Hi,

This is an incident report for one certificate issued by Buypass on September 23rd 2019 noncompliant with BR 7.1. The certificate, issued to a Swedish organization, has an error in the subject:postalCode field. The postalCode value is set to 2153 while the correct value should be 21532.

=== How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

The error was discovered at 13:30 on September 25th 2019 during internal self-audit.

=== A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

We use several applications to register certificate requests. One of these applications, deployed June 2019, formatted the postal code for Swedish addresses wrong. The application retrieves correct address information from the Swedish Business Register (SE-21532 MALMÖ), but formats the postal code erroneously and stores this as SE-2153 MALMÖ.

Timeline after the certificate was issued:

2019-09-23, 08:40: The certificate was issued with the erroneous postal code
2019-09-25, 13:30: The error in the certificate was discovered during internal self-audit
2019-09-26, 08:46: The certificate was revoked in agreement with the Subscriber
2019-09-26, 14:00: A bug in the application was identified, fixed and verified
2019-09-26, 15:00: We checked that no other certificates issued in the relevant period had the same error

=== Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

The bug in the application was fixed immediately so we have stopped issuing certificates with this problem.

=== A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

One (1) cert – issued September 23rd, 2019

=== The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

https://crt.sh/?id=1916180124

=== Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The bug was introduced due to a misunderstanding of how to format Swedish postal codes. We do perform manual controls to verify that address information is correctly formatted before issuance, but in this case the manual controls did not detect the formatting error. The application is used only for a newly introduced type of certificate and the formatting error was only occurring for Swedish postal codes. The rare combination of requests for this certificate type and the Swedish organization was the main reason for not detecting the bug before.

=== List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

We identified a bug in the application causing the formatting error in the postal code field for Swedish addresses. This has been fixed and verified. We introduced an additional check in our certificate issuance system to identify any errors in the formatting of the postalCode field as described in a previous Incident with a similar error – see [1]. Unfortunately, this check was not activated for this specific type of certificate. We will ensure that this system control will cover all certificates such that any formatting error in the postalCode will interrupt the certificate issuance.

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/g1up84dmKQo/pCRkFJd6BQAJ

Regards
Mads

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
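A pre-issuance postalCode check of the kind the report describes (well-formed for the country, and equal to the value from the business register), written here as an added example and not Buypass's own code. The registry address form "SE-21532 MALMÖ" is taken from the report; the country format table, the parsing regex and the function names are assumptions for this example.

```python
import re

# Country-specific postal code shapes after removing spaces. Constructed for this
# example: Sweden uses five digits (printed as "215 32"); other rows are illustrative.
POSTAL_CODE_FORMATS = {
    "SE": re.compile(r"^\d{5}$"),
    "NO": re.compile(r"^\d{4}$"),
}

# Registry address line as quoted in the report: "<CC>-<postal code> <CITY>".
# The city must start with a non-digit so "SE-215 32 MALMÖ" keeps "215 32" together.
REGISTRY_ADDRESS = re.compile(r"^(?P<cc>[A-Z]{2})-(?P<postal>[0-9 ]+?)\s+(?P<city>[^\d\s].*)$")


def parse_registry_address(address):
    """Split a registry address line into (country, postal code without spaces, city).
    Raises ValueError when the line does not have the expected shape."""
    m = REGISTRY_ADDRESS.match(address.strip())
    if not m:
        raise ValueError(f"unrecognised registry address: {address!r}")
    return m.group("cc"), m.group("postal").replace(" ", ""), m.group("city")


def check_postal_code(subject_postal_code, subject_country, registry_address):
    """Pre-issuance control: return a list of findings for the subject postalCode
    that is about to be certified. An empty list means the value may be issued;
    any finding should interrupt issuance rather than be logged and ignored."""
    findings = []
    cc, registry_postal, _city = parse_registry_address(registry_address)
    candidate = subject_postal_code.replace(" ", "")
    if subject_country != cc:
        findings.append(f"countryName {subject_country} does not match registry country {cc}")
    fmt = POSTAL_CODE_FORMATS.get(subject_country)
    if fmt is None:
        findings.append(f"no postal code format rule for {subject_country}; manual review required")
    elif not fmt.match(candidate):
        findings.append(f"postalCode {subject_postal_code!r} is malformed for {subject_country}")
    if candidate != registry_postal:
        findings.append(f"postalCode {subject_postal_code!r} differs from registry value {registry_postal!r}")
    return findings


if __name__ == "__main__":
    # Constructed inputs mirroring the report: the register says SE-21532 MALMÖ,
    # the request application produced 2153. Both checks fire on the bad value.
    for candidate in ("2153", "21532", "215 32"):
        result = check_postal_code(candidate, "SE", "SE-21532 MALMÖ")
        print(candidate, "->", "OK" if not result else "; ".join(result))
```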

