DigiCert: Incorrect Org ID Scheme in S/MIME
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: mfsull, Assigned: mfsull
Whiteboard: [ca-compliance] [smime-misissuance]
Attachments: 1 file (8.63 KB, text/csv)
This is a preliminary report; the full report will be posted later.
DigiCert, via its self-auditing, was made aware of an issue with the value in the organizationIdentifier field for some S/MIME certificates.
The issue is that the NTR scheme is being used with “government entity” incorrectly being listed.
This has impacted 2 customers with a total of 89 certificates.
These will be revoked within the 5-day period as specified in the S/MIME BRs.
The values for these 2 accounts were rectified so they could re-issue end-user certificates, and a block on any new accounts being validated was implemented. Since then, a patch blocking this combination has been put in place, stopping this from happening again, and validation of accounts was restarted.
DigiCert is currently finalizing the investigation as to how this occurred, with a finalized timeline, and will post a full report by the 31st of May 2024.
Comment 1 (Assignee) • 1 year ago
Steps to reproduce:
SUMMARY
During our self-auditing of certificates, DigiCert became aware of an issue with the value in the organizationIdentifier field for some S/MIME certificates.
The issue is that the NTR scheme being used with “government entity” was incorrectly listed.
IMPACT
Our thorough scans concluded that impact was to 89 S/MIME certificates across 2 customers.
TIMELINE
00:51 22 May 2024 The self-audit team found a suspected bad org ID; this was sent to our investigations team to get a final determination on actions needed.
18:30 23 May 2024 Call with stakeholders; that this is an issue was confirmed, and a request to pull the population was triggered.
22:59 23 May 2024 Tentative list received for review and confirmation.
23:20 23 May 2024 Ceased validation of new accounts until a fix could be deployed.
01:03 24 May 2024 List confirmed, and timer started.
05:05 24 May 2024 Details for the 2 customers corrected.
21:51 24 May 2024 Patch rolled out and validation restarted. This patch blocks a value the system does not recognize as a valid registration number from being entered if the NTR registration number is selected.
23:08 25 May 2024 This bug posted.
00:00 29 May 2024 89 certificates revoked.
ROOT CAUSE ANALYSIS
When the order was processed, instead of selecting GOV scheme for these Orgs, the validation agent chose NTR scheme for Org ID. When the system asked for a registration number, the agent manually entered "Government Entity" as the registration number.
LESSONS LEARNED
WHAT WENT WELL
The self-audit team caught this.
The patch to block this from recurring was rolled out fast.
Certificates replaced and revoked within the 5-day period.
WHAT DIDN'T GO WELL
This was still a manual step in our system.
WHERE WE GOT LUCKY
This only impacted a small number of certificates across 2 customers.
ACTION ITEMS
Action Item | Kind | Due Date
Cease issuance | Prevent | Complete
Patch to block recurrence | Prevent | Complete
Revoke Certificates | Mitigate | Complete
APPENDIX
DETAILS OF AFFECTED CERTIFICATES
see attached
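The root cause above is a free-text phrase ("Government Entity") being accepted where the NTR scheme requires a registry-assigned registration number, and the patch described in the timeline rejects values the system does not recognize as a registration number when NTR is selected. The following is an added example of such a pre-issuance check plus a self-audit pass over a population of organizationIdentifier values; it is not DigiCert's patch or audit tooling. It assumes the organizationIdentifier syntax from ETSI EN 319 412-1 (three-letter scheme, two-letter country, optional "+state", hyphen, reference) with the scheme set NTR/VAT/PSD/LEI/GOV/INT as used by the S/MIME BRs; the placeholder-phrase list and the sample values are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Scheme prefixes permitted in organizationIdentifier: NTR/VAT/PSD/LEI come from
# ETSI EN 319 412-1, GOV/INT are added by the S/MIME BRs. Assumed set for this
# example, not taken from any CA's system.
SCHEMES = {"NTR", "VAT", "PSD", "LEI", "GOV", "INT"}

# Syntax: <scheme><ISO 3166 country>[+<state/province>]-<reference>
ORG_ID_RE = re.compile(
    r"^(?P<scheme>[A-Z]{3})(?P<country>[A-Z]{2})"
    r"(?:\+(?P<state>[A-Z0-9]{1,3}))?-(?P<ref>.*)$"
)

# Constructed list of phrases a validation agent might type instead of a
# registry number. A real deployment would maintain this from audit findings.
FREE_TEXT = {"government entity", "n/a", "none", "not applicable"}


@dataclass
class OrgIdCheck:
    value: str
    ok: bool
    reason: str


def lint_org_id(value: str) -> OrgIdCheck:
    """Pre-issuance gate for one organizationIdentifier value."""
    m = ORG_ID_RE.match(value)
    if not m:
        return OrgIdCheck(value, False, "does not match <scheme><CC>[+state]-<reference>")
    scheme, ref = m.group("scheme"), m.group("ref")
    if scheme not in SCHEMES:
        return OrgIdCheck(value, False, f"unknown scheme {scheme}")
    if not ref:
        return OrgIdCheck(value, False, "empty reference")
    if scheme == "NTR":
        # NTR means a number assigned by a national trade register. Whitespace or
        # a known placeholder phrase is free text, not a registration number; a
        # government body should be identified under the GOV scheme instead.
        if re.search(r"\s", ref) or ref.casefold() in FREE_TEXT:
            return OrgIdCheck(value, False, "NTR reference is free text, not a registration number")
    return OrgIdCheck(value, True, "ok")


def audit(values: List[str]) -> List[OrgIdCheck]:
    """Self-audit pass: return only the entries that fail the gate."""
    return [c for c in map(lint_org_id, values) if not c.ok]


if __name__ == "__main__":
    # Constructed sample population; no real subscriber data.
    sample = [
        "NTRUS-Government Entity",        # the pattern described in this bug
        "NTRUS+CA-C1234567",              # NTR with state and a registry-style number
        "GOVUS-12345678",                 # government entity under the GOV scheme
        "LEIXG-5493001KJTIIGC8Y1R12",     # LEI scheme, checked for syntax only
        "Government Entity",              # no scheme/country prefix at all
    ]
    for finding in audit(sample):
        print(f"REJECT {finding.value!r}: {finding.reason}")
```

Run against the constructed sample, the audit flags the two values that carry no usable registration number (the "Government Entity" phrase under NTR and the bare phrase with no prefix) and passes the NTR-with-state, GOV and LEI entries. The check is deliberately conservative on non-NTR schemes: it verifies only the prefix syntax, since what counts as a valid reference differs per scheme.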
Comment 2 (Assignee) • 1 year ago
Updated • 1 year ago
Comment 3 (Assignee) • 1 year ago
DigiCert is monitoring for any questions
Comment 4 (Assignee) • 11 months ago
As there seem to be no questions, Ben, can we close this, as all action items are complete?
Comment 5 • 11 months ago
I'll close this sometime next week (June 17-21).
Updated • 11 months ago