Bugzilla #1900492
Certificate Problem Report
IdenTrust: Invalid OrganizationIdentifier in S/MIME certificates
RESOLVED
FIXED
IdenTrust Services, LLC
AI Summary
IdenTrust Services, LLC identified an issue with the organizationIdentifier validation for S/MIME certificates during testing of a new PKI linting tool. The internal validation logic erroneously allowed the issuance of a certificate with an invalid organization validation scheme. Only one certificate was affected, which was promptly revoked within 24 hours of discovery. The root cause was traced to a lack of checks in the application for GOVUS entities, and corrective measures, including the deployment of the linting tool and updates to the validation logic, have been implemented.
Chronology
- Deployed the Organization Validation Scheme per the S/MIME Baseline Requirements (BR)
- Issued S/MIME certificate with invalid registration scheme identifier
- QA operator discovered validation issue during testing
- Revoked the affected certificate
- Deployed the new S/MIME linting tool
Participants
IdenTrust
Mathew Hodson
Ben Wilson
Similar Local Cases
IdenTrust: OCSP Signer Certificate Missing No-Check Extension
IdenTrust: Incorrect response for OCSP validation
IdenTrust: EV TLS certificate with wrong jurisdiction state for private organization
IdenTrust: TLS ICA with User Notice in Policy Qualifier
IdenTrust: Certificates with Invalid values for stateOrProvinceName
IdenTrust: Discrepancy in values of address fields within CN of SSL Certificates
IdenTrust: S/MIME certificates issued in violation of New S/MIME Baseline Requirements v1.0
IdenTrust: S/MIME Certificates issued without CAB Forum OID