Hi

This is an incident report for one certificate issued by Buypass on September 
23rd 2019 noncompliant with BR 7.1. The certificate, issued to a Swedish 
organization, has an error in the subject:postalCode field. The postalCode 
value is set to 2153 while the correct value should be 21532.

===How your CA first became aware of the problem (e.g. via a problem report 
submitted to your Problem Reporting Mechanism, a discussion in 
mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the 
time and date.

The error was discovered at 13:30 on September 25th 2019 during internal 
self-audit.

===A timeline of the actions your CA took in response. A timeline is a 
date-and-time-stamped sequence of all relevant events. This may include events 
before the incident was reported, such as when a particular requirement became 
applicable, or a document changed, or a bug was introduced, or an audit was 
done.

We use several applications to register certificate requests. One of these 
applications, deployed June 2019, formatted the postal code for Swedish 
addresses wrong.  The application retrieves correct address information from 
the Swedish Business Register (SE-21532 MALMÖ), but formats the postal code 
erroneous and stores this as SE-2153 MALMÖ.

Timeline after the certificate was issued:

2019-09-‎23, 08:40: The certificate was issued with the erroneous postal code
2019-09-25, 13:30: The error in the certificate was discovered during internal 
self-audit
2019-09-26, 08:46: The certificate was revoked in agreement with the Subscriber
2019-09-26, 14:00: A bug in the application was identified, fixed and verified
2019-09-26, 15:00: We checked that no other certificates issued in the relevant 
period had the same error


===Whether your CA has stopped, or has not yet stopped, issuing certificates 
with the problem. A statement that you have will be considered a pledge to the 
community; a statement that you have not requires an explanation.

The bug in the application was fixed immediately so we have stopped issuing 
certificates with this problem.


===A summary of the problematic certificates. For each problem: number of 
certs, and the date the first and last certs with that problem were issued.

One (1) cert – issued September 23rd, 2019


===The complete certificate data for the problematic certificates. The 
recommended way to provide this is to ensure each certificate is logged to CT 
and then list the fingerprints or crt.sh IDs, either in the report or as an 
attached spreadsheet, with one list per distinct problem.
https://crt.sh/?id=1916180124


===Explanation about how and why the mistakes were made or bugs introduced, and 
how they avoided detection until now.

The bug was introduced due to a misunderstanding of how to format Swedish 
postal codes.

We do perform manual controls to verify that address information is correctly 
formatted before issuance, but in this case the manual controls did not detect 
the formatting error.

The application is used only for newly introduced type of certificates and the 
formatting error was only occurring for Swedish postal codes. The rare 
combination of requests for this certificate type and the Swedish organization 
was the main reason for not detecting the bug before.


===List of steps your CA is taking to resolve the situation and ensure such 
issuance will not be repeated in the future, accompanied with a timeline of 
when your CA expects to accomplish these things.
We identified a bug in the application causing the formatting error in postal 
code field for Swedish addresses. This has been fixed and verified.

We introduced an additional check in our certificate issuance system to 
identify any errors in the formatting of the postalCode field as described in a 
previous Incident with a similar error – see [1]. Unfortunately, this check was 
not activated for this specific type of certificates. We will ensure that this 
system control will cover all certificates such that any formatting error in 
the postalCode will interrupt the certificate issuance.

[1] 
https://groups.google.com/d/msg/mozilla.dev.security.policy/g1up84dmKQo/pCRkFJd6BQAJ

Regards
Mads



_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to