2024-03-18 | Done |
| Train the responsibles regarding the Problem reporting mechanism| Prevent | 2024-03-29 | In progress |
Appendix
Details of affected certificates
https://crt.sh/?sha256=d706002eee804b37f85292abc2ca2ae1bcb6380dbf12f04247598d89e6852dd7
Based on Incident Reporting Template v. 2.0
|
||
Updated•7 months ago
|
|
Assignee | |
Comment 1•7 months ago
|
||
We revoked the non-conformant certificate within the maximum period of 5 days since certSIGN acknowledged the reception of the CPR.
|
|
Assignee | |
Comment 2•7 months ago
|
||
The responsibles allocated on the Problem reporting mechanism had an internal meeting, on 29.03.2024, focusing on different scenarios when emails received from external may be lost. The main effective action is a daily check of the Junk and Spam folders, that was included in the routine email check.
All the action items are closed now.
|
|
Assignee | |
Comment 3•6 months ago
|
||
We have no additional actions and consider the bug resolved unless there are further questions.
|
|
Assignee | |
Comment 4•5 months ago
|
||
We have no additional actions and consider the bug resolved unless there are further questions.
What changes have you made to the CPR process to ensure this doesn't happen?
The email filter on the sender: dickson.linting.experiment@gmail.com sent the email to junk, so the email was not read.
Why did this happen?
|
|
Assignee | |
Comment 6•5 months ago
|
||
As mentioned in the Root Cause Analysis: The email filter on the sender: dickson.linting.experiment@gmail.com sent the email to junk, so the email was not read.
The solution we agreed to apply is that all the persons responsible for receiving the emails on the revokecsgn@certsign.ro to check daily their junk email folder
why did the filters think that’s junk? I’ve administrated mail servers in the past and I would be able to get some information on why the mail server thought something is “junk”.
|
|
||
Updated•5 months ago
|
|
|
Assignee | |
Comment 8•5 months ago
|
||
As mentioned in the Root Cause Analysis: The email filter on the sender: dickson.linting.experiment@gmail.com sent the email to junk, so the email was not read.
The solution we agreed to apply is that all the persons responsible for receiving the emails on the revokecsgn@certsign.ro to check daily their junk email folder.
|
|
Assignee | |
Comment 9•5 months ago
|
||
Please ignore the above comment as it was a duplicate of Comment 6 - posted by mistake/
|
|
||
Comment 10•5 months ago
|
||
I would like certSIGN to investigate whether they can whitelist some characteristics or turn off junk-email filtering for messages sent to that email address.
|
|
Assignee | |
Comment 11•5 months ago
|
||
Hello Amir,
certSIGN is using Microsoft 365. Microsoft spam filtering marked the message from "dickson.linting.experiment@gmail.com" as spam because the spam confidence level (SCL) has value 5 and the email was delivered in the junk folder.
Hello Ben,
We have turned-off junk-email filters for messages sent to revokecsgn@certsign.ro.
|
|
||
Comment 12•5 months ago
|
||
Unless there are more questions or issues to raise, I intend to close this sometime next week (May 27-31).
|
||
Comment 13•5 months ago
|
||
Thank you for the information, I do not have any further questions.
|
|
||
Updated•5 months ago
|
Description
•