Entrust: Improperly Verified Business Category
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: bruce.morton, Assigned: bruce.morton)
Details
(Whiteboard: [ca-compliance] [uncategorized])
Comment 1•10 months ago
Incident Report
Summary
Through re-verification required due to mis-issued certificates for bug #1918380, it was discovered there were EV Code Signing and VMC Subscribers which were verified with the incorrect business category as defined in the Code Signing Baseline Requirements and the VMC Requirements respectively. It was also discovered that in some cases, the Business Entity verification was incomplete.
All mis-issued certificates were revoked due to bug #1918380.
Impact
- Five (5) VMC Subscribers were verified as Business Entity, where they should have been Private Organization.
- Two (2) EV Code Signing Certificates were categorized as Business Entity, but verification was not completed in accordance with the CSBRs.
- One (1) Subscriber with no certificates was verified as Business Entity, where it should have been Private Organization.
- All certificates were revoked.
- All Subscribers have been re-verified or have been put in the process for re-verification.
Timeline
All times are UTC.
2024-09-12:
- 16:11 Verification advised that 2 Subscribers which were categorized as Business Entities did not complete the required verification for the Principal Individual. This is performed by requesting a personal statement reviewed/signed by a lawyer/notary.
2024-09-19:
- 14:53 Verification provided investigation of Subscribers categorized as Business Entities.
2024-09-24:
- 14:37 Compliance completed investigation and determined that all non-compliant certificates have been revoked per bug #1918380 and Verification had properly re-verified the Business Entities; however, it was also determined the Verification system needs improvement for Business Category selection and Business Entity validation.
Root Cause Analysis
Why was the wrong Business Category selected?
When a Subscriber submits an organization for EV verification, the default for Business Category is set to “none”. The verification system does not provide a default category based on the name of the organization.
When the Verification Specialist verifies an organization, the first selection is the Business Category. It is possible for the Verification Specialist to choose the Business Category before they have verified the organization. In addition, since the process for Private Organization and Business Entity verification requires similar information, it is possible to select an incorrect Business Category.
This EV verification method supports EV TLS, EV Code Signing, and Verified Mark certificates.
Why was the Business Entity verification process not completed?
The Business Entity verification process requires validation of 1) legal existence, 2) organization name, 3) registration number and 4) principal individual. Items 1-3 are verified through a registration entity. Item 4 requires face-to-face validation of the principal individual associated with the Business Entity.
The Private Organization and Business Entity both require verification of items through a registration agency; as such, the start of the process is similar. However, Business Entity requires face-to-face validation, which is not stated in the verification system. For verification to be compliant, face-to-face information must be gathered and added as a comment.
With the similarity of Private Organization and Business Entity validation and the lack of the face-to-face requirement instructions in the system, there were errors where face-to-face validation was required, but not completed.
Lessons Learned
What went well
What didn't go well
- Incorrect Business Category was selected.
- Business Entity face-to-face validation was not completed for two (2) Subscribers.
Where we got lucky
Action Items
| Action Item | Kind | Due Date |
|---|---|---|
| Update verification procedures to ensure full alignment with the CPS and compliance requirements | Prevent | Done – 2024-09-25 |
| Re-train verification team on Business Category selection and Business Entity verification | Prevent | 2024-10-31 |
| Update verification system to better support Business Category selection and Business Entity verification | Prevent | TBD |
Appendix
Details of affected certificates
Affected certificates have been posted per https://bugzilla.mozilla.org/show_bug.cgi?id=1918380#c2.
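The root cause analysis above describes two gaps in the verification system: the Business Category can be selected before the organization is verified, and a Business Entity record can be marked complete without the face-to-face validation of the principal individual that a Private Organization does not need. The following is an added example, not Entrust's system or code, of how such a system could enforce both gates; the category names follow the EV Guidelines as the page uses them, and the evidence field names and sample organization are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Items 1-4 from the root cause analysis. Field names are assumptions for this example.
REGISTRY_ITEMS = ("legal_existence", "organization_name", "registration_number")
FACE_TO_FACE = "principal_individual_face_to_face"

# Per-category requirements as the page describes them: both categories start with
# the registry checks; only Business Entity also requires face-to-face validation.
REQUIREMENTS = {
    "Private Organization": frozenset(REGISTRY_ITEMS),
    "Business Entity": frozenset(REGISTRY_ITEMS + (FACE_TO_FACE,)),
}


@dataclass
class VerificationRecord:
    organization: str
    business_category: Optional[str] = None          # page: default is "none"
    evidence: Set[str] = field(default_factory=set)  # items the specialist has recorded


def select_category(record: VerificationRecord, category: str) -> None:
    """Gate category selection on the registry evidence both categories share,
    so the category cannot be chosen before the organization is verified."""
    if category not in REQUIREMENTS:
        raise ValueError(f"unknown business category: {category}")
    missing = set(REGISTRY_ITEMS) - record.evidence
    if missing:
        raise ValueError(f"verify registry items before selecting a category: {sorted(missing)}")
    record.business_category = category


def outstanding(record: VerificationRecord) -> List[str]:
    """Evidence still missing for the selected category (empty when complete)."""
    if record.business_category not in REQUIREMENTS:
        return ["business_category"]
    return sorted(REQUIREMENTS[record.business_category] - record.evidence)


def can_complete(record: VerificationRecord) -> bool:
    """Completion gate: a Business Entity record with registry evidence only fails here."""
    return not outstanding(record)


if __name__ == "__main__":
    # Constructed sample: registry checks done, category chosen, no face-to-face yet.
    rec = VerificationRecord("Example Ltd", evidence=set(REGISTRY_ITEMS))
    select_category(rec, "Business Entity")
    print(outstanding(rec))   # ['principal_individual_face_to_face']
    rec.evidence.add(FACE_TO_FACE)
    print(can_complete(rec))  # True
```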
Comment 2•10 months ago
We are currently working on a solution and will update in the next 2-3 weeks. We will continue to monitor the bug.
Comment 3•10 months ago
We are continuing to monitor the bug.
Comment 4•10 months ago
We are working on the action to update the system. We are continuing to monitor the bug.
Comment 5•9 months ago
We are working on the action to update the system. We are continuing to monitor the bug.
Comment 6•9 months ago
Action Items
| Action Item | Kind | Due Date |
|---|---|---|
| Update verification procedures to ensure full alignment with the CPS and compliance requirements | Prevent | Done |
| Re-train verification team on Business Category selection and Business Entity verification | Prevent | Done |
| Update verification system to better support Business Category selection and Business Entity verification | Prevent | TBD |
We are planning to discontinue servicing Business Entity subscribers, which will mitigate the risk of selecting the wrong business category. We will follow up with an implementation date.
Please set the next update to 2024-11-30. Thanks.
Comment 7•8 months ago
We have updated the action to address Business Entity. Entrust no longer issues certificates to new Applicants that meet the EV Guidelines definition of Business Entity. This will apply to EV TLS, EV Code Signing and Verified Mark certificates. Deprecation of Business Entity has been implemented manually. Business Entity will also be removed from our certificate management service. We will delay requesting that the bug be closed until Business Entity is technically removed.
Action Items
| Action Item | Kind | Due Date |
|---|---|---|
| Update verification procedures to ensure full alignment with the CPS and compliance requirements | Prevent | Done |
| Re-train verification team on Business Category selection and Business Entity verification | Prevent | Done |
| Remove Business Category applicant from the certificate management service | Prevent | 2025-03-15 |
Please set the next update to 2025-03-15. Thanks.
Comment 8•5 months ago
Action Items
| Action Item | Kind | Due Date |
|---|---|---|
| Update verification procedures to ensure full alignment with the CPS and compliance requirements | Prevent | Done |
| Re-train verification team on Business Category selection and Business Entity verification | Prevent | Done |
| Remove Business Category applicant from the certificate management service | Prevent | Done |
Incident Report Closure Summary
- Incident Description: EV Code Signing and VMC Subscribers that were verified with the incorrect business category as defined in the Code Signing Baseline Requirements and the VMC Requirements respectively.
- Incident Root Cause(s): When the Verification Specialist verifies an organization, the first selection is the Business Category. It is possible for the Verification Specialist to choose the Business Category before they have verified the organization. In addition, since the process for Private Organization and Business Entity verification requires similar information, it is possible to select an incorrect Business Category.
- Remediation Description: Update verification procedures to ensure full alignment with the CPS and compliance requirements. Re-train verification team on Business Category selection and Business Entity verification. Remove Business Category applicant from the certificate management service.
- Commitment Summary: Entrust is committed to ensuring personnel procedures are aligned with the policy and personnel are trained to follow their procedures.
All Action Items disclosed in this Incident Report have been completed. We request bug closure.
Comment 9•5 months ago
I'll close this on or about Monday, 17-Mar-2025, unless there are comments or questions to discuss.