Open Bug 1896596 Opened 25 days ago Updated 8 days ago

SECOM: Certificates Issued with lower case value in subject:countryName

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: fumia-ono, Assigned: fumia-ono)

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.140

Steps to reproduce:

We have not been able to determine at this time whether the TLS server certificates noted here qualify as mis-issued certificates, but we are submitting them to Bugzilla.

We have been notified that there are 16 TLS server certificates with C=jp on May 9, 2024.
We have confirmed that the subject:countryName of the noted certificates contains lower case alphabetic characters (C=jp).
We looked at other companies' cases and considered that it could be determined to be a violation or mis-issuance.
From the viewpoint that the benefits of allowing lowercase letters are very small at present, we decided not to issue certificates with a lowercase value in subject:countryName.
In addition, we are strongly encouraging our subscribers to revoke, given the risk of being judged a violation or mis-issuance.

ISO 3166-1 version ambiguity

We have checked the relevant section of "Baseline Requirements for TLS Server Certificates".
7.1.2.7.4 Organization Validated
“The two-letter ISO 3166-1 country code for the country associated with the Subject.”

ISO 3166-1:2020 (the newest one), Section 5.1 "Code Element Formation", states that code elements shall consist of "LATIN CAPITAL LETTER A through LATIN CAPITAL LETTER Z".

On the other hand, Section 5.1 of ISO 3166-1:2006 (which was not available as is, but its Japanese translation, JIS X 0304:2011, is publicly available, and we checked that one) does not mention such usage.
Although both the 2020 and 2006 editions have descriptions in Section 5.3 on how to "construct", the description covers only the construction of the code. Only the 2020 edition mentions using capital letters when forming it.

Based on the above as the background, and

  • The current Baseline Requirements reference ISO 3166-1, but do not specify which version.
  • Since Baseline Requirements v1.0 (Effective Date of 1 July 2012), the references to ISO 3166-1 have existed unchanged.
  • We believe there was no discussion on CABForum about changing the version of ISO 3166-1.

We believe there might be some ambiguity as to which ISO 3166-1 we should refer to, and ambiguity as to whether the BR explicitly prohibits the use of capital letters in the country code or not.

Directory name in PrintableString

According to Baseline Requirements "7.1.4.2 Subject Attribute Encoding", "Encoding Requirements" for "countryName" is "MUST use PrintableString".
We would like to point out that the syntax of the C=JP part is written with Directory Name in mind, and it is PrintableString.
We agree that the use of lower-case letters is not common practice at all, but for a directory name in PrintableString, we believe it is reasonable to match case-insensitively, per the X.520 Section 6.2.1 and 6.3.1 specification (RFC 4517, RFC 4518 and RFC 4519 also explain something similar, but slightly different).

X.520 6.2.1 states the following, and 6.3.1 Country Name does not re-define it.

name ATTRIBUTE ::= {
WITH SYNTAX UnboundedDirectoryString
EQUALITY MATCHING RULE caseIgnoreMatch
SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
LDAP-SYNTAX directoryString.&id
LDAP-NAME {"name"}
ID id-at-name
}

Analysis and our practice

We believe the intersection of the ISO rule and the X.500 series rules has ambiguity,
so unless it is stated explicitly, we believe it is understandable to implement country code matching in a case-insensitive manner (although we agree that it is better to use capital letters).

To illustrate our position, let us provide our practice.
(Although we think it is a good opportunity to withdraw lower-case country code certificates, and to withdraw another X.500 related specification.)

  • Our CAs use capital letters when using country codes (ISO 3166-1 compliant).
    -- Our user guides instruct users to input capital letters for the country code.
    -- Our documentation only uses capital letters for the country code.
    -- When we put the country code into a certificate using our template, we use capital letters for the country code.

  • Some of our systems carry the country code part from the CSR into the certificate (this fits the X.520 specification, and does not violate ISO 3166-1:2012).
    -- We process the country code in the manner for PrintableString and directory names (i.e. a case-insensitive match to "JP", per the X.520 specification), owing to interoperability concerns at the time of implementation.

Countermeasures

As a permanent measure, we are planning to configure the system so that the subject:countryName of certificates will only be issued in uppercase (our systems have a configuration setting for case-sensitive/insensitive country code matching).
Until the system configuration takes effect, we will continue to issue all certificates only after Validation Specialists have checked the Subject of every certificate, so that any value other than C=JP is treated as an examination error.
In addition, we are strongly encouraging our subscribers to revoke, given the risk of being judged a violation or mis-issuance.

Appendix

Details of affected certificates

List of 140 certificates.

Assignee: nobody → fumia-ono
Type: enhancement → task
Whiteboard: [ca-compliance] [uncategorized]

(In reply to ONO Fumiaki from comment #0)

  • In some of our systems, which use country code part from CSR to the certificate. (fit specification of X.520, and do not violate ISO 3166-1:2012)

To me this seems like the main area for improvement. There have been many incidents (bug 1889672, bug 1843268, bug 1882256, bug 1839105 and more) where the root cause was using the input from a CSR. A better approach might be to produce a new certificate from scratch using a limited set of values and values taken directly from your verification source.

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [uncategorized] → [ca-compliance] [ov-misissuance]

(In reply to Mathew Hodson from comment #1)
We agree with this point.
Prior to this case, some of our systems were already running a mechanism where we override values from our pre-set lists and make new certificates.
In this report's case, the issuing path of those certificates was not on the above mechanism for the country code.
We are planning to extend this practice to more fields in the issuing path.

We completed revocation of 140 certificates on May 24, 2024.

As a permanent measure, we are planning to configure the system so that the subject:countryName of certificates will only be issued in uppercase (our systems have a configuration setting for case-sensitive/insensitive country code matching).

We completed this permanent measure on May 30, 2024.
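Added example (not SECOM's code and not part of the bug report): a pre-issuance lint for subject:countryName covering the two rules discussed above, BR 7.1.4.2 (countryName MUST be PrintableString) and the two-letter uppercase ISO 3166-1 form, plus a helper that compares the CSR's C value to the verified country with X.520 caseIgnoreMatch semantics but emits only the verified uppercase value, as comment #1 recommends. It assumes a hand-rolled short-form DER walker and constructed sample subjects; it checks letter form only, not membership in the assigned ISO 3166-1 list.

```python
import re

# DER tags used below and the countryName attribute type OID 2.5.4.6 as its encoded body.
TAG_SEQUENCE, TAG_SET, TAG_OID, TAG_PRINTABLE, TAG_UTF8 = 0x30, 0x31, 0x06, 0x13, 0x0C
OID_COUNTRY_NAME = bytes.fromhex("550406")
OID_ORGANIZATION = bytes.fromhex("55040A")
# BR 7.1.2.7.4: a two-letter code; ISO 3166-1:2020 5.1 restricts it to LATIN CAPITAL A-Z.
# Form only: membership in the assigned ISO 3166-1 list is not checked here.
ISO_3166_1_ALPHA2 = re.compile(r"^[A-Z]{2}$")

def tlv(tag, payload):
    """Encode one DER TLV; short-form length is enough for the constructed samples."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def walk(der):
    """Yield (tag, value) for consecutive short-form DER TLVs in `der`."""
    i = 0
    while i < len(der):
        tag, length = der[i], der[i + 1]
        if length & 0x80:
            raise ValueError("long-form lengths are not handled in this example")
        yield tag, der[i + 2:i + 2 + length]
        i += 2 + length

def lint_country_name(name_der):
    """Check every countryName AVA in a DER-encoded Name against BR 7.1.4.2
    (PrintableString) and the uppercase ISO 3166-1 form.
    Returns a list of findings; an empty list means the subject passes."""
    findings = []
    (outer_tag, rdns), = walk(name_der)          # Name ::= SEQUENCE OF RDN
    if outer_tag != TAG_SEQUENCE:
        return ["Name is not a SEQUENCE"]
    for _set_tag, rdn in walk(rdns):             # RDN ::= SET OF AttributeTypeAndValue
        for _seq_tag, ava in walk(rdn):
            (_oid_tag, oid), (val_tag, val) = walk(ava)
            if oid != OID_COUNTRY_NAME:
                continue
            if val_tag != TAG_PRINTABLE:
                findings.append(f"countryName must be PrintableString, got tag 0x{val_tag:02X}")
            text = val.decode("ascii", "replace")
            if not ISO_3166_1_ALPHA2.match(text):
                findings.append(f"countryName {text!r} is not two uppercase ISO 3166-1 letters")
    return findings

def country_name_for_issuance(csr_value, verified_value):
    """Compare the CSR's C value to the verified country with X.520 caseIgnoreMatch
    semantics, but emit only the uppercase verified value, never the CSR bytes."""
    if csr_value.strip().upper() != verified_value.strip().upper():
        raise ValueError(f"CSR country {csr_value!r} does not match verified {verified_value!r}")
    return verified_value.strip().upper()

def make_subject(country, country_tag=TAG_PRINTABLE):
    """Constructed sample subject: Name { C=<country>, O=Example Corp } (hypothetical data)."""
    c_ava = tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_COUNTRY_NAME) + tlv(country_tag, country.encode()))
    o_ava = tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_ORGANIZATION) + tlv(TAG_UTF8, b"Example Corp"))
    return tlv(TAG_SEQUENCE, tlv(TAG_SET, c_ava) + tlv(TAG_SET, o_ava))
```

Run `lint_country_name(make_subject("jp"))` to see the finding the report's certificates would have produced, and `make_subject("JP")` for a clean pass.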

