Status

NSS
CA Certificate Mis-Issuance
RESOLVED FIXED
a year ago
10 months ago

People

(Reporter: gerv, Assigned: Kathleen Wilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ca-incident-response] )

Attachments

(6 attachments)

Last month GoDaddy filed an incident report concerning a problem with their domain validation system.

Here is our proposed remediation plan for GoDaddy, which has been agreed by them in m.d.s.policy.

1) As with all CAs, update all their domain validation code to use, in each case, at least one of the 10 approved methods from CAB Forum ballot 169;

2) Implement comprehensive automated testing for their domain validation
code for all issuance systems;

3) Make sure those tests automatically run when any change is made to
the code, before deployment, such that deployment is gated on a pass;

4) Get a statement from their auditors that these tests have been
created and positioned correctly in the deployment workflow.

All steps to be completed within 3 months. GoDaddy are requested to make progress updates here in this bug.

Gerv
(Assignee)

Updated

a year ago
Component: CA Certificates → CA Certificate Mis-Issuance
Whiteboard: [ca-incident-response]
Summary: GoDaddy Action Items → GoDaddy: Action Items

Updated

a year ago
Product: mozilla.org → NSS

Comment 1

11 months ago
This bug was posted almost six months ago; has GoDaddy supplied updates elsewhere?
Yes, GoDaddy completed all of these actions within 3 months of the request and communicated that information directly to Mozilla. We ran into an issue with the type of audit known as "Agreed Upon Procedures" (AUP) that was conducted to verify our implementation of the automated tests. The AUP audit statement would have fulfilled the requested action item but was required by our auditors to be under NDA between the parties (Mozilla, GoDaddy, and our auditors). After some discussion, Mozilla rejected this type of report since it runs counter to their principles of transparency. Instead, to meet the requirements of the remediation plan, we agreed to publish a description of our automated domain validation testing procedures, and then have our auditors include an assertion that the procedures are indeed in place in our annual audit statement. The procedures are published here: https://certs.godaddy.com/repository/certificate_practices/en/AutomatedDomainValidationTestingProcedures.pdf We are now awaiting our annual audit statements for the period ending June 30 to complete the process.
Created attachment 8905170 [details]
BR Audit Statement July 16 - Mar 17
Created attachment 8905173 [details]
BR Audit Statement April 17 - June 17
Created attachment 8905174 [details]
WebTrust Audit Statement July 16 - Mar 17
Created attachment 8905176 [details]
WebTrust Audit Statement April 17 - June 17
Created attachment 8905177 [details]
EV Audit Statement July 16 - Mar 17
Created attachment 8905178 [details]
EV Audit Statement April 17 - June 17
I have attached WebTrust CA, BR, and EV audits covering the audit period in which this incident occurred (July 2016 through March 2017) and the following period (April 2017 - June 2017). The latter set of reports include the Automated Domain Validation Testing Procedures (linked in my last comment) in the scope of the auditor's report, meaning that the procedures were tested and found to be functioning as described.

I believe this completes GoDaddy's action items related to this incident and this bug can now be closed.
(In reply to Wayne Thayer from comment #9)
> The latter set of reports include
> the Automated Domain Validation Testing Procedures (linked in my last
> comment) in the scope of the auditor's report, meaning that the procedures
> were tested and found to be functioning as described.

Is there anything in the text of those reports which can confirm this?

Gerv
QA Contact: gerv
(In reply to Gervase Markham [:gerv] from comment #10)
> (In reply to Wayne Thayer from comment #9)
> > The latter set of reports include
> > the Automated Domain Validation Testing Procedures (linked in my last
> > comment) in the scope of the auditor's report, meaning that the procedures
> > were tested and found to be functioning as described.
> 
> Is there anything in the text of those reports which can confirm this?
> 
As it was explained to me, the following statement contained in those reports means that our auditors confirmed that these tests are in place and working as described:

"Starfield has disclosed its business, key lifecycle management, certificate lifecycle management, and CA environmental control practices in its: ... Automated Domain Validation Testing Procedures"

The interpretation of the statement is that the auditor has confirmed that what we disclosed in the automated domain validation testing procedures document is what we are actually doing. It was further explained to me that our auditors have very little flexibility in the format of their opinion letter, so they couldn't make the statement clearer.
OK, thanks, Wayne.

Gerv
Status: NEW → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → FIXED

Comment 13

10 months ago
Gerv: Just for redundancy, I did bring up this general approach as part of discussions had with auditors, and agree with Wayne's assessment. The path used here was an excellent way to achieve the goals stated, as there are significant challenges to achieving it in different ways while having it be a public report.