
Incident report: Certificates with error in subject: postalCode


Mads Egil Henriksveen

Nov 2, 2017, 2:48:00 AM11/2/17
to mozilla-dev-s...@lists.mozilla.org
Hi

Late last week we discovered three certificates issued by Buypass with an error in subject:postalCode for one Dutch company. One of these certificates is available at https://crt.sh/?id=212774960

The postal code should have been '3707BK' as registered in the European Business Register (EBR), but these three certificates were issued with the value 'NLD-3707BK', where NLD is the three-letter UN country code for the Netherlands.

The inclusion of the three-letter country code was indirectly caused by retrieving a three-letter UN country code instead of the two-letter ISO 3166 country code. The three-letter country code was then changed into a two-letter country code to comply with BR 7.1.4.2.2 h). However, this change caused a formatting error in another data field used as input to the postalCode attribute, which in turn led to the inclusion of the three-letter country code in the postalCode field of the certificates.

We have checked all issued certificates and concluded that these are the only three certificates with this error.

We consider this error to be minor since the certificates include the zip or postal information as specified by BR 7.1.4.2.2 g), only prefixed with the country code. We have decided not to revoke the affected certificates since we do not consider this to represent any security concern and since the information is not misleading. This decision has also been discussed with our auditor.

However, since this is a deviation from our standard procedures (and not necessarily in compliance with the requirements), we decided to handle this as a "misissuance" and therefore send this incident report.

We will add an additional check in our certificate issuance system to identify any errors in the formatting of the postalCode field, together with a cablint/certlint control which is already planned. This will prevent issuance of certificates with this formatting error. These extra controls will be released by the end of this week.

We have also identified a bug fix for the country code formatting error, but this fix has not yet been scheduled.

Regards
Mads
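The pre-issuance check described in the report (validate the postalCode attribute against the country in subject:C and catch a stray three-letter country code prefix such as 'NLD-3707BK') can be expressed as a small subject linter. The code below is an added example for this thread, not Buypass's issuance code or certlint/cablint. It uses only the Python standard library; the alpha-3 to alpha-2 table and the per-country postal code syntax rules are deliberately partial and are assumptions for the example, as is the constructed subject that mirrors the reported value.

```python
"""Lint subject:postalCode against subject:C.

Added example for the Buypass postalCode incident discussion; not code
from the original report. Flags the reported failure mode: a value that
is a valid postal code for the country only once a recognised
ISO 3166-1 alpha-3 prefix is stripped off.
"""
import re

# Partial alpha-3 -> alpha-2 table (assumption for this example; a real
# deployment would load the complete ISO 3166-1 list).
ALPHA3_TO_ALPHA2 = {
    "NLD": "NL", "DNK": "DK", "NOR": "NO", "DEU": "DE", "USA": "US", "GBR": "GB",
}

# Postal code syntax per country for the countries in the table above
# (assumption: simplified patterns, enough to show the check).
POSTAL_CODE_PATTERNS = {
    "NL": re.compile(r"^[1-9][0-9]{3} ?[A-Z]{2}$"),
    "DK": re.compile(r"^[0-9]{4}$"),
    "NO": re.compile(r"^[0-9]{4}$"),
    "DE": re.compile(r"^[0-9]{5}$"),
    "US": re.compile(r"^[0-9]{5}(-[0-9]{4})?$"),
    "GB": re.compile(r"^[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}$"),
}

# Three capital letters, an optional '-' or ' ' separator, then the rest.
ALPHA3_PREFIX = re.compile(r"^([A-Z]{3})[- ]?(.+)$")

# Constructed subject mirroring the reported value (not the real cert's DN).
MISISSUED_SUBJECT = [
    ("C", "NL"),
    ("O", "Example Dutch Company B.V."),
    ("postalCode", "NLD-3707BK"),
]


def lint_postal_code(subject):
    """subject: list of (attribute, value) tuples as found in a subject DN.

    Returns a list of finding strings; an empty list means postalCode is
    absent or matches the syntax for subject:C.
    """
    attrs = dict(subject)
    country = attrs.get("C")
    postal = attrs.get("postalCode")
    findings = []
    if postal is None:
        return findings  # postalCode is optional; nothing to check
    if country is None:
        return ["postalCode present but subject:C is missing"]
    pattern = POSTAL_CODE_PATTERNS.get(country)
    if pattern is None:
        return [f"no postalCode syntax rule for C={country}; manual review"]
    if pattern.match(postal):
        return findings
    # Malformed for its country: test specifically for an alpha-3 prefix
    # glued onto an otherwise valid postal code (the 'NLD-3707BK' case).
    m = ALPHA3_PREFIX.match(postal)
    if m and m.group(1) in ALPHA3_TO_ALPHA2 and pattern.match(m.group(2)):
        alpha3, rest = m.groups()
        findings.append(
            f"postalCode '{postal}' carries alpha-3 prefix {alpha3}; expected '{rest}'"
        )
        if ALPHA3_TO_ALPHA2[alpha3] != country:
            findings.append(f"prefix {alpha3} does not correspond to subject:C={country}")
    else:
        findings.append(f"postalCode '{postal}' does not match the {country} postal code syntax")
    return findings


if __name__ == "__main__":
    for finding in lint_postal_code(MISISSUED_SUBJECT):
        print("FAIL:", finding)
```

Run as a pre-issuance gate, a non-empty result blocks issuance; the separate "prefix does not correspond to subject:C" finding also catches the related case where the prefix points at a different country than the one in C, which the report's root cause (a wrong country-code lookup feeding another field) could equally have produced.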

Nick Lamb

Nov 2, 2017, 8:27:09 AM11/2/17
to mozilla-dev-s...@lists.mozilla.org
My understanding is that postal codes written in this form are understood (even if not always specifically permitted) by many postal authorities and so this deviation would not be likely to impact deliverability of a snail mail letter sent (for whatever reason) to the address shown in the certificate.

Jakob Bohm

Nov 2, 2017, 12:33:04 PM11/2/17
to mozilla-dev-s...@lists.mozilla.org
On 02/11/2017 13:27, Nick Lamb wrote:
> My understanding is that postal codes written in this form are understood (even if not always specifically permitted) by many postal authorities and so this deviation would not be likely to impact deliverability of a snail mail letter sent (for whatever reason) to the address shown in the certificate.
>

The form usually understood by postal services is the one with
two-letter country code, though once unparseable addresses are handed
over for manual (human) resolution, such typos are usually handled
gracefully, but perhaps with a delivery delay.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded