SwissSign: S/MIME LCP not-permitted key usage
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: sandy.balzer, Assigned: sandy.balzer)
Details
(Whiteboard: [ca-compliance] [smime-misissuance] Next update 2024-11-15)
Preliminary Incident Report
Summary
During our annual audit, our audit body checked the S/MIME LCP certificates issued since the last audit period and notified us that two certificates have a not-permitted legacy key usage. During the renewal of existing S/MIME certificates the legacy profile was used. Therefore, 3 instead of 2 key usages ended up in the new certificate. This violates our CPS.
We can confirm that only S/MIME certificates using our renewal process could be affected. Because of this we have stopped the e-mails enabling the customers to issue a certificate with the renewal process. We are also checking possibly affected historical certificates. Additionally, we have started our mis-issuance process to revoke the affected certificates.
Impact
2 S/MIME LCP certificates are affected.
First affected certificate issued: 2024-03-18 08:41 UTC
Last affected certificate issued: 2024-06-10 15:20 UTC
Serial Numbers:
0x46960808538ea87b46daf488c0b12a1a0cf720a5 - SHA256 hash 78FFBFF4D1DB90EB4A94899DE5330A942C0DF7222E71DDED4D2D66F4405D6622
0x6d87a775e7fec1aaa3fca638ab63c346bb876558 - SHA256 hash 3D098B963684D6BE2E93E10BEF0AFE0F56E99FC85F9CCD62B334711C880E3FEF
Timeline
All times are UTC.
2023-09-01 S/MIME BR goes into effect
2024-03-18 08:41 First mis-issuance
2024-06-10 15:20 Last mis-issuance
2024-08-19 13:30 Investigation of certificates reported by audit body
2024-08-20 18:40 Posting of this Bugzilla
Root Cause Analysis
RCA is ongoing
Lessons Learned
What went well
- will be updated
What didn't go well
- will be updated
Where we got lucky
- only two certificates were mis-issued using our renewal process (based on the current information)
Action Items
Action Item | Kind | Due Date |
---|---|---|
revocation of affected certificates | mitigate | 2024-08-24 12:30 UTC |
stopped emails enabling customers renewal process | mitigate | 2024-08-20 |
Appendix
Details of affected certificates
see above in section Impact
Comment 1•3 months ago
Summary
Update: We revoked both affected certificates before 2024-08-24 12:30 UTC.
Timeline
All times are UTC.
2023-09-01 S/MIME BR goes into effect
2024-03-18 08:41 First mis-issuance
2024-06-10 15:20 Last mis-issuance
2024-08-19 13:30 Investigation of certificates reported by audit body
2024-08-20 18:40 Posting of this Bugzilla
2024-08-23 09:17:19 Revocation of affected certs finished
2024-08-23 16:30 Posting of update
Root Cause Analysis
Our investigation revealed that our CA software did not perform checks against the current certificate profiles but simply copied the profile from the old certificate.
Testing never discovered this bug because we never tested renewal during a certificate profile change.
Lessons Learned
What went well
- n/a
What didn't go well
- test scenario was not considered
Action Items
Action Item | Kind | Due Date |
---|---|---|
revocation of affected certificates | mitigate | done 2024-08-23 09:17:19 UTC |
stopped emails enabling customers renewal process | mitigate | done 2024-08-20 |
extend test-coverage to include testing during certificate profile change | prevent | to be defined |
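The root cause above (renewal copied the old certificate's profile instead of applying the current one) is illustrated by the following added example. This is not SwissSign's code or CA software; the profile names and the specific key usage sets are assumptions, since the report does not say which bit was the extra one. It decodes and encodes the RFC 5280 KeyUsage BIT STRING, shows the copying renewal beside a renewal that rebuilds extensions from the current profile, and lints the result against the profile before issuance, which is the check that would have caught the two certificates.

```python
# Added example, not code from the incident report or from SwissSign's CA software.
# Profile names and key usage sets below are illustrative assumptions.

KEY_USAGE_BITS = [  # bit positions of the KeyUsage named bit list, RFC 5280 4.2.1.3
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> frozenset:
    """Decode a DER KeyUsage BIT STRING (short-form length, which is all it ever needs)."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    names = set()
    for i in range(len(body) * 8 - unused):
        if body[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError("undefined KeyUsage bit %d set" % i)
            names.add(KEY_USAGE_BITS[i])
    return frozenset(names)

def encode_key_usage(names) -> bytes:
    """Inverse of decode_key_usage; DER for a named bit list drops trailing zero bits."""
    bits = [KEY_USAGE_BITS.index(n) for n in names]
    if not bits:
        return b"\x03\x01\x00"
    nbits = max(bits) + 1
    body = bytearray((nbits + 7) // 8)
    for b in bits:
        body[b // 8] |= 0x80 >> (b % 8)
    unused = len(body) * 8 - nbits
    return bytes([0x03, len(body) + 1, unused]) + bytes(body)

# Hypothetical profiles (assumption): the old profile permitted three bits, the
# current one two. The report does not state which bit was the extra one.
PROFILES = {
    "smime-legacy": frozenset({"digitalSignature", "nonRepudiation", "keyEncipherment"}),
    "smime-current": frozenset({"digitalSignature", "keyEncipherment"}),
}

def renew_by_copying(old_cert: dict) -> dict:
    """The failure mode in the report: extensions are copied from the old
    certificate, so a profile change between issuances is silently ignored."""
    return {"subject": old_cert["subject"], "keyUsage": old_cert["keyUsage"]}

def renew_from_profile(old_cert: dict, profile: str) -> dict:
    """Corrected renewal: identity carries over, extensions come from the current profile."""
    return {"subject": old_cert["subject"],
            "keyUsage": encode_key_usage(PROFILES[profile])}

def lint_key_usage(cert: dict, profile: str) -> frozenset:
    """Pre-issuance check: the keyUsage bits present that the profile does not permit."""
    return decode_key_usage(cert["keyUsage"]) - PROFILES[profile]

def demo() -> tuple:
    # Constructed sample: an old certificate whose KeyUsage has all three legacy bits
    # (DER 03 02 05 e0 = bits 0, 1, 2 set, 5 unused bits).
    old = {"subject": "CN=alice@example.com", "keyUsage": bytes.fromhex("030205e0")}
    copied = renew_by_copying(old)
    rebuilt = renew_from_profile(old, "smime-current")
    return (lint_key_usage(copied, "smime-current"),
            lint_key_usage(rebuilt, "smime-current"))

if __name__ == "__main__":
    print(demo())  # copying renewal: extra bit flagged; rebuilt renewal: nothing flagged
```

The lint is deliberately computed from the DER bytes the CA is about to sign rather than from the request object, so it catches whatever path populated the extension, including a renewal path nobody thought to test during the profile change.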
Comment 2•2 months ago
Update 2024-08-30
No update this week.
Comment 3•2 months ago
Update
No update this week.
Comment 4•2 months ago
Can you provide a requested "Next Update" and associate it with a task that is based on your remaining action item? That way, we can have you report back to us at that time with a report on progress. Thanks, Ben
Comment 5•2 months ago
Update 2024-09-18
While we are awaiting the code fix, which will then need to pass our internal QA process, we are clarifying internally whether the auto-renewal feature will be removed from our products.
We kindly ask that the next update be set to 2024-10-15.
Action Items
Action Item | Kind | Due Date |
---|---|---|
revocation of affected certificates | mitigate | done 2024-08-23 09:17:19 UTC |
stopped emails enabling customers renewal process | mitigate | 2024-08-20 |
extend test-coverage to include testing during certificate profile change | prevent | to be defined |
Comment 6•27 days ago
Update 2024-10-15
After careful examination we have decided to remove the auto-renewal feature in this form from our products.
This way we also make sure that renewals are processed correctly.
We kindly ask that the next update be set to 2024-11-15.
Action Items
Action Item | Kind | Due Date |
---|---|---|
revocation of affected certificates | mitigate | done 2024-08-23 09:17:19 UTC |
stopped emails enabling customers renewal process | mitigate | done 2024-08-24 |
extend test-coverage to include testing during certificate profile change | prevent | to be defined |
remove auto renewal feature from product lines | prevent | planned 2024-11-15 |