← Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) cases
Bugzilla #1693304
Certificate Problem Report
FNMT: Issuance of QCP-n certificates without verifying identity
RESOLVED
FIXED
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT)
AI Summary
The Government of Spain's FNMT reported an incident regarding the issuance of QCP-n certificates without proper identity verification. Due to COVID-19 restrictions, the process for verifying identities was compromised, leading to potential non-compliance with Spanish law. The FNMT identified the issue during an audit and suspended the issuance of certificates under the affected procedure. They communicated with the relevant authorities to disable the procedure and initiated corrective actions. The incident did not imply a significant security breach but raised concerns about compliance with legal requirements.
Chronology
- New procedure implemented for certificate issuance.
- Incident detected during annual audit; issuance service suspended.
- Potential incident fully diagnosed.
- Incident reported publicly.
Participants
alain@fnmt.es
pfuentes@wisekey.com
ryan.sleevi@gmail.com
pablo@anf.es
bwilson@mozilla.com
External References
Similar Local Cases
FNMT: Invalid localityName
Apple: EV Certificate Approver Authorization
SSL.com: Issuance of 3 EV TLS certificates without 2-person validation of the organization information
GoDaddy: Failure to revoke key-compromised certificates within 24 hours
SSL.com: Issuance of an EV TLS certificate with incorrect O Field Value
Sectigo: Failure to revoke key-compromised certificate within 24 hours
Sectigo: potentially invalid organizational validation certificates
IdenTrust: Undisclosed Unrevoked ICAs