Closed Bug 1918380 Opened 2 months ago Closed 5 days ago

Entrust: Business Entity not permitted in CPS

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bruce.morton, Assigned: bruce.morton)

Details

(Whiteboard: [ca-compliance] [policy-failure])

Attachments

(1 file)


Preliminary Incident Report

Summary

CPS version 3.22 section 3.2.2.1 states:

Entrust does not issue Certificates to Business Entity Subjects as defined in EV SSL Guidelines section 11.2.2 or in VMC Requirements section 3.2.2.3.

Through an investigation to confirm the CPS statement was correct, it was discovered that Entrust does verify Business Entity Subjects in accordance with the Code Signing Baseline Requirements or the Mark Certificate Requirements. There were 2 EV Code Signing and 7 VMC unexpired certificates, which were issued to Business Entities.

Code Signing Baseline Requirements section 4.9.1.1 states:

The CA SHOULD revoke a certificate within 24 hours and SHALL revoke a Certificate within 5 days if one or more of the following occurs: 11. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement.

Mark Certificate Requirements section 4.9.1.1 states:

The CA SHOULD revoke a certificate within 24 hours and MUST revoke a Certificate within 5 days if one or more of the following occurs: 6. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement.

As such, the certificates issued to Business Entities are mis-issued and must be revoked as stated above.

Impact

Nine (9) certificates, 2 EV Code Signing and 7 VMC, were mis-issued to 9 different Subscribers. Subscribers have been notified of the mis-issuance. Certificate issuance was halted for Business Entity Subscribers by resetting the verification status of each client, which would require complete verification to request certificate issuance.

Next steps

  • The CPS will be updated to correct the issue
  • Mis-issued certificates will be revoked
  • Business Entities will be re-verified
  • Business Entities will be permitted to request replacement certificates
  • A full incident report including the root cause analysis, lessons learned, and action items will be posted per the CCADB full incident report requirement.

The attached are the mis-issued certificates.

Assignee: nobody → bruce.morton
Status: NEW → ASSIGNED
Type: defect → task
Whiteboard: [ca-compliance] [policy-failure]

We are currently working on the Incident Report and plan to have it posted by 2024-09-24.

Incident Report

Summary

CPS version 3.22 section 3.2.2.1 states:

Entrust does not issue Certificates to Business Entity Subjects as defined in EV SSL Guidelines section 11.2.2 or in VMC Requirements section 3.2.2.3.

Through an investigation to confirm the CPS statement was correct, it was discovered that Entrust does verify Business Entity Subjects. There were 2 EV Code Signing and 7 VMC unexpired certificates, which were issued to Business Entities.

Code Signing Baseline Requirements section 4.9.1.1 states:

The CA SHOULD revoke a certificate within 24 hours and SHALL revoke a Certificate within 5 days if one or more of the following occurs: 11. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement.

Mark Certificate Requirements section 4.9.1.1 states:

The Issuing CA SHALL revoke a Subordinate CA Certificate within seven (7) days if one or more of the following occurs: 5. The Issuing CA is made aware that the Certificate was not issued in accordance with or that Subordinate CA has not complied with this document or the applicable Certificate Policy or Certification Practice Statement.

As such, the certificates issued to Business Entities are mis-issued and must be revoked as stated above.

Impact

Nine (9) certificates, 2 EV Code Signing and 7 VMC, were mis-issued to 9 different Subscribers. Certificate issuance was halted for Business Entity Subscribers by re-opening their clients, which would require complete verification to request certificate issuance.

Timeline

All times are UTC.

2022-02:

  • CPS update request was drafted to implement CA/Browser Forum ballots and to provide clarity associated with the annual TLSBR/EVG self-assessment.

2022-02-22:

  • CPS v3.10 was updated to state “Entrust does not issue Certificates to Business Entity Subjects as defined in EV SSL Guidelines section 11.2.2 or in VMC Requirements section 3.2.2.3.”

2024-09-10:

  • 16:20 Product Management asked the Compliance team to investigate whether Entrust issues certificates to Business Entities.
  • 17:27 Compliance sent a CPR to indicate there were 9 certificates which were mis-issued.
  • 18:00 Incident Response Team met to review the incident.
  • 20:25 Certificate issuance was halted for Business Entity Subscribers by re-opening their clients, which would require complete verification to request certificate issuance.

2024-09-11:

  • 02:19 All subscribers were advised of the mis-issuance.

2024-09-12:

  • 13:50 CPS update was published.

2024-09-15:

  • 14:19 All certificates were revoked.

Root Cause Analysis

Why was the CPS updated to prevent certificates to be issued to Business Entities?

The Compliance Team was performing the annual TLSBR/EVG self-assessment. In response to the requirement “EVG 11.2.2(4) - principal individuals must be validated in a face-to-face setting”, the reviewer, who was not aware of the face-to-face process for EV certificates, stated that “Entrust does not issue to Business Entity Subjects as such is not required to validate Principal Individuals.”

Why was the CPS error not addressed under CPS?

When these certificates were issued the CPS update process did not ensure that CPS changes would be reviewed by the practice owners. In this case, the Verification Team and the associated Product Manager did not review the CPS changes.

As part of the improvement plan addressed in the Report to the Mozilla Community, https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/LhTIUMFGHNw/m/5wMgFvmhAAAJ (posted 21 June 2024), the Entrust Certificate Services Compliance Change Management Policy has been established to ensure that all changes are controlled, documented, and implemented in a manner that aligns with regulatory, legal, contractual, and organizational requirements. This change will ensure that all CPS changes are reviewed by the owner of the impacted practices.

In addition, the CPS will be moved to the markdown format. The planned CPS update process will limit the changes to specific topics to help ensure quick and thorough review of each CPS change request.

Lessons Learned

What went well

  • CPR process was handled according to policy and certificates were revoked within required timeframes.

What didn't go well

  • CPS did not reflect ongoing practices
  • CPS was not verified by teams performing the practice

Where we got lucky

  • Low volume of Subscribers were impacted

Action Items

Action Item                                                              Kind     Due Date
Prepare Certificate Services Compliance Change Management Policy plan    Prevent  Done
Update CPS to allow verification of Business Entities                    Prevent  Done
Verification team to review CPS to ensure their practices are accurate   Prevent  2024-10-31

Appendix

Details of affected certificates

Affected certificates have been posted per comment #2.

We will continue to monitor. We request the next update to be 2024-10-31.

Thanks, Bruce.

Whiteboard: [ca-compliance] [policy-failure] → [ca-compliance] [policy-failure] Next update 2024-10-31

Action Items

Action Item                                                              Kind     Due Date
Prepare Certificate Services Compliance Change Management Policy plan    Prevent  Done
Update CPS to allow verification of Business Entities                    Prevent  Done
Verification team to review CPS to ensure their practices are accurate   Prevent  Done

All actions are complete. We request this bug be closed. Thanks.

I'll look at closing this on Wed. 6-Nov-2024. Any additional questions or issues should be raised before then.

Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [policy-failure] Next update 2024-10-31 → [ca-compliance] [policy-failure]
Status: ASSIGNED → RESOLVED
Closed: 5 days ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED