Hi

Late last week we discovered three certificates issued from Buypass with an 
error in the subject:PostalCode for one Dutch company. One of these 
certificates is available at https://crt.sh/?id=212774960

The postalCode should have been '3707BK' as registered in the European Business 
Register (EBR), but these three certificates were issued with the value 
'NLD-3707BK', where NLD is the 3-letter UN country code for the Netherlands.

The inclusion of the three letter country code was indirectly caused by 
retrieving a three letter UN country code, instead of the two letter ISO 3166 
country code. The three letter country code was then changed into a two letter 
country code to comply with BR 7.1.4.2.2 h). However, this change caused a 
formatting error in another data field used as input to the postalCode 
attribute and then again the inclusion of the three letter country code in the 
postalCode field in the certificates.

We have checked all issued certificates and concluded that these are the only 
three certificates with this error.

We consider this error to be minor since the certificates include the zip or 
postal information as specified by BR 7.1.4.2.2 g), only prefixed with the 
country code. We have decided to not revoke the affected certificates since we 
do not consider this to represent any security concern and since the 
information is not misleading. This decision has also been discussed with our 
auditor.

However, since this is a deviation from our standard procedures (and not 
necessarily in compliance with the requirements), we decided to handle this as 
a "misissuance" and therefore send this incident report.

We will add an additional check in our certificate issuance system to identify 
any errors in the formatting of the postalCode field - together with a 
cablint/certlint control which is already planned. This will prevent issuance 
of certificates with this formatting error. These extra controls will be 
released by the end of this week.

We have also identified a bug fix for the country code formatting error, but 
this fix has not yet been scheduled.

Regards
Mads
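The pre-issuance postalCode check described in the report, as an added illustrative example (not Buypass's own code): it flags a subject postalCode that carries the alpha-3 country code as a prefix, the defect behind 'NLD-3707BK'. The alpha-2/alpha-3 table and the per-country postal code formats it uses are assumed, illustrative values, not a complete reference.

```python
"""Pre-issuance lint for the subject postalCode attribute (added example).

Constructed to show the kind of control the report describes; it is not
the CA's own code. The country table and national formats below are a
small illustrative subset and are assumptions for this example.
"""
import re

# Constructed subset of ISO 3166-1: alpha-2 (used in countryName) -> alpha-3.
ALPHA3_BY_ALPHA2 = {"NL": "NLD", "NO": "NOR", "DE": "DEU"}

# Assumed national postal code formats (illustrative, not exhaustive).
POSTAL_CODE_PATTERNS = {
    "NL": re.compile(r"^[0-9]{4} ?[A-Z]{2}$"),   # e.g. 3707BK or 3707 BK
    "NO": re.compile(r"^[0-9]{4}$"),
    "DE": re.compile(r"^[0-9]{5}$"),
}


def check_postal_code(country: str, postal_code: str) -> list[str]:
    """Return findings for a subject (countryName, postalCode) pair.

    An empty list means the postalCode passed every check; a non-empty
    list is what an issuance system would use to block the request.
    """
    findings = []
    country = country.strip().upper()
    alpha3 = ALPHA3_BY_ALPHA2.get(country)
    if alpha3 is None:
        findings.append(f"countryName {country!r} is not a known alpha-2 code")
        return findings
    # The exact defect from the report: alpha-3 code prefixed to the postal code.
    if postal_code.upper().startswith(alpha3 + "-"):
        findings.append(
            f"postalCode {postal_code!r} is prefixed with the alpha-3 code {alpha3!r}"
        )
    # More general: any leading 2- or 3-letter code followed by a separator.
    elif re.match(r"^[A-Z]{2,3}[- ]", postal_code.upper()):
        findings.append(f"postalCode {postal_code!r} carries a country-like prefix")
    # Independently verify the value against the national format, if known.
    pattern = POSTAL_CODE_PATTERNS.get(country)
    if pattern is not None and not pattern.match(postal_code):
        findings.append(f"postalCode {postal_code!r} does not match the {country} format")
    return findings


if __name__ == "__main__":
    # The misissued value from the report beside the value that should have been used.
    for value in ("NLD-3707BK", "3707BK"):
        print(value, "->", check_postal_code("NL", value) or "OK")
```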

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy