Closed Bug 1929189 Opened 9 months ago Closed 1 months ago

SwissSign: S/MIME certificates deviate from CPR

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: michael.guenther, Assigned: michael.guenther)

Details

(Whiteboard: [ca-compliance] [smime-misissuance])

Attachments

(1 file)

Incident Report

Summary

This report covers a non-compliance of issued certificates under the SwissSign CPR S/MIME since version 6 (24 July 2023) up until we changed the issuing CA to 'SwissSign RSA SMIME NCP extended ICA-2024-1' on 10 September 2024. With this change we retired the old profile 'Sponsor-Validated E-Mail ID Gold'.
All affected S/MIME certificates have 4 key usages as defined in the CPR S/MIME v6 in chapter 3.3.3.7:
digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment
The misissuance happened because of the comment next to the key usage field. This comment was supposed to document which combination of key usages are allowed. However, the comment did not contain the variation to use all 4 key usages at the same time.

Impact

A total of 30967 sponsor-validated S/MIME certificates issued by the issuing CA 'SwissSign RSA SMIME NCP extended ICA-2022-1' are misissued. Of the 30967 a total of 24067 were still valid as per Monday, 04 November 2024, 07:30 UTC.
Misissuance began on 24 July 2023 and ended with the change to the new issuing CA 'SwissSign RSA SMIME NCP extended ICA-2024-1' on 10 September 2024.

Timeline

All times are UTC.

  • 2023-07-24 Introduction of the new S/MIME NCP extended profile and publication of version 6 of the SwissSign CPR S/MIME
  • 2023-07-24, 08:07 First misissued certificate
  • 2024-08-13 Start of project to move public document management (such as TSPS/CPS/CP/CPR) to Markdown and Git based versioning (coming from Word and SharePoint). This project also contains automation of the CPR and CA configuration based on one source of truth.
  • 2024-09-09, 17:50 Last misissued certificate
  • 2024-09-10, Start of issuance of Sponsor-validated S/MIME certificates according to chapter 3.3.3.9 of the CPR for SMIME for ICA 'SwissSign RSA SMIME NCP extended ICA-2024-1'
  • 2024-11-01, 14:30 Start of line by line review of old Word-based CPR against the new Markdown-based CPR
  • 2024-11-04, 07:00 Review-meeting to discuss deviations between the two versions as well as other remarks
  • 2024-11-04, 08:10 Realizing the error in the old CPR and checking in which version the error occurred for the first time
  • 2024-11-04, 08:15 Start of the misissuance process
  • 2024-11-05, 08:25 Posting this Bugzilla

Root Cause Analysis

The error in the CPR was detected during a review of our public documents. This review was triggered as we are preparing to change the public documents management from Word-files to Markdown that are under version control.
This project has an additional improvement to the certificate profiles listed in our CPR. The source of the profiles in the CPR will be the same as the source that we use to configure our CA system. The idea being that the profile of the issued certificates cannot deviate from the profile in the CPR anymore.
As we wanted to be sure that the Word version matches the Markdown version, we made a line-by-line review. During the review meeting one of the reviewers made a remark concerning the comments mentioned in the Summary above, which was then brought to the attention of the Compliance team.
After a short internal discussion we recognized that this is indeed a misissuance which then triggered our internal misissuance process.
As for the root cause: The idea of the comment was to make it explicit which key usage combinations we allow in our S/MIME certificates. At the same time we failed to mention that all 4 key usages at the same time are also allowed. After speaking to the involved persons, we now know they interpreted the certificate profile in the CPR v6 as follows:
- The table field for 'Key Usage' defines the certificate profile with all 4 keys
- The comment field just adds to the variety of possible certificates profiles concerning the key usages (was not regarded as binding)
Based on today's analysis we now disagree with that previous assessment.

Lessons Learned

What went well

  • the review of the old documents (Word) with the new ones (Markdown) enabled us to detect the error

What didn't go well

  • during implementation of the sponsor validated S/MIME profile, the comment in the sponsor-validated profile was not properly reviewed
  • the mis-match between certificate profile on the CA system and the CPR remained undetected for too long

Where we got lucky

  • n/a

Action Items

Action Item                                                              Kind      Due Date
Revocation of certificates                                               Mitigate  2024-11-09, 8:15 UTC
Update of CPR: mark profile for ICA 2022-1 as retired                    Mitigate  2024-12-20
Go-live with CPR automation after being audited in the 2025 audit cycle  Prevent   2025-05-31

Appendix

Details of affected certificates

see attachment

Summary: SwissSign: → SwissSign: S/MIME certificates deviate from CPR
Assignee: nobody → michael.guenther
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [smime-misissuance]

We have revoked all affected certificates on time as per last Saturday. This leads to an update on the action items.

Action Items

Action Item                                                              Kind      Due Date
Revocation of certificates                                               Mitigate  DONE 2024-11-09, 8:15 UTC
Update of CPR: mark profile for ICA 2022-1 as retired                    Mitigate  2024-12-20
Go-live with CPR automation after being audited in the 2025 audit cycle  Prevent   2025-05-31

We continue to monitor this bug for questions.

Can we ask for next update to be set to 2024-12-20?

Thanks
Roman

Around 3980 of the affected serials are not on the revocation list.

This yields the following questions:

  1. Are all affected certificates revoked or expired?
  2. Should they not be revoked even after expiration because clients could consider them valid for e-mails signed before the expiration date?
Flags: needinfo?(michael.guenther)

Dear Stephan,

I assume with "the revocation list" you mean the CRL.

  1. All remaining (still active) affected certificates were revoked by us on 9th November. Of course some certs had already expired and many customers replaced and revoked their certificates before we forcefully revoked them.

  2. CRLs do not hold entries for expired certificates. https://www.rfc-editor.org/rfc/rfc5280 states: "A complete CRL lists all unexpired certificates, within its scope, that have been revoked for one of the revocation reasons covered by the CRL scope."

I hope this answers your questions.

Kind regards
Roman

We continue to monitor this bug for questions.

Can we ask for next update to be set to 2024-12-20?

Thanks Mike

Flags: needinfo?(michael.guenther) → needinfo?(bwilson)
Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [smime-misissuance] → [ca-compliance] [smime-misissuance] Next update 2024-12-20
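Two checks a practitioner would want from the thread above, written as an added example rather than SwissSign's own tooling: first, linting the KeyUsage bits of an issued certificate against the combinations a certificate profile permits (the Summary's four bits digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment versus a comment that lists only sub-combinations); second, reconciling a list of affected serial numbers against a CRL without mistaking "expired, hence no longer on the CRL" for "never revoked", which is the RFC 5280 point Roman makes. It uses only the Python standard library. The three-bit combinations in ALLOWED_PER_COMMENT, the serial numbers and the expiry dates are constructed placeholders; the page does not say which sub-combinations the real CPR v6 comment listed.

```python
"""
Added example (not SwissSign's code): lint the KeyUsage bits of issued
certificates against a certificate-profile table, and reconcile a list of
affected serial numbers against a CRL without mistaking "expired, hence
dropped from the CRL" for "never revoked". Standard library only; the
profile table, the serials and the dates below are constructed.
"""
from datetime import datetime, timezone

# RFC 5280 section 4.2.1.3: bit positions inside the KeyUsage BIT STRING.
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly")

# The four usages from the CPR table cell quoted in the incident summary.
FULL_SET = frozenset(("digitalSignature", "nonRepudiation",
                      "keyEncipherment", "dataEncipherment"))

# Assumed stand-in for the CPR v6 comment: which three-bit sub-combinations
# it really listed is not on the page, so these two are placeholders. What
# matters is that the four-bit combination from the table cell is missing.
ALLOWED_PER_COMMENT = frozenset({
    frozenset(("digitalSignature", "nonRepudiation", "keyEncipherment")),
    frozenset(("digitalSignature", "keyEncipherment", "dataEncipherment")),
})
ALLOWED_PER_COMMENT_FIXED = ALLOWED_PER_COMMENT | {FULL_SET}


def parse_key_usage(der: bytes) -> frozenset:
    """Decode the DER BIT STRING that is the KeyUsage extension value.

    Layout: tag 0x03, short-form length, unused-bit count, then the bits
    MSB first. E.g. 03 02 04 F0 = bits 0-3 set = the four usages above.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:   # KeyUsage is never long-form
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    names = set()
    for i in range(len(body) * 8 - unused):
        if (body[i // 8] >> (7 - i % 8)) & 1:
            if i >= len(KEY_USAGE_BITS):
                raise ValueError(f"undefined KeyUsage bit {i}")
            names.add(KEY_USAGE_BITS[i])
    return frozenset(names)


def lint_key_usage(der: bytes, allowed: frozenset) -> tuple:
    """Return (compliant, usage) for one certificate's KeyUsage value."""
    usage = parse_key_usage(der)
    return usage in allowed, usage


def reconcile_with_crl(affected: dict, crl_serials: set, now: datetime) -> dict:
    """Classify affected certificates {serial: notAfter} against a CRL.

    A complete CRL lists only unexpired revoked certificates (RFC 5280
    section 5), so absence from the CRL is explained by expiry as well as by
    a missing revocation. Only the "UNREVOKED" class needs action. Whether
    an expired certificate was revoked before it expired can only be read
    from the CA's own records or an OCSP responder, not from the CRL.
    """
    result = {}
    for serial, not_after in affected.items():
        if serial in crl_serials:
            result[serial] = "revoked"
        elif not_after < now:
            result[serial] = "expired"
        else:
            result[serial] = "UNREVOKED"
    return result


if __name__ == "__main__":
    cert_ku = bytes.fromhex("030204f0")   # constructed: all four usages set
    print("against comment:", lint_key_usage(cert_ku, ALLOWED_PER_COMMENT))
    print("after fix:      ", lint_key_usage(cert_ku, ALLOWED_PER_COMMENT_FIXED))
    now = datetime(2024, 11, 9, 8, 15, tzinfo=timezone.utc)
    affected = {  # constructed serials and expiry dates
        0x01: datetime(2025, 1, 1, tzinfo=timezone.utc),
        0x02: datetime(2024, 6, 1, tzinfo=timezone.utc),
        0x03: datetime(2025, 6, 1, tzinfo=timezone.utc),
    }
    print(reconcile_with_crl(affected, {0x01}, now))
```

The KeyUsage bytes fed to parse_key_usage are the extension value (the content of the extnValue OCTET STRING), which is what `openssl asn1parse` shows for the id-ce-keyUsage extension. Running the lint with the comment's list alone reproduces the finding in the report: the four-bit certificate is flagged, and only adding FULL_SET to the profile makes it pass. In the reconciliation, serial 0x02 is absent from the CRL yet unproblematic because it expired before the revocation date; serial 0x03 is the case Stephan's question is aimed at.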

Today we published our CPR SMIME in which the issuing CA 'SwissSign RSA SMIME NCP extended ICA-2022-1' is now marked as retired (OCSP and CRL only).

Action Items

Action Item                                                              Kind      Due Date
Revocation of certificates                                               Mitigate  DONE 2024-11-09, 8:15 UTC
Update of CPR: mark profile for ICA 2022-1 as retired                    Mitigate  DONE 2024-12-19
Go-live with CPR automation after being audited in the 2025 audit cycle  Prevent   2025-05-31

May I ask to set the next update date to 2025-05-31 (after our external audit)?

Flags: needinfo?(bwilson)
Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [smime-misissuance] Next update 2024-12-20 → [ca-compliance] [smime-misissuance] Next update 2025-05-31

The automation was implemented on UAT and then presented to our Auditors. Overall the automation works as designed and we therefore bring it into PROD with the next release.

Please set next update to 17 June 2025

Whiteboard: [ca-compliance] [smime-misissuance] Next update 2025-05-31 → [ca-compliance] [smime-misissuance] Next update 2025-06-17

The new system is now on PROD and has been tested. We created a new CPR based on the new automation and compared the certificate profiles with the currently published certificate profiles.

We did not find any deviation so we consider this action item as closed. Our next scheduled public CPR will be created using this automation.

Action Items

Action Item                                                              Kind      Due Date
Revocation of certificates                                               Mitigate  DONE 2024-11-09, 8:15 UTC
Update of CPR: mark profile for ICA 2022-1 as retired                    Mitigate  DONE 2024-12-18
Go-live with CPR automation after being audited in the 2025 audit cycle  Prevent   DONE 2025-06-10

If there are no follow-up questions I will create the closure report for this Bugzilla next week.

Report Closure Summary

  • Incident description:
    The SwissSign ICA 'SwissSign RSA SMIME NCP extended ICA-2024-1' misissued 30'967 (of which 24'067 were still valid) sponsor-validated S/MIME certificates between 2023-07-24 and 2024-09-09. The misissuance happened because of a deviation between the certificate profile in the public documents (CPR) and the issued certificates.

  • Incident Root Cause(s):
    Additional comments in the public document led to the mismatch between the CPR "certificate profile" and the certificates issued. The idea of the comment was to make it explicit which key usage combinations are allowed. While we listed the sub-combinations with only 3 key usages, we missed the combination with all 4 key usages.

  • Remediation description:
    SwissSign attacked the issue with the following 3 action items:

  • Revocation: SwissSign revoked all affected certificates within 5 days (done on 2024-11-09, 8:15 UTC)
  • Public doc correction: We updated the CPR and marked the profile as retired (done on 2024-12-19)
  • CPR automation: We now have a system in place which produces the leaf certificate profiles based on the same source of truth as the CA uses. (done 2025-06-10)
  • Commitment summary:
    We are committed to use the new system for all our upcoming public document publications which include a certificate profile.

All Action Items disclosed in this report have been completed as described, and we request its closure.

Flags: needinfo?(bwilson)
Flags: needinfo?(incident-reporting)
Whiteboard: [ca-compliance] [smime-misissuance] Next update 2025-06-17 → [ca-compliance] [smime-misissuance]

This is a final call for comments or questions on this Incident Report.

Otherwise, it will be closed on approximately 2025-07-01.

Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [smime-misissuance] → [close on 2025-07-01] [ca-compliance] [smime-misissuance]
Status: ASSIGNED → RESOLVED
Closed: 1 months ago
Flags: needinfo?(incident-reporting)
Resolution: --- → FIXED
Whiteboard: [close on 2025-07-01] [ca-compliance] [smime-misissuance] → [ca-compliance] [smime-misissuance]