Asseco DS / Certum: Finding in Routine WebTrust Audit – S/MIME certificates issued with mailbox validation older than 30 days
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: kateryna.aleksieieva, Assigned: kateryna.aleksieieva
Details: Whiteboard: [ca-compliance] [smime-misissuance]
Attachments: 2 files
Preliminary Incident Report
Summary
- Incident description: During the onsite audit conducted on 06 March 2026, auditors identified a potential issue regarding the e-mail verification process used for S/MIME certificates issued by Certum. After internal verification, we confirmed that the issue represents a deviation from the applicable requirements. Specifically, the requirement stating that completed validation of control of a mailbox SHALL be obtained no more than 30 days prior to issuing the certificate has not been met for certain certificates.
Further investigation confirmed that 101 S/MIME certificates were affected. All affected certificates have been revoked, and subscribers were informed and instructed on how to replace their certificates. Certum has applied changes to the issuance system to ensure compliance with the requirement.
A full incident report will be published no later than 20 March 2026.
- Relevant policies: Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates, Section 4.2.1
- Source of incident disclosure: WebTrust audit
Comment 1•3 months ago
After completing the revocation of the initially identified certificates, additional affected certificates were discovered during extended analysis; therefore, a separate incident related to delayed revocation has been opened (see: https://bugzilla.mozilla.org/show_bug.cgi?id=2023190).
Comment 2•3 months ago
Full Incident Report
Summary
- CA Owner CCADB unique ID: A000061
- Incident description: During the onsite audit conducted on 06 March 2026, auditors identified a potential issue related to the e-mail verification process used for S/MIME certificates issued by Certum.
Following internal verification, Certum confirmed that the requirement stating that validation of control of a mailbox SHALL be obtained no more than 30 days prior to certificate issuance was not met for a subset of certificates.
Certum’s initial investigation identified 120 affected S/MIME certificates, of which 101 remained valid and were revoked; subscribers were notified and instructed on certificate replacement. During subsequent incident review, Certum identified an additional scenario not covered by the original analysis, which resulted in the discovery of 61 additional affected certificates, of which 32 remained valid and required revocation. These certificates were revoked in a separate revocation event. Because they were identified only after the 24-hour revocation window had elapsed, Certum reported an additional Bugzilla incident regarding delayed revocation. The initial impact assessment did not identify all affected certificates because the original search script contained an incorrectly defined filtering condition, which caused a subset of affected certificates to be excluded from the initial results.
In total, 181 S/MIME certificates were affected.
Certum has applied changes in the issuance system to enforce compliance with the 30-day validation requirement.
- Timeline summary:
- Non-compliance start date: 2023-09-01
- Non-compliance identified date: 2026-03-06
- Non-compliance end date: 2026-03-11
- Relevant policies: Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates, Section 4.2.1
- Source of incident disclosure: WebTrust audit
Impact
- Total number of certificates: 181
- Total number of "remaining valid" certificates: 133
- Affected certificate types: All S/MIME certificate types, including Mailbox, Individual, Organization, and Sponsor
- Incident heuristic: Certificates were identified as affected if the time elapsed between e-mail validation and certificate issuance exceeded 30 days.
- Was issuance stopped in response to this incident, and why or why not?: No. The configuration was corrected to enforce the 30-day validity period for email validation. Additionally, for certification requests already in progress, validation data was re-evaluated, and where it exceeded the allowed period, applicants were required to repeat the email validation prior to issuance.
- Analysis: The incident was caused by the lack of a properly configured validity period in the validation component. This allowed reuse of e-mail validation data beyond the permitted 30-day period and resulted in non-compliant certificate issuance.
- Additional considerations: All affected certificates were revoked, including those identified after the initial revocation event. A secondary investigation identified additional affected certificates that were not included in the initial scope.
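As an added illustration (not Certum's code and not the issuance system's actual configuration), the incident heuristic above and the pre-issuance gate expressed in Python. It assumes the 30-day boundary is inclusive and that all timestamps are UTC; the mailbox and timestamp records are constructed. The search considers only validations completed on or before each issuance, so a later re-validation of the same mailbox cannot make an affected certificate look compliant.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# S/MIME BR 4.2.1: the mailbox-control validation an issuance relies on must be
# no older than 30 days at issuance time (inclusive boundary assumed; all UTC).
MAX_VALIDATION_AGE = timedelta(days=30)

@dataclass(frozen=True)
class Validation:
    mailbox: str
    completed_at: datetime

@dataclass(frozen=True)
class Certificate:
    serial: str
    mailbox: str
    issued_at: datetime

def validation_is_fresh(completed_at: datetime, issued_at: datetime) -> bool:
    """Pre-issuance gate: completed before issuance and at most 30 days old."""
    age = issued_at - completed_at
    return timedelta(0) <= age <= MAX_VALIDATION_AGE

def latest_validation_before(validations, mailbox, issued_at):
    """Newest validation of this mailbox completed on or before issuance.
    A re-validation done after issuance must not make an old cert look compliant."""
    candidates = [v for v in validations
                  if v.mailbox == mailbox and v.completed_at <= issued_at]
    return max(candidates, key=lambda v: v.completed_at, default=None)

def find_affected(certs, validations):
    """Incident search: serials issued without a fresh supporting validation."""
    affected = []
    for c in certs:
        v = latest_validation_before(validations, c.mailbox, c.issued_at)
        if v is None or not validation_is_fresh(v.completed_at, c.issued_at):
            affected.append(c.serial)
    return affected

# Constructed sample records, not taken from the report.
VALIDATIONS = [
    Validation("a@example.com", datetime(2026, 1, 5, 10, 0)),
    Validation("b@example.com", datetime(2026, 1, 1, 10, 0)),
    Validation("b@example.com", datetime(2026, 2, 20, 10, 0)),  # after cert 02 was issued
    Validation("c@example.com", datetime(2026, 2, 1, 10, 0)),
]
CERTS = [
    Certificate("01", "a@example.com", datetime(2026, 2, 4, 10, 0)),   # exactly 30 days: compliant
    Certificate("02", "b@example.com", datetime(2026, 2, 10, 10, 0)),  # 40 days: affected
    Certificate("03", "c@example.com", datetime(2026, 2, 15, 10, 0)),  # 14 days: compliant
    Certificate("04", "d@example.com", datetime(2026, 2, 15, 10, 0)),  # never validated: affected
]
```

Running `find_affected(CERTS, VALIDATIONS)` on the sample records returns the serials 02 and 04.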
Timeline
All times are UTC
- 2023-09-01 S/MIME Baseline Requirements (BR) version 1.0.0 became applicable
- 2023-09-01 Certum started issuing S/MIME certificates under S/MIME BR 1.0.0
- 2026-03-06
  - 09:30 Auditors inquired about the e-mail verification period
  - 09:45 Certum initiated internal verification
  - 13:00 Certum confirmed the issue and initiated a mass revocation procedure, including analysis to determine the full scope of affected certificates
  - 14:25 A configuration fix was applied to prevent further non-compliant issuance
  - 15:40 Certum scheduled revocation of 101 identified certificates for 2026-03-07 at 08:15 UTC and initiated subscriber notification
- 2026-03-07
  - 08:15 All initially identified certificates were revoked; CRLs were verified to confirm successful revocation
  - 10:05 Certum reported the incident on Bugzilla
- 2026-03-11
  - 10:00 While working on a draft report for Bugzilla, Certum identified a more complex potential impact scenario
  - 11:15 Verification confirmed additional non-compliant certificates that were not captured in the initial assessment
  - 11:36 An additional fix was applied to address the newly identified scenario
  - 12:04 Certum obtained the complete list of 32 additionally affected certificates that required revocation
  - 13:10 Certum scheduled revocation of 32 additional certificates for 2026-03-12 at 09:05 UTC and notified subscribers
- 2026-03-12
  - 09:05 All additionally identified certificates were revoked
- 2026-03-13 Certum reported an additional Bugzilla incident regarding delayed revocation of 32 certificates identified after the 24-hour revocation window
Related Incidents
| Bug | Date | Description |
|---|---|---|
| 1829746 | 2023-04-24 | DCV validation exceeded the allowed validity period due to a scenario where the CA system permitted issuance |
| 1860299 | 2023-10-20 | E-mail verification based on DCV validation exceeded the allowed validity period due to a scenario where the CA system permitted issuance |
Root Cause Analysis
Contributing Factor #1: Missing dedicated configuration for S/MIME validation validity
- Description: The validation component used a default (legacy) configuration that allowed reuse of validation data beyond 30 days. A dedicated parameter for S/MIME was not configured.
- Timeline: Introduced during initial implementation of S/MIME BR (2023) and persisted until detection on 2026-03-06.
- Detection: Identified during WebTrust audit inquiry.
- Interaction with other factors: Combined with lack of validation age enforcement during issuance.
Contributing Factor #2: Insufficient review of existing configuration according to Baseline Requirements
- Description: Existing validation mechanisms were assumed to be compliant and were not revalidated during S/MIME BR implementation.
- Timeline: At implementation phase and subsequent reviews.
- Detection: Identified during root cause analysis.
- Interaction with other factors: Allowed configuration gap to remain undetected.
Root Cause:
The root cause of the incident was the absence of a properly configured validation validity parameter for S/MIME, and this gap was not identified during implementation or subsequent reviews, allowing outdated validation data to be reused.
- Root Cause Analysis methodology used: 5 Whys
Lessons Learned
- What went well:
  - The incident handling process confirmed the operational effectiveness of Certum’s Mass Revocation mechanism
  - The incident also demonstrated that the mass revocation framework, originally implemented for TLS/SSL certificates, can be effectively applied to S/MIME certificates
- What didn’t go well:
  - The initial analysis of the applicable Baseline Requirements was insufficient
  - The initial impact assessment contained an incorrectly defined filtering condition
- Where we got lucky:
  - Most certificate requests are issued within 30 days, so fortunately only a very small number remain pending for longer periods.
Action Items
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Configure a dedicated parameter for S/MIME | Prevent / Correct | #1, #2 | Dedicated S/MIME settings are verified; issuance is blocked if validation exceeds the allowed age | 2026-03-06 | Done |
| Create and maintain a registry/checklist of Baseline Requirements containing numeric and time-based constraints | Prevent | #2 | A documented and approved registry exists and is verified | 2026-03-27 | In progress |
| Introduce production acceptance tests for numeric and date-based compliance constraints | Detect / Prevent | #1, #2 | Test cases verify the defined numeric and temporal limits | 2026-04-20 | Planned |
Appendix
Attached is a list of all revoked certificates.
Comment 3•3 months ago
Comment 4•2 months ago
The updated Appendix is attached, containing both the SHA256 hash and the certificate serial number in line with CCADB Incident reporting guidelines.
Comment 5•2 months ago
Action Items update
| Action Item | Kind | Corresponding Root Cause | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Configure a dedicated parameter for S/MIME | Prevent / Correct | #1, #2 | Dedicated S/MIME settings are verified; issuance is blocked if validation exceeds the allowed age | 2026-03-06 | Done |
| Create and maintain a registry/checklist of Baseline Requirements containing numeric and time-based constraints | Prevent | #2 | A documented and approved registry exists and is verified | 2026-03-27 | Done |
| Introduce production acceptance tests for numeric and date-based compliance constraints | Detect / Prevent | #1, #2 | Test cases verify the defined numeric and temporal limits | 2026-04-20 | Planned |
Please set the “Next update” date to 2026-04-20 to align with the last action item.
Comment 6•2 months ago
Action Items update
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Configure a dedicated parameter for S/MIME | Prevent / Correct | #1, #2 | Dedicated S/MIME settings are verified; issuance is blocked if validation exceeds the allowed age | 2026-03-06 | Done |
| Create and maintain a registry/checklist of Baseline Requirements containing numeric and time-based constraints | Prevent | #2 | A documented and approved registry exists and is verified | 2026-03-27 | Done |
| Introduce production acceptance tests for numeric and date-based compliance constraints | Detect / Prevent | #1, #2 | Test cases verify the defined numeric and temporal limits | 2026-04-16 | Done |
All action items have been completed, and the closure report is scheduled for publication by 2026-04-23.
Comment 7•1 month ago
Report Closure Summary
- Incident description: This incident was related to non-compliance with the requirement stating that validation of control of a mailbox SHALL be obtained no more than 30 days prior to certificate issuance for a subset of S/MIME certificates.
- Incident Root Cause(s): The absence of a properly configured validity parameter for S/MIME in the validation component, combined with insufficient review of existing validation configuration against Baseline Requirements, which allowed reuse of validation data beyond the permitted 30-day period.
- Remediation description: A configuration fix was applied to enforce the 30-day validation requirement during certificate issuance. Validation data for certification requests in progress was re-evaluated, and where it exceeded the allowed period, revalidation was required. All affected certificates, including those identified during the secondary investigation, were revoked.
- Commitment summary: Certum has configured a dedicated parameter for S/MIME validation, established a registry of Baseline Requirements containing numeric and time-based constraints, and introduced production acceptance tests to verify compliance with defined numeric and temporal limits.
All Action Items disclosed in this report have been completed as described, and we request its closure.
Comment 8•1 month ago
This is a final call for comments or questions on this Incident Report.
Otherwise, it will be closed on approximately 2026-04-30.