Open Bug 1917571 Opened 14 days ago Updated 3 days ago

Asseco DS / Certum: Organization Identifier and Country field discrepancies

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: kateryna.aleksieieva, Assigned: kateryna.aleksieieva)

Details

(Whiteboard: [ca-compliance] [smime-misissuance])

Attachments

(1 file)

Preliminary Incident Report

Summary

We have identified that several S/MIME certificates were issued with discrepancies between the Organization Identifier and Country field.

Impact

The incident covers 4 certificates, including 1 S/MIME Organization certificate and 3 S/MIME Sponsor certificates.

Next steps

Mis-issued certificates will be revoked within the required 5-day period.
The full incident report will be published on or before the 20th of September.

Assignee: nobody → kateryna.aleksieieva
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [smime-misissuance]

Incident Report

Summary

An incident occurred where 4 S/MIME certificates were issued incorrectly due to discrepancies between the OrganizationIdentifier and Country fields. This was discovered during a scan that identified similar issues in 6 certificates, 2 of which had already been revoked. The root causes included initial validator limitations and confusion over country names. To address this, linting for S/MIME certificates was implemented, and the process for generating OrganizationIdentifiers was improved. Future plans include adding ISO Country Codes next to country names in the user interface to prevent recurrence.

Impact

The incident affected a total of 4 certificates, including 1 S/MIME Organization and 3 S/MIME Sponsor certificates.

During the scanning process, we identified 6 certificates with discrepancies between the OrganizationIdentifier and the Country field. Out of these, 2 certificates had already been revoked prior to the discovery of the issue. The affected certificates share the common feature of having mismatched OrganizationIdentifier and Country fields, which led to the mis-issuance. There was no need to cease issuance during the incident.

Timeline

All times are UTC.

2023-09-01

BR for S/MIME certificates came into force.

2023-09-18

Incident involving S/MIME certificates with incorrect OrganizationIdentifier was created.

2023-12-14

A validator for the OrganizationIdentifier field was implemented.

2023-12-27 to 2023-12-28

Mis-issuance of 3 certificates: 644331929a7785025bd832b52f97fa2a, 0e5396e991038eba53d4892774b0c864, 19f230c34dd6ac7f88d717fab40892bd.

2024-02-12

Incident involving S/MIME certificates with errors in subjectAlternativeName was created.

2024-02-13

Mis-issuance of last certificate: 32abd6cb9f4ff4b5dcd6d73144453920.

2024-06-11

Deployment of the mechanism for automatic building of OrganizationIdentifier by the system.

2024-09-06

Scanning of all issued S/MIME certificates using pkilint and ZLint as part of the preparation for the pre-issuance linting deployment for S/MIME certificates.

2024-09-09

  • 05:30 Scanning results were sent to the Compliance Team for verification.
  • 07:30 Compliance Team started verification.
  • 08:20 Compliance Team confirmed mis-issuances.
  • 11:32 Incident was created.
  • 11:57 - 13:54 Clients were informed about the mis-issuance and the need to revoke the incorrect certificates.

2024-09-10

  • 07:59 - 08:01 Three mis-issued certificates were revoked: 19f230c34dd6ac7f88d717fab40892bd, 0e5396e991038eba53d4892774b0c864, 644331929a7785025bd832b52f97fa2a.

2024-09-13

  • 10:30 Last mis-issued certificate was revoked: 32abd6cb9f4ff4b5dcd6d73144453920.

2024-09-18

  • 19:20 Deployment of the pre-issuance linting for S/MIME certificates on production.

Root Cause Analysis

After our first mis-issuance of S/MIME certificates that had a wrong OrganizationIdentifier, we planned to solve the problem in two steps. The first step was to improve the validator of that field in our system, ensuring that it checks for basic data integrity and compliance with the required format, reducing the chance of human error when entering the number. The second step was to implement a mechanism that would fill in the OrganizationIdentifier number and reduce the need to enter a number by hand.

This incident is a result of multiple contributing factors:

Initial Validator Limitations:

The initial validator, implemented in December, did not verify if the Country in the OrganizationIdentifier matched the Country code. This oversight allowed the validation officer to mistakenly use "PL" instead of "CZ" for one of the certificates.

Similar Country Names:

Three out of four mis-issued certificates had incorrect country fields due to the selection of the wrong country from the list. The confusion between "People's Republic of China (Chińska Republika Ludowa)" and "Republic of China (Republika Chińska)" contributed to the mis-issuance. Despite the names being similar, they represent different countries according to the ISO 3166 standard. The validation officer did not catch this error, leading to the issuance of certificates with incorrect country information.

The improvement completed in June involved implementing a mechanism that fills in the correct OrganizationIdentifier number based on the data provided by the client; it effectively reduced human errors and improved the accuracy of the information.
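The two checks this root cause analysis describes, the country comparison the first validator lacked and the system-side construction of the identifier that replaced manual entry, written out below as an added illustrative example. This is not Certum's code: the field layout follows the CA/B Forum format (scheme, ISO 3166-1 country, optional subdivision, hyphen, registration reference), the treatment of LEI's fixed "XG" country slot is taken from the EV Guidelines, and all sample identifiers and registration references are constructed.

```python
import re

# Added example (not Certum's code). Subject organizationIdentifier layout per CA/B Forum
# EV Guidelines 9.2.8 / S/MIME BR 7.1.4.2.2(d): scheme (3 letters), ISO 3166-1 alpha-2
# country, optional "+" ISO 3166-2 subdivision, "-", registration reference.
ORG_ID_RE = re.compile(
    r"^(?P<scheme>NTR|VAT|PSD|GOV|LEI|INT)"
    r"(?P<country>[A-Z]{2})"
    r"(?:\+(?P<region>[A-Z0-9]{1,3}))?"
    r"-(?P<reference>.+)$"
)

# Schemes whose country slot holds a fixed pseudo-code rather than the subject's country.
# LEI uses "XG" (EV Guidelines 9.2.8); comparing it with subject C is not meaningful.
PSEUDO_COUNTRY = {"LEI": "XG"}


def parse_org_id(org_id):
    """Split an organizationIdentifier into its parts, or return None if malformed."""
    m = ORG_ID_RE.match(org_id)
    return m.groupdict() if m else None


def check_org_id(org_id, subject_c):
    """Return (ok, reason). ok is False when the identifier is malformed or its
    country does not match the subject countryName (C) attribute."""
    parts = parse_org_id(org_id)
    if parts is None:
        return False, "organizationIdentifier does not match the required format"
    scheme, country = parts["scheme"], parts["country"]
    if scheme in PSEUDO_COUNTRY:
        if country != PSEUDO_COUNTRY[scheme]:
            return False, f"{scheme} scheme requires country slot {PSEUDO_COUNTRY[scheme]}"
        return True, "ok (pseudo-country scheme, subject C not compared)"
    if country != subject_c.upper():
        # This is the comparison the first validator did not perform.
        return False, f"country {country} in organizationIdentifier differs from subject C={subject_c}"
    return True, "ok"


def build_org_id(scheme, subject_c, reference, region=None):
    """Derive the identifier from already validated inputs so the country is never
    retyped by hand (the kind of mechanism the June deployment describes; details assumed)."""
    scheme, subject_c = scheme.upper(), subject_c.upper()
    if not re.fullmatch(r"[A-Z]{2}", subject_c):
        raise ValueError("subject C must be a two-letter ISO 3166-1 code")
    if scheme in PSEUDO_COUNTRY:
        subject_c = PSEUDO_COUNTRY[scheme]
    region_part = f"+{region.upper()}" if region else ""
    org_id = f"{scheme}{subject_c}{region_part}-{reference.strip()}"
    ok, reason = check_org_id(org_id, subject_c)
    if not ok:
        raise ValueError(reason)
    return org_id


# Constructed sample subjects (registration references are made up).
SAMPLES = [
    ("NTRPL-0000123456", "PL"),            # consistent
    ("NTRPL-0000123456", "CZ"),            # PL entered for a Czech subject
    ("NTRCN-91110000000000000X", "TW"),    # wrong entry picked from a country list
    ("LEIXG-0000000000EXAMPLE00", "PL"),   # LEI: XG is expected, not an error
    ("NTR-0000123456", "PL"),              # malformed, no country at all
]


def lint_samples(samples=SAMPLES):
    """Run the check over a batch, as a pre-issuance lint would, and return
    (org_id, subject_c, reason) for every rejected pair."""
    return [(o, c, check_org_id(o, c)[1]) for o, c in samples if not check_org_id(o, c)[0]]


if __name__ == "__main__":
    for o, c, why in lint_samples():
        print(f"REJECT {o} C={c}: {why}")
    print(build_org_id("ntr", "cz", "12345678"))
```

Running the batch rejects three of the five constructed pairs (the PL/CZ mix-up, the CN/TW mix-up and the malformed value) and accepts the LEI entry, which is the distinction a country-only comparison would get wrong. The construction path takes the country once, from the validated subject C, and then re-runs the same check on its own output, so an identifier can only leave the system in a state the lint would also accept.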

Lessons Learned

What went well

  • All four certificates were issued before our last improvement in June, indicating that the new mechanism is effectively addressing the issue.

What didn't go well

  • The first version of the validator for OrganizationIdentifier, implemented in December, did not prevent these errors.

  • The similarity between country names caused confusion and errors. This indicates a need for mechanisms that introduce a clearer distinction between country names and include the ISO Country Code.

  • The validation officer did not catch the incorrect data, leading to the mis-issuance. This suggests a need to adjust training and documentation for validation officers.

Where we got lucky

Action Items

Action Item | Kind | Due Date
Implement linting for S/MIME certificates on production | Detect | 2024-09-18 (Completed)
Implement improved mechanism for generating OrganizationIdentifier | Prevent | 2024-06-11 (Completed)
Addition of ISO Country Code next to the country name in user interface | Mitigate | 2024-10-31
Update training for validation officers by including a list of incorrect OrganizationIdentifier numbers in the training materials | Mitigate | 2024-09-30

Appendix

Details of affected certificates

