Bugzilla #1942130 (Certificate Problem Report)
HARICA: S/MIME certificate issuance without proper validation
Status: RESOLVED FIXED
CA: HARICA
AI Summary
A certificate problem report from a Subscriber revealed a flaw in HARICA's S/MIME issuance pipeline: mailbox-validated S/MIME certificates could be issued without the applicant's control of the email address having been verified. The flaw was introduced by an update to HARICA's REST API deployed on January 8, 2025; the updated API path did not enforce the mailbox validation step. After receiving the report on January 15, HARICA confirmed the bug, deployed a patch and revoked the five mis-issued certificates within 24 hours. The root cause was inadequate testing of the new API functionality. HARICA has since refactored its code so that every issuance path goes through a single, central validation checkpoint, so that a newly added entry point cannot skip the check.
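The fix described above, one checkpoint that every issuance path must traverse, is easier to see in code. The following is an illustrative example added to this page; it is not HARICA's software, and the class, method and field names (SmimeIssuer, require_validated_mailbox, ValidationToken), the 30-day validation reuse window and the dates in the scenario are assumptions made for the example. It contrasts a "before" design in which each entry point performs its own check (so a later-added REST path can silently omit it) with an "after" design in which the signing step refuses to run without a token that only the checkpoint produces, and it includes the kind of audit sweep a CA would run to find certificates issued without a covering validation.

```python
# Illustrative example added to this page; not HARICA's code. All names,
# the 30-day reuse window and the timeline are assumptions for the example.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class MailboxValidation:
    """Evidence that the applicant proved control of a mailbox."""
    email: str
    completed_at: datetime
    ttl: timedelta = timedelta(days=30)  # assumed reuse window for the example

    def covers(self, when: datetime) -> bool:
        return self.completed_at <= when < self.completed_at + self.ttl


@dataclass(frozen=True)
class ValidationToken:
    """Produced only by the checkpoint; the signer refuses to run without one.
    A structural guard that makes bypasses visible in review, not a cryptographic one."""
    email: str


@dataclass
class SmimeIssuer:
    validations: dict = field(default_factory=dict)  # normalised email -> evidence
    issued: list = field(default_factory=list)        # (email, issued_at)

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def record_validation(self, email: str, now: datetime) -> None:
        key = self._norm(email)
        self.validations[key] = MailboxValidation(key, now)

    # --- "before": a signer that trusts its caller, and two entry points ----
    def _sign_unchecked(self, email: str, now: datetime) -> dict:
        key = self._norm(email)
        self.issued.append((key, now))
        return {"subjectAltName": f"email:{key}"}

    def ui_issue_before(self, email: str, now: datetime) -> dict:
        v = self.validations.get(self._norm(email))
        if v is None or not v.covers(now):
            raise PermissionError("mailbox not validated")
        return self._sign_unchecked(email, now)

    def api_issue_before(self, email: str, now: datetime) -> dict:
        # A later-added REST path whose author forgot the check: the bug class.
        return self._sign_unchecked(email, now)

    # --- "after": one checkpoint that every entry point must pass through ---
    def require_validated_mailbox(self, email: str, now: datetime) -> ValidationToken:
        key = self._norm(email)
        v = self.validations.get(key)
        if v is None:
            raise PermissionError(f"no mailbox validation on file for {key}")
        if not v.covers(now):
            raise PermissionError(f"validation for {key} is outside its reuse window")
        return ValidationToken(key)

    def _sign(self, token: ValidationToken, now: datetime) -> dict:
        if not isinstance(token, ValidationToken):
            raise TypeError("signing requires a token from require_validated_mailbox")
        self.issued.append((token.email, now))
        return {"subjectAltName": f"email:{token.email}"}

    def issue(self, email: str, now: datetime) -> dict:
        return self._sign(self.require_validated_mailbox(email, now), now)

    def api_issue(self, email: str, now: datetime) -> dict:
        return self.issue(email, now)  # the UI entry point would call issue() too

    # --- incident sweep: certificates with no validation covering issuance --
    def audit(self) -> list:
        bad = []
        for email, issued_at in self.issued:
            v = self.validations.get(email)
            if v is None or not v.covers(issued_at):
                bad.append((email, issued_at))
        return bad


def run_scenarios() -> dict:
    """Exercise both designs and the audit sweep; returns plain values."""
    t0 = datetime(2025, 1, 8, tzinfo=timezone.utc)  # assumed timeline, not HARICA's
    ca = SmimeIssuer()
    ca.record_validation("Alice@Example.com", t0)
    out = {}
    out["before_ui"] = ca.ui_issue_before("alice@example.com", t0 + timedelta(days=1))["subjectAltName"]
    out["before_api"] = ca.api_issue_before("mallory@example.com", t0 + timedelta(days=2))["subjectAltName"]
    out["mis_issued"] = [e for e, _ in ca.audit()]
    for name, email, day in [("after_api_unvalidated", "mallory@example.com", 3),
                             ("after_api_validated", "alice@example.com", 3),
                             ("after_api_expired", "alice@example.com", 31)]:
        try:
            out[name] = ca.api_issue(email, t0 + timedelta(days=day))["subjectAltName"]
        except PermissionError as exc:
            out[name] = f"refused: {exc}"
    try:
        ca._sign("mallory@example.com", t0)  # bypass attempt without a token
        out["direct_sign"] = "issued"
    except TypeError:
        out["direct_sign"] = "refused"
    out["mis_issued_after"] = [e for e, _ in ca.audit()]
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

Running the script prints one line per scenario: the legacy API path issues for a mailbox nobody validated and the audit sweep flags that certificate; the checkpointed path refuses the same request, refuses a request made outside the validation's reuse window, and the signer rejects a direct call that skips the checkpoint. The token is a structural guard, not a cryptographic control: nothing in Python stops a caller from constructing a ValidationToken directly, so the value of the pattern is that every signing call site is greppable for the checkpoint and a test like run_scenarios fails the moment a new entry point bypasses it.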
Chronology
- Received a certificate problem report from a Subscriber (January 15, 2025).
- Confirmed the bug and deployed a patch within 24 hours of the report.
- Revoked the five mis-issued certificates within the same 24-hour window.
- Completed refactoring code to implement a central validation checkpoint.
- Incident report closure summary provided.
Participants
Dimitris Zacharopoulos
bwilson@mozilla.com
Similar Local Cases
HARICA: wrong characters in NC extension of Technically Constrained Intermediate CA Certificates
HARICA: Anomaly in OCSP services after CA software upgrade
HARICA: One of the two Certificate Problem Report email aliases not working
HARICA: Insufficient serial number entropy
HARICA: OCSP Responder Returned "Unauthorized" for Some Precertificates
HARICA: Incorrect OCSP Delegated Responder Certificate
HARICA: Certificates with invalid policy tree
Telia: Invalid email contact address was used for few domains