Closed Bug 1944815 Opened 1 year ago Closed 11 months ago

GlobalSign: Organization-validated SMIME certificate with invalid organizationIdentifier for European country

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: christophe.bonjean, Assigned: christophe.bonjean)

Details

(Whiteboard: [ca-compliance] [smime-misissuance])

Preliminary incident Report

Summary

GlobalSign was notified by its post-linter of an organization-validated S/MIME certificate with invalid Subject:organizationIdentifier structure according to the Baseline Requirements for S/MIME which requires “For the NTR Registration Scheme, where the Legal Entity is registered within a European country, the NTR Registration Scheme SHALL be assigned at the country level.”

The affected certificate includes the scheme NTR, country DE and subdivision +BY and therefore has an invalid structure.

We’ll provide the full incident report as soon as we have concluded our analysis, but no later than February 5, 2025.

Impact

One organization-validated SMIME certificate was issued with an invalid Subject:organizationIdentifier.

We completed the review of previously issued certificates and pending orders and no other certificates were affected. We will continue to monitor pending the remedial actions.

Timeline

All times are in UTC.

  • 2025-01-29 11:16 - Certificate issued and certificate post-linter notification sent to Compliance team.

  • 2025-01-29 11:32 - Compliance team confirms issue with Subject:organizationIdentifier, initiates investigation.

  • 2025-01-29 11:39 - Revocation scheduled for affected certificate.

Additional details will be added in the full incident report.

Root Cause Analysis

Training was provided to the vetting team about the structure of the organizationIdentifier and the limitations (including the example of Germany). The use of NTR for Germany was prohibited, but not technically limited in the vetting workflow. Due to human error, the invalid organizationIdentifier was approved by the vetting team.

Additional details will be added in the full incident report.

Lessons Learned

We will provide these details in the full incident report.

Action Items

We will provide these details in the full incident report.

Appendix

Details of affected certificates

Serial number and SHA256 hash:

4a1768c2ecb11f9e35773337 77F5378FE601BBBE28280930C74AE99C3F6501BAB39C8228B78861B5ECAE2B9B

Assignee: nobody → christophe.bonjean
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [smime-misissuance]

Incident Report

Summary

GlobalSign was notified by its post-linter of an organization-validated S/MIME certificate with invalid Subject:organizationIdentifier structure according to the Baseline Requirements for S/MIME which requires “For the NTR Registration Scheme, where the Legal Entity is registered within a European country, the NTR Registration Scheme SHALL be assigned at the country level.”

The affected certificate includes the subdivision +BY and therefore had an invalid structure.

Impact

One organization-validated SMIME certificate was issued with an invalid Subject:organizationIdentifier value: NTRDE+BY-HRB 159670.

Timeline

All times are in UTC.

Date (YYYY-MM-DD) | Time (UTC) | Description
2025-01-29 | 11:16 | Certificate issued and certificate post-linter notification sent to Compliance team.
2025-01-29 | 11:32 | Compliance team confirms issue with Subject:organizationIdentifier, initiates investigation.
2025-01-29 | 11:39 | Revocation scheduled for affected certificate.
2025-01-29 | 12:22 | Compliance team completes review of all historically issued certificates and pending certificate requests. No additional issues found.
2025-01-29 | 12:28 | Monitoring report set up for new certificate requests with similar invalid NTR structure.
2025-02-03 | 07:32 | Deployment of a technical restriction in the vetting flow for NTR and European countries.
2025-02-03 | 10:04 | Affected certificate revoked.
2025-02-05 | 13:02 | Completed gap analysis of applicable organizationIdentifier requirements and coverage of checks within vetting and linting flows. Confirmed appropriate coverage of requirements when combining zlint and pkilint. Identified additional technical restrictions to be implemented in vetting workflow.

Root Cause Analysis

Training was provided to the vetting team about the structure of the organizationIdentifier and the limitations (including the example of Germany). The use of NTR for Germany was prohibited, but not technically restricted in the vetting workflow. Due to human error, the invalid organizationIdentifier was approved by the vetting team.

In our certificate issuance process, we perform pre-linting and post-linting. Our current pre-linter, zlint, does not have coverage for the relevant SMIME BR requirement, however pkilint (configured as post-linter) covers it. Pkilint was already scheduled for deployment as an additional pre-linter, but at the time of issuance we were in a transition phase where Pkilint was in monitoring mode, before fully enabling it as pre-linter.

The root cause is a combination of human error, missing a technical restriction within the vetting workflow (for the assignment at country level within the NTR scheme) and incomplete lint coverage of the requirement within pre-linter configuration at the time of issuance.

Lessons Learned

What went well

  • Using multiple linters (in this case pkilint as post-linter) enabled early detection of the certificate with invalid Subject:organizationIdentifier structure.

  • The internal escalation process ensured that the root cause was identified rapidly.

What didn't go well

  • Limited technical restrictions for the structure of the organizationIdentifier in the vetting workflow.

  • Incomplete lint coverage of the SMIME requirement within the current pre-linter configuration.

  • Pkilint was still in monitoring mode as post-linter, therefore not preventing issuance of the affected certificate during pre-linting phase.

Where we got lucky

  • Only one certificate was impacted.

Action Items

Action Item | Kind | Date | Status
Enabling monitoring for new certificate requests with similar invalid NTR structure. | Detect | 2025-01-29 | Done
Deployment of the technical restriction within the vetting flow for NTR and European countries. | Prevent | 2025-02-03 | Done
Perform a gap analysis of applicable organizationIdentifier requirements and coverage of checks within vetting and linting flows. | Mitigate | 2025-02-05 | Done
Prepare and assign refresher training to vetting teams on organizationIdentifier field. | Mitigate | 2025-02-13 | Planned
Deployment of pkilint as pre-linter in production environment. | Prevent | 2025-02-13 | Planned
Deployment of additional technical restrictions in vetting workflow based on gap analysis. | Prevent | 2025-02-21 | Planned

Appendix

Details of affected certificates

Serial number and SHA256 hash:

4a1768c2ecb11f9e35773337 77F5378FE601BBBE28280930C74AE99C3F6501BAB39C8228B78861B5ECAE2B9B
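The structure rule at issue, as an added example that is not GlobalSign's, zlint's or pkilint's code: a small Python pre-issuance check that splits a subject:organizationIdentifier into Registration Scheme, country, optional "+" subdivision and Registration Reference, and rejects an NTR value that carries a subdivision for a European country. The set of European country codes, the two-character subdivision width and the list of known scheme identifiers are assumptions made for the example (the S/MIME BRs say "European country" without enumerating them here). The inputs are the value NTRDE+BY-HRB 159670 from this report, its country-level form NTRDE-HRB 159670, and a constructed non-European value with a subdivision.

```python
"""Added example, not code from GlobalSign, zlint or pkilint: a minimal
pre-lint for the S/MIME BR subject:organizationIdentifier structure,
focused on the NTR rule this incident was about."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the BRs speak of "European country" without listing codes.
# This illustrative set is the EU-27 plus EEA/EFTA members, not authoritative.
EUROPEAN_COUNTRIES = frozenset("""
AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE
IS LI NO CH
""".split())

# Registration Scheme identifiers used in the S/MIME BRs (assumed list).
KNOWN_SCHEMES = frozenset({"NTR", "VAT", "PSD", "LEI", "GOV", "INT"})

# <scheme:3 letters><country:2 letters>[+<subdivision:2 chars>]-<reference>
OI_RE = re.compile(
    r"^(?P<scheme>[A-Z]{3})(?P<country>[A-Z]{2})"
    r"(?:\+(?P<subdivision>[A-Z0-9]{2}))?-(?P<reference>.+)$"
)


@dataclass(frozen=True)
class OrgId:
    scheme: str
    country: str
    subdivision: Optional[str]
    reference: str


def parse_org_id(value: str) -> OrgId:
    """Split the field into its parts; raise ValueError if the shape is off."""
    m = OI_RE.match(value)
    if not m:
        raise ValueError(f"malformed organizationIdentifier: {value!r}")
    return OrgId(m["scheme"], m["country"], m["subdivision"], m["reference"])


def lint_org_id(value: str) -> List[str]:
    """Return findings for the value; an empty list means it passed."""
    try:
        oi = parse_org_id(value)
    except ValueError as exc:
        return [str(exc)]
    findings: List[str] = []
    if oi.scheme not in KNOWN_SCHEMES:
        findings.append(f"unknown Registration Scheme {oi.scheme!r}")
    # The rule from the incident: NTR in a European country is assigned at
    # the country level, so a "+<subdivision>" component is not allowed.
    if oi.scheme == "NTR" and oi.subdivision and oi.country in EUROPEAN_COUNTRIES:
        findings.append(
            f"NTR for European country {oi.country} must be assigned at country "
            f"level; subdivision '+{oi.subdivision}' is not permitted"
        )
    return findings


def pre_lint_gate(value: str, enforce: bool = True) -> bool:
    """Issuance decision: in enforce mode a finding blocks issuance; in
    monitoring mode (as the post-linter was here) it is only reported."""
    findings = lint_org_id(value)
    for f in findings:
        print(f"[{'BLOCK' if enforce else 'MONITOR'}] {value}: {f}")
    return not findings or not enforce


if __name__ == "__main__":
    for candidate in ("NTRDE+BY-HRB 159670",   # the affected value
                      "NTRDE-HRB 159670",      # country-level form
                      "NTRUS+CA-1234567"):     # constructed non-European example
        print(candidate, "->", "issue" if pre_lint_gate(candidate) else "reject")
```

The gate's `enforce` flag mirrors the difference the report describes between a linter in monitoring mode and one that blocks issuance: the same finding is produced in both modes, but only the enforcing pre-linter stops the certificate.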

We are on track to deliver the additional training, which has been prepared and will be delivered to all vetting agents tomorrow. We are also progressing as planned with the gap analysis.

Based on the results of QA testing for pkilint, the timeline for deploying to production has been revised. We expect to deploy in the production environment by February 21, 2025.

Could the “Next Update” please be set to February 21, 2025?

Flags: needinfo?(bwilson)
Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [smime-misissuance] → [ca-compliance] [smime-misissuance] Next update 2025-02-21

We delivered the training on February 13, deployed pkilint as pre-linter in the production environment on February 18, concluded our gap analysis and deployed additional technical restrictions in the vetting workflow on February 18.

This concludes the identified remedial activities.

Incident Report Closure Summary

  • Incident Description:

An S/MIME certificate included the subdivision +BY for Germany and therefore had an invalid structure according to the Baseline Requirements for S/MIME which requires “For the NTR Registration Scheme, where the Legal Entity is registered within a European country, the NTR Registration Scheme SHALL be assigned at the country level.”

  • Incident Root Cause(s):

The root cause is a combination of human error, missing a technical restriction within the vetting workflow (for the assignment at country level within the NTR scheme) and incomplete lint coverage of the requirement within pre-linter configuration at the time of issuance.

  • Remediation Description:

GlobalSign deployed a technical restriction within the vetting flow for NTR and European countries. We delivered additional training to the vetting agents, and completed the deployment of pkilint as pre-linter in production environment. Furthermore, we performed a gap analysis and introduced further technical restrictions in the vetting workflow.

  • Commitment Summary:

Our commitment is to continue monitoring for future changes related to the structure and contents of the subject:organizationIdentifier field to ensure the requirements are enforced through a combination of technical restrictions in the vetting workflow and/or linting.

All Action Items disclosed in this Incident Report have been completed as described, and we request its closure.

Flags: needinfo?(bwilson)

I intend to close this on or about next Wednesday, 26-Feb-2025, unless there are issues or questions to discuss.

Whiteboard: [ca-compliance] [smime-misissuance] Next update 2025-02-21 → [ca-compliance] [smime-misissuance]
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED