Closed Bug 1891531 Opened 6 months ago Closed 6 months ago

Digicert: Government Entity listed instead of registration number

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jeremy.rowley, Assigned: jeremy.rowley)

Details

(Whiteboard: [ca-compliance] [ev-misissuance])

Attachments

(1 file)


Steps to reproduce:

We received a report on April 13th that one certificate included the term "Government Entity" instead of the registration number. Upon investigation, we determined this certificate was mis-issued. We scheduled the revocation for April 18th (5 days after receiving the report). We are currently investigating other certificates with the term "Government Entity" to see if similar issues exist.

The certificate in question:
https://crt.sh/?id=10561909758

The issue stems from section 9.2.5:
"For Government Entities that do not have a Registration Number or readily verifiable date of creation, the CA SHALL enter appropriate language to indicate that the Subject is a Government Entity."

In the Netherlands, KVK is the primary source of registration information. In some cases, KVK provides a registration number. Because KVK includes both entities with and without a registration number, our validation allow list permits KVK to have either a registration number or "Government Entity". We are currently unsure how to address this issue from a programmatic perspective considering both types of entities exist in the same database.

This is only a preliminary report about the incident. We will report back on April 21 after finishing our internal investigation.

Assignee: nobody → jeremy.rowley
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [ev-misissuance]

Incident Report

Summary

We received a Certificate Problem Report (CPR) for a single TLS certificate with the subject:serialNumber (https://crt.sh/?id=10561909758) listed as “Government Entity”. Although the entity is a government entity, the organization had an ID listed in the government source (KVK). Per Section 7.1.4.2.5 of the EV Guidelines, government entities can only list “Government Entity” if the government entity does not have a serial number or date of creation listed.

Our investigation showed that KVK includes government entities without an ID and with an ID. Our JOI template for KVK allowed for both because of this. We also found that all entities created after 2021 require an ID, and that many government entities already have an ID.
For remediation, we queried our database for all entities listed as “Government Entity” that were validated using KVK. We then reviewed each entry to determine whether the entry was correct. We found 27 incorrect certificates. To remediate, we removed “Government Entity” as an option for KVK. Any entities requiring “Government Entity” as their registration number will need to go through an escalation process.

Impact

27 unexpired certificates. All impacted certificates are already revoked or will be revoked five days from when we discovered the certificate with the issue.

Timeline

All times are UTC.

2024-04-13:
• 20:23 - We were notified by a third party that a certificate had “Government Entity” listed in the certificate despite having a KVK number.
• 20:59 - Requested data pull of certificates from KVK.
• 21:17 - We responded to the third party and agreed that the certificate was mis-issued based on the EV Guidelines.

2024-04-15:
• 14:39 - Review of certificates from data pull initiated.
• 17:07 - Filed initial incident report.
• 23:10 - Removed government entity as an option from the KVK source listing.

2024-04-18:
• 19:45 - Final list of impacted certificates obtained and revocation notices sent.

All certificates will be revoked before 19:00 on 2024-04-23.

Root Cause Analysis

The root cause was that KVK is used as a source for private and government entities in the Netherlands. Some government entities use a registration number while others do not. Our system allows both types of government entities for this source. A validation agent incorrectly selected “Government Entity” for the registration number rather than selecting the actual registration number. We have removed “Government Entity” as an option for KVK for the front-line staff. Entities requiring “Government Entity” must go through an escalation process where a manager must review and select “Government Entity”. The escalation process is only permitted if KVK is the only source available for verification.

Lessons Learned

What went well

• Easy to detect error and determine scope of issue
• Limited number of customers

What didn't go well

• Our validation agent did not notice the registration number in the KVK source.
• Mixed data sources with both registration numbers and without registration numbers create obstacles in automation.

Where we got lucky

• A limited number of certificates were impacted.

Action Items

We have removed government entity as an option for KVK.

Appendix

Details of affected certificates
The affected certificates are listed in the attachment.

Hi Jeremy,

Have you also considered the language in section 3.2.2.2.1(2) (emphasis mine):

Government Entity Subjects

A. Legal Existence: Verify that the Applicant is a legally recognized Government Entity, in existence in the political subdivision in which such Government Entity operates.
B. Entity Name: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request.
C. Registration Number: The CA MUST attempt to obtain the Applicant's date of incorporation, registration, or formation, or the identifier for the legislative act that created the Government Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is a Government Entity.

It seems that some Government Entities do have a registration number or an identifier that could fit into the subject:serialNumber and this is the intent behind this subject attribute. In case there are "circumstances where this information is not available", then the CA MUST just enter something to indicate that the Subject is a Government Entity.

The sentence in 7.1.4.2.5 starts with "For Government Entities that do not have a Registration Number or readily verifiable date of creation", but does not say what applies for Government Entities that DO have "a Registration Number or readily verifiable date of creation".

IMO it should be ok to add a Registration Number under the "Government Entity" Business Category in the subject:serialNumber field if one can be obtained and verified, and it would be inappropriate to list such an entity as a "Private Organization".

Yes - that is the bug.

Some government entities have registration numbers. When they do have a registration number, a CA is required to enter the registration number instead of using the date of creation or the term "Government entity". In the 27 certs listed, the validation agent entered "Government Entity" instead of using the registration number.

The root cause is that this source was not locked down enough. KVK lists government entities with a registration number and government entities without a registration number. The majority have registration numbers. To ensure better compliance, we banned using KVK without entering a registration number. Government entities that do not have a registration number listed on KVK will need to go through an alternate source or receive an exception, which will only be granted if there isn't any other NL source that we can use for verification of JOI.

Thanks, I read the incident a bit fast... Thanks for the clarification.

At the same time, I think it would help if 7.1.4.2.5 was updated to clearly state that Government Entities that have a Registration Number or readily verifiable date of creation must use that identifier as the value of the subject:serialNumber field.

Thoughts?

I think the language is already very clear, but we can update it if anyone is confused.

This particular bug didn't result from a misunderstanding of the requirement. Instead, the validation person made the wrong choice when using the source. The only reason that happened is we allowed both because of the data in the validation source.

I do think the language is a little confusing. The grammar suggests it should be interpreted like this: "The CA MUST attempt to obtain the Applicant's date of incorporation, the Applicant's date of registration, the Applicant's date of formation, or the identifier for the legislative act that created the Government Entity."

When read like that, it doesn't mention the entity's number. It says either a date or an identifier for legislation.

Yes - I agree it currently is ambiguous whether you can insert the date of creation instead of the registration number where both exist.

"For Government Entities that do not have a Registration Number or readily verifiable date of creation, the CA SHALL enter appropriate language to indicate that the Subject is a Government Entity."

Registration Number = Date of Creation > Government Entity. In this bug, date of creation wasn't used so it's not really relevant to what happened. However, if you're talking more generally, then I absolutely agree we should clarify the order of preference as Registration Number > Date of Creation > Government Entity.

For this bug, I think all remediations are complete and we've explained what happened. Are there any more questions before we close it?

Flags: needinfo?(bwilson)
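The preference order stated in the comment above (Registration Number > Date of Creation > "Government Entity") and the scope query from the incident report (pull every KVK-validated subject carrying the marker and compare it with the source) can be expressed as a post-issuance lint. The block below is example code added for this page, not DigiCert's validation tooling or anything from the bug. The subject strings and KVK records are constructed, the `SourceRecord` shape and the attribute-name alias table are assumptions, and the parser handles only the simple `type=value` subject form with backslash escapes.

```python
"""Post-issuance lint for the EV subject:serialNumber of Government Entity subjects.

Example code written for this page, not DigiCert's validation tooling. It encodes
the preference order discussed in the bug:
Registration Number > Date of Creation > "Government Entity".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GOV_ENTITY_MARKER = "Government Entity"

# Attribute types as printed in a subject (OID or short name) mapped to one key.
# Assumed alias table for this example, not a complete RFC 4514 type registry.
_ATTR_ALIASES = {
    "2.5.4.5": "serialnumber", "serialnumber": "serialnumber",
    "2.5.4.15": "businesscategory", "businesscategory": "businesscategory",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionc", "jurisdictionc": "jurisdictionc",
    "2.5.4.10": "o", "o": "o", "organizationname": "o",
    "2.5.4.6": "c", "c": "c", "countryname": "c",
}


@dataclass
class SourceRecord:
    """What the validation source (e.g. KVK) verifiably says about the subject (assumed shape)."""
    source: str
    registration_number: Optional[str] = None
    date_of_creation: Optional[str] = None  # ISO date, only if readily verifiable


def expected_serial_number(rec: SourceRecord) -> str:
    """Value subject:serialNumber must carry for a Government Entity, given the source data."""
    if rec.registration_number:
        return rec.registration_number
    if rec.date_of_creation:
        return rec.date_of_creation
    return GOV_ENTITY_MARKER


def _canonical(attr_type: str) -> str:
    key = attr_type.strip().lower()
    return _ATTR_ALIASES.get(key, key)


def parse_subject(dn: str) -> Dict[str, str]:
    """Minimal subject parser: 'type=value' pairs split on unescaped commas;
    a backslash escapes the next character (so 'O=A\\, B' yields value 'A, B')."""
    attrs: Dict[str, str] = {}
    attr_type: Optional[str] = None
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr_type is None:   # first '=' separates type from value
            attr_type, buf = "".join(buf), []
        elif ch == ",":
            if attr_type is not None:
                attrs[_canonical(attr_type)] = "".join(buf).strip()
            attr_type, buf = None, []
        else:
            buf.append(ch)
    if attr_type is not None:
        attrs[_canonical(attr_type)] = "".join(buf).strip()
    return attrs


def check_subject(dn: str, rec: SourceRecord) -> List[str]:
    """Return findings; an empty list means serialNumber agrees with the source."""
    subject = parse_subject(dn)
    serial = subject.get("serialnumber")
    category = subject.get("businesscategory")
    if serial is None:
        return ["subject:serialNumber is missing"]
    findings: List[str] = []
    # The marker is only meaningful under the Government Entity business category.
    if serial == GOV_ENTITY_MARKER and category != GOV_ENTITY_MARKER:
        findings.append(f"serialNumber is {GOV_ENTITY_MARKER!r} but businessCategory is {category!r}")
    # For government entities the source data decides which of the three values is required.
    if category == GOV_ENTITY_MARKER:
        want = expected_serial_number(rec)
        if serial != want:
            findings.append(f"serialNumber {serial!r} but {rec.source} data requires {want!r}")
    return findings


def find_misissued(entries: List[Tuple[str, str, SourceRecord]]) -> List[str]:
    """Scope query: ids of certificates whose serialNumber disagrees with the source."""
    return [cert_id for cert_id, dn, rec in entries if check_subject(dn, rec)]


# Constructed sample data (not real certificates or KVK records).
_NL = "businessCategory=Government Entity,1.3.6.1.4.1.311.60.2.1.3=NL"
SAMPLE: List[Tuple[str, str, SourceRecord]] = [
    ("cert-1", "serialNumber=Government Entity," + _NL + ",O=Gemeente Voorbeeld\\, Afdeling ICT,C=NL",
     SourceRecord("KVK", registration_number="12345678")),   # number exists: misissued
    ("cert-2", "serialNumber=12345678," + _NL + ",O=Gemeente Voorbeeld,C=NL",
     SourceRecord("KVK", registration_number="12345678")),   # correct
    ("cert-3", "2.5.4.5=Government Entity,2.5.4.15=Government Entity,O=Waterschap Voorbeeld,C=NL",
     SourceRecord("KVK", date_of_creation="2019-03-01")),    # date exists: misissued
    ("cert-4", "serialNumber=Government Entity," + _NL + ",O=Provincie Voorbeeld,C=NL",
     SourceRecord("KVK")),                                   # neither exists: marker is correct
    ("cert-5", "serialNumber=Government Entity,businessCategory=Private Organization,O=Voorbeeld B.V.,C=NL",
     SourceRecord("KVK", registration_number="87654321")),   # marker on a private org: misissued
]

if __name__ == "__main__":
    for cert_id, dn, rec in SAMPLE:
        print(cert_id, check_subject(dn, rec) or "OK")
```

Run against the constructed sample it reports cert-1, cert-3 and cert-5. In a real deployment the `SourceRecord` would be populated from the stored validation evidence rather than typed in, and the subject would come from the issued certificate rather than a string; the comparison logic is the part worth keeping.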

Hi Jeremy,
Could DigiCert sponsor a CABF ballot to clarify this requirement?
Thanks,
Ben

Flags: needinfo?(jeremy.rowley)

You bet. We'll have something for Italy. Do you want to keep the bug open until we propose the ballot or can we close the bug and do the ballot separately? The ballot wouldn't have impacted or changed this bug as mentioned above.

Flags: needinfo?(jeremy.rowley)
Flags: needinfo?(bwilson)

I will close this bug on or about Wed. 1-May-2024.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
