Bugzilla #1914020
Certificate Misissuance
SwissSign: S/MIME NCP non ASCII symbols in email and SAN field wrong coding
RESOLVED
FIXED
SwissSign AG
AI Summary
SwissSign AG identified a misissuance of 98 S/MIME NCP certificates due to incorrect encoding of non-ASCII characters in the Subject Alternative Name (SAN) field. This issue was discovered during an annual audit, which revealed that the SAN field did not conform to the required standards. The affected certificates were revoked before the deadline, and measures have been implemented to prevent future occurrences, including the introduction of a linter to catch such errors. The incident highlights the importance of compliance with RFC standards in certificate issuance.
Chronology
- S/MIME BR chapter 7.1.2.4 released, requiring compliance with RFC 5280.
- First mis-issuance of affected certificates.
- Last mis-issuance of affected certificates.
- Activation of S/MIME linter to prevent further mis-issuance.
- Revocation of all affected certificates completed.
- Completion of test-coverage for non-ASCII characters.
Participants
Sandy Balzer
Stephan Verbücheln
B. Wilson
Similar Local Cases
SwissSign: S/MIME LCP not-permitted key usage
SwissSign: wrong address in EV certificate
SwissSign: MPKI step-up process sets wrong JoI Locality
SwissSign: LDAP URL still in CRL distribution point (CDP)
SwissSign: difference in upper and lower case between CN field and SAN
SwissSign: Missed revocation and opening Bugzilla
SwissSign: modified fields were not saved into certificates and resulted in miss-issuance
SwissSign: Domain validated certificate but with stateOrProvinceName