Sectigo: Missing character in subject:organizationName attribute value
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: martijn.katerbarg, Assigned: martijn.katerbarg)
Details
(Whiteboard: [ca-compliance] [ov-misissuance])
Preliminary Incident Report
Summary
On 2024-07-26, we received a Certificate Problem Report reporting three certificates for the same Subscriber, all missing a single character in the subject:organizationName attribute value. The included name should have been spelled with two “l”’s, but was included with one.
Revocation of the reported certificates is scheduled for 2024-07-31 around 16:00 UTC.
We are currently investigating this incident. A full incident report will be posted no later than 2024-08-09.
Comment 1•2 months ago
Incident Report
Summary
On 2024-07-26, we received a Certificate Problem Report (CPR) reporting three certificates for the same Subscriber, all missing a single character in the subject:organizationName attribute value. The included name should have been spelled with two “l”’s, but was included with one.
A subsequent CPR was received on 2024-08-02, reporting a number of certificates also suffering from a missing character, where the organization suffix was included as “Limted”, rather than “Limited”.
Impact
10 affected certificates issued between 2023-07-14 and 2024-07-22.
Timeline
All times are UTC.
2024-07-26:
- 20:16 We receive a CPR from an external party, reporting 3 suspected misissuances. The German word “Gesellschaft” was included as “Geselschaft”.
- 21:43 We start an internal investigation based on the findings.
2024-07-27:
- 20:10 We confirm the certificates are misissued. We schedule a revocation event for 2024-07-31 around 16:00.
2024-07-29:
- 09:25 We request a database report of all issued certificates matching the same pattern, as well as the pattern showcased in bug 1910258.
2024-07-30:
- 00:13 We receive the requested database report.
- 07:00 We review the database report. No additional certificates are discovered.
2024-07-31:
- 16:29 All 3 reported certificates are revoked.
2024-08-02:
- 08:56 We receive another CPR from the same external party. A total of 7 certificates are reported where the organization suffix has been included as “Limted” rather than “Limited”.
- 09:10 We request a database report of all issued certificates containing “Limted” in the subject:organizationName attribute value.
- 10:11 We receive the requested database report.
- 10:20 No additional certificates are discovered in the database report.
- 10:30 We confirm the 7 reported certificates are misissued. We schedule a revocation event for 2024-08-07 around 05:00.
2024-08-07:
- 05:08 We revoke the 7 misissued certificates.
Root Cause Analysis
The subject:organizationName attribute value is one of the fields the customer needs to provide us. While in general we try to avoid relying on customer-provided data, it is not possible to validate an organization name without the customer first supplying the organization name in question. Unfortunately, in all these cases the missing characters started at this stage.
The subsequent validation process of the organization name, which is primarily a visual comparison of the provided name and the name as reported by the Registration QGIS source, did not catch the typographical error.
Additionally, automation we have in place for some validation sources has not yet expanded into the sources that were used for the affected certificates.
Lessons Learned
What went well
- Our continued stance on increasing automation in the validation of organization details and registration sources will likely have kept the number of affected certificates low.
What didn't go well
- We do not yet have full coverage of automation for information sources. While we strive for a 100% goal, that is something which may not be reached. Not every data source allows itself to be automated, from a policy and/or a technical perspective.
- We did not have any additional preventative measures which would programmatically block the issuance of these certificates. While we have the option of adding terms to a block-list, typographical errors are nearly impossible to either predict or add to such a list. The typographical errors possible just within the word “Limited” exceed 175 options.
- We did not discover these certificates ourselves. Expanding on the above item, the total number of typographical errors possible is enormous. That makes searching for and discovering all potential misissued certificates due to a single typo a practical impossibility.
Where we got lucky
- N/A
Action Items
Action Item | Kind | Due Date |
---|---|---|
Add process to have validation agent confirm that the company name for a non-automated Registration QGIS (Reg.QGIS) source record matches that of the organization name to be included in the subject:organizationName attribute value. This has been completed initially by a validation policy requirement for validation staff to copy the organization name listed in the Reg.QGIS and paste it in the browser’s “Find” function, confirming the organization name is found within the targeted subject:organizationName attribute value, until we determine the correct measure to incorporate an automated check. | Prevent | Completed |
Appendix
Details of affected certificates
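As an added illustration (not code from Sectigo or from the report above), the following Python models the action item's verbatim "Find" check of the Reg.QGIS name against the requested subject:organizationName, and adds a near-miss check against a short list of expected organization suffixes; that suffix list and the fuzzy check are assumptions of this example, not a control the report describes.

```python
"""Pre-issuance check for subject:organizationName against a registry record."""
import difflib
import unicodedata

# Assumed list of organization suffixes we expect to see spelled exactly
# (an example assumption, not a list from the incident report).
EXPECTED_SUFFIXES = ("Limited", "Gesellschaft", "GmbH", "Ltd", "Inc")
_EXPECTED_LOWER = {s.lower() for s in EXPECTED_SUFFIXES}


def normalize(name: str) -> str:
    """Collapse whitespace and Unicode form so the comparison is about letters, not encoding."""
    return " ".join(unicodedata.normalize("NFKC", name).split())


def registry_name_found(requested: str, registry: str) -> bool:
    """Containment check, mirroring the validation agent's browser 'Find' step."""
    return normalize(registry) in normalize(requested)


def near_miss_tokens(requested: str, cutoff: float = 0.8) -> list[tuple[str, str]]:
    """Return (token, expected) pairs for tokens that resemble, but do not equal, an expected suffix.

    A block-list cannot enumerate every typo of 'Limited'; a similarity ratio
    flags any token close to the expected spelling for a human to re-check.
    """
    hits = []
    for token in normalize(requested).split():
        bare = token.strip(".,")
        if bare.lower() in _EXPECTED_LOWER:
            continue  # exact (case-insensitive) match, nothing to flag
        for expected in EXPECTED_SUFFIXES:
            ratio = difflib.SequenceMatcher(None, bare.lower(), expected.lower()).ratio()
            if ratio >= cutoff:
                hits.append((bare, expected))
    return hits


def check_organization_name(requested: str, registry: str) -> list[str]:
    """Return a list of findings; an empty list means the request passes both checks."""
    findings = []
    if not registry_name_found(requested, registry):
        findings.append("registry name not found verbatim in requested organizationName")
    for token, expected in near_miss_tokens(requested):
        findings.append(f"token {token!r} looks like a misspelling of {expected!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample following the 'Limted' pattern from the report.
    print(check_organization_name("Example Widgets Limted", "Example Widgets Limited"))
```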
Comment 2•1 month ago
We are monitoring this incident for any questions and/or comments.
Comment 3•1 month ago
Ben, as there have not been any questions and/or comments, we request closing this bug.
Comment 4•1 month ago
Unless there are additional comments or questions, I intend to close this bug on or about Wed. 21-Aug-2024.