Original URL: http://www.theregister.co.uk/2003/07/17/thawte_issues_doppelganger_certs_warning/

Thawte issues doppelganger certs warning

Deduping

By John Leyden

Posted in Security, 17th July 2003 16:11 GMT

Digital certificate specialist Thawte has discovered that its systems have issued certificates with duplicate numbers over the last few months.

If one of the paired certificates is revoked, the other will also be disavowed. Which is a pain. But essential encryption and security functions are not affected.

A technical rep for the South Africa-based security firm assured us that each private key obtained for a certificate is unique regardless of the certificate's serial number. We're thankfully not looking at a repeat of the incident two years ago when Verisign mistakenly issued a pair of digital certificates to scam artists in Microsoft's name.

Nonetheless there's a problem of trust here, which Thawte acknowledges, where a potential customer might encounter problems verifying a site's credentials.

To its credit, Thawte has been proactive about notifying affected customers this afternoon by email. The issue came to light during a routine disaster recovery and internal audit operation last month.

Since then Thawte techies have been developing tools to help identify potential number conflicts, and assuring themselves that more serious problems were not afoot - which happily they weren't. Over the next two weeks Thawte will send out another email message with complete instructions for customers on the most straightforward way to obtain the free reissued certificate the company is offering.

And why were Thawte's systems issuing duplicate certificates in the first place?

Our man at Thawte said that since the firm was acquired by Verisign, two different types of signing have been applied. He suggested this was the root cause of the problem, which, he was keen to add, has since been fixed. ®

Thawte's customer notification email

Dear Customer,

Thawte's digital certificate issuance system assigns a serial number to each Thawte certificate that is issued. Recently, we discovered it was possible for the system to assign the same serial number to more than one Thawte certificate. Because we take all such matters very seriously, we immediately resolved the problem, and do not expect it to be an issue going forward.

However, we have learned that you are among the customers whose Thawte certificates contain a serial number associated with another certificate. It is important to note that your certificate's security functionality has not been compromised in any way. It still fully authenticates your specified entity and provides complete encryption. Similarly, the certificate validity status shown on the certificate itself (which can be accessed by double-clicking on the lock icon), as well as on the Thawte Site Seal, is absolutely correct and also unaffected.

There is a minor related issue that may require some action on your part. Essentially, it is possible for your certificate to be incorrectly listed as "revoked" on Thawte's Certificate Revocation List (CRL). While this does not affect the secure operation of your certificate, it nonetheless needs to be corrected so that your customers always know your certificate is valid and in good standing in every possible scenario.

Your customers are not likely to see any impact from the above-mentioned CRL scenario, since current browser versions do not automatically validate the CRL by default. However, we strongly recommend you obtain a reissued certificate to completely eliminate any possibility now and for the future, where automatic validation may occur by default in future browser versions. During the next two weeks we will be sending you an email message with complete instructions to enable you to get your free reissued certificate in the quickest and most convenient way possible.

In the meantime, if you cannot wait for our invitation to reissue your certificate, and you would like to know the status of your Thawte certificate, please go to https://www.thawte.com/cgi/server/checkDuplicateSerials.exe with your certificate order number and follow the instructions.

If you would like more information, please go to http://www.thawte.com/serial_faq.html to view our Frequently Asked Questions or you can contact us via:

* email at certreissue@thawte.com

* log a ticket on https://www.thawte.com/cgi/support/contents.exe

* chat - click on the link at http://www.thawte.com/html/SUPPORT/popups/contactsSUPPORT.html

For additional questions or concerns, you can contact us via email at pr@thawte.com.
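Both the article and Thawte's email turn on one mechanism: a CRL entry names a revoked certificate by its serial number (scoped to the issuing CA), not by its key, so two certificates sharing a serial are indistinguishable to a relying party once either is revoked. The following is an added example, not Thawte's code, that models that lookup on constructed certificate records and includes the kind of CA-side uniqueness audit the article says Thawte built; all names, serials and fingerprints are made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

@dataclass(frozen=True)
class Cert:
    issuer: str           # issuing CA name
    serial: int           # serial number assigned at issuance
    subject: str
    key_fingerprint: str  # hash of the public key; unique per certificate

CrlKey = Tuple[str, int]  # a CRL entry identifies a cert by (issuer, serial) only

# Constructed issuance log: bank.example and mail.example both received serial 1001.
ISSUED: List[Cert] = [
    Cert("CN=Example CA", 1000, "CN=shop.example", "fp:a1"),
    Cert("CN=Example CA", 1001, "CN=bank.example", "fp:b2"),
    Cert("CN=Example CA", 1001, "CN=mail.example", "fp:c3"),
    Cert("CN=Example CA", 1002, "CN=news.example", "fp:d4"),
]

def revoke(crl: Set[CrlKey], cert: Cert) -> None:
    """CA side: publish a CRL entry. The key fingerprint is not part of the entry."""
    crl.add((cert.issuer, cert.serial))

def is_revoked(crl: Set[CrlKey], cert: Cert) -> bool:
    """Relying-party side: treated as revoked if its issuer+serial is on the CRL."""
    return (cert.issuer, cert.serial) in crl

def find_duplicate_serials(issued: Iterable[Cert]) -> Dict[CrlKey, List[Cert]]:
    """CA-side audit: (issuer, serial) pairs that were assigned to more than one cert."""
    groups: Dict[CrlKey, List[Cert]] = defaultdict(list)
    for c in issued:
        groups[(c.issuer, c.serial)].append(c)
    return {k: v for k, v in groups.items() if len(v) > 1}

def collateral_revocations(issued: Iterable[Cert], actually_revoked: Set[str],
                           crl: Set[CrlKey]) -> List[str]:
    """Subjects the CRL reports as revoked although the CA never revoked them."""
    return [c.subject for c in issued
            if is_revoked(crl, c) and c.subject not in actually_revoked]

def demo() -> Dict[str, object]:
    crl: Set[CrlKey] = set()
    bank = ISSUED[1]
    revoke(crl, bank)  # only bank.example is meant to be revoked
    return {
        "duplicates": sorted(find_duplicate_serials(ISSUED)),
        "bank_revoked": is_revoked(crl, bank),
        "collateral": collateral_revocations(ISSUED, {bank.subject}, crl),
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows mail.example reported as revoked purely because it shares serial 1001 with the revoked bank.example, which is exactly the "incorrectly listed as revoked" scenario the email describes and why reissuing under a fresh serial is the fix.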

External Links

Frequently Asked Questions on Duplicate Serial Numbers, by Thawte
SSL.org - everything you've ever wanted to know about digital certificate but have been too frightened to ask
