Certificate Problem Reports

After learning a bit about EV certificates I decided to check out a few and see what they contain in the registration number field. It was very confusing when the first EV registration number I looked at, one used by rabobank[.]nl, couldn't be found in KVK's database (the Dutch organisation registry).

After investigating some more, it turned out that the certificate contained an old KVK number that had been deregistered, making the certificate faulty. I reported this to the certificate authority, who started investigating.

Government certificates

I happen to have downloaded over 1 million certificates for a different project and began looking through those for other certificates with bad registration numbers. Using this, I found a certificate used by noord-holland[.]nl with "Government Entity" as their registration number despite having a real registration number, which is not allowed according to the EV guidelines:

For Government Entities that do not have a Registration Number or readily verifiable date of creation, the CA SHALL enter appropriate language to indicate that the Subject is a Government Entity.

This was also reported to the respective certificate authority and they started their own investigation.
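A sketch of how such a bulk check over certificate subjects could look. This is an added example, not the script used for this post. It assumes the subjects are available as comma-separated "key=value" strings, that a KVK number is 8 digits, and the result labels are made up for illustration. A well-formed number can still be deregistered, so those subjects still need a registry lookup.

```python
import re

# Subject attribute names/OIDs that carry the EV registration data.
ALIASES = {
    "2.5.4.5": "serialNumber",
    "2.5.4.15": "businessCategory",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionC",
    "jurisdictionCountryName": "jurisdictionC",
}
KVK_FORMAT = re.compile(r"\d{8}")  # assumption: a KVK number is 8 digits

def parse_subject(dn):
    """Split 'key=value,key=value' into a dict, honouring '\\,' escapes."""
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):
        key, _, value = part.strip().partition("=")
        attrs[ALIASES.get(key, key)] = value.replace("\\,", ",")
    return attrs

def audit(dn):
    """Classify one subject; labels are this example's own."""
    s = parse_subject(dn)
    if "businessCategory" not in s:
        return "not-ev"              # EV subjects always carry businessCategory
    if s.get("jurisdictionC") != "NL":
        return "other-jurisdiction"  # KVK format only applies to NL
    serial = s.get("serialNumber", "")
    if KVK_FORMAT.fullmatch(serial):
        return "check-registry"      # well-formed; may still be deregistered
    if s["businessCategory"] == "Government Entity":
        return "review-placeholder"  # valid only if no registration number exists
    return "malformed"

# Constructed sample subjects (not real certificates).
SAMPLES = [
    "CN=bank.example,O=Example Bank N.V.,serialNumber=12345678,"
    "businessCategory=Private Organization,jurisdictionCountryName=NL",
    "CN=provincie.example,O=Provincie Voorbeeld,serialNumber=Government Entity,"
    "businessCategory=Government Entity,1.3.6.1.4.1.311.60.2.1.3=NL",
    "CN=shop.example,O=Example B.V.,2.5.4.5=1234567,"
    "2.5.4.15=Private Organization,jurisdictionCountryName=NL",
    "CN=dv.example",
]

if __name__ == "__main__":
    for dn in SAMPLES:
        print(audit(dn), "<-", dn)
```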

Results

Both CAs reported back that they agreed the certificate was misissued, had scheduled a revocation for the affected certificate, would investigate the root cause of the misissuance, and would see if other certificates were affected.

133 certificates ended up getting revoked for Rabobank, and 27 certificates used by various Dutch government sites also had to be revoked.

Since CAs depend on trust, these incident reports are public:

It was very interesting and encouraging to see how these, admittedly minor, issues got handled.

All certificates were revoked within 5 days of discovery, and a very thorough root cause analysis was done by both CAs.

It's also worth mentioning that the subscribers had to quickly replace their affected certificates. This doesn't always go well, but, from reading these incident reports, it wasn't a problem here. So, they definitely deserve praise too.

[Image: cropped crt.sh screenshot showing "Revoked (privilegeWithdrawn)" in red text]