Closed Bug 1368171 Opened 3 years ago Closed 2 years ago

Firmaprofesional: Non-audited, non-technically-constrained intermediate certs

Category: NSS :: CA Certificate Compliance (task)
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: kwilson, Assigned: oconesa
Whiteboard: [ca-compliance]

The following intermediate certificates are not audited and are not technically constrained (via EKU and domain constraints) even though they chain up to a root certificate in Mozilla's root store.

1) https://crt.sh/?id=26311938
commonName: Santander Digital Signature
SHA-256 Fingerprint: CB:C6:89:C8:7A:63:FA:73:23:A7:60:7C:C7:C4:57:B3:B4:50:57:2B:EF:A4:74:70:B6:1C:35:BF:07:9B:60:0B

2) https://crt.sh/?id=50901514
commonName: SEU Autoridad de Certificacion
SHA-256 Fingerprint: B8:9F:58:10:BB:6B:8F:A1:38:DE:C3:58:15:9A:C0:13:63:88:3F:0B:98:70:AE:A5:19:22:A7:EA:0E:C6:DD:13
Whiteboard: [ca-compliance]
Assignee: kwilson → oconesa
1) https://crt.sh/?id=26311938
commonName: Santander Digital Signature
SHA-256 Fingerprint: CB:C6:89:C8:7A:63:FA:73:23:A7:60:7C:C7:C4:57:B3:B4:50:57:2B:EF:A4:74:70:B6:1C:35:BF:07:9B:60:0B

This CA has been audited against the eIDAS Regulation, which involves, among others, the following ETSI European Norms:
* ETSI EN 319 401 v2.1.1
* ETSI EN 319 411-1 v 1.1.1
* ETSI EN 319 411-2 v 2.1.1

2) https://crt.sh/?id=50901514
commonName: SEU Autoridad de Certificacion
SHA-256 Fingerprint: B8:9F:58:10:BB:6B:8F:A1:38:DE:C3:58:15:9A:C0:13:63:88:3F:0B:98:70:AE:A5:19:22:A7:EA:0E:C6:DD:13

This CA has been revoked due to cessation of operation. This fact has already been updated in the CCADB.
See ARL at: http://crl.firmaprofesional.com/fproot.crl
(In reply to chemalogo from comment #1)
> 1) https://crt.sh/?id=26311938
> commonName: Santander Digital Signature
> SHA-256 Fingerprint:
> CB:C6:89:C8:7A:63:FA:73:23:A7:60:7C:C7:C4:57:B3:B4:50:57:2B:EF:A4:74:70:B6:
> 1C:35:BF:07:9B:60:0B
> 
> This CA has been audited against eIDAs REGULATION, that involves, among
> others, the following ETSI European Norms:
> * ETSI EN 319 401 v2.1.1
> * ETSI EN 319 411-1 v 1.1.1
> * ETSI EN 319 411-2 v 2.1.1

Then please update the corresponding record in the CCADB to fill in the audit information section, as described here:
http://ccadb.org/cas/fields
> 
> 2) https://crt.sh/?id=50901514
> commonName: SEU Autoridad de Certificacion
> SHA-256 Fingerprint:
> B8:9F:58:10:BB:6B:8F:A1:38:DE:C3:58:15:9A:C0:13:63:88:3F:0B:98:70:AE:A5:19:
> 22:A7:EA:0E:C6:DD:13
> 
> This CA has been revoked due to cessation of operation. This fact has been
> already updated at the CCADB.
> See ARL at: http://crl.firmaprofesional.com/fproot.crl

Indeed. It will be added to OneCRL soon.
(In reply to Kathleen Wilson from comment #2)
> (In reply to chemalogo from comment #1)
> > 1) https://crt.sh/?id=26311938
> > commonName: Santander Digital Signature
> > SHA-256 Fingerprint:
> > CB:C6:89:C8:7A:63:FA:73:23:A7:60:7C:C7:C4:57:B3:B4:50:57:2B:EF:A4:74:70:B6:
> > 1C:35:BF:07:9B:60:0B
> > 
> > This CA has been audited against eIDAs REGULATION, that involves, among
> > others, the following ETSI European Norms:
> > * ETSI EN 319 401 v2.1.1
> > * ETSI EN 319 411-1 v 1.1.1
> > * ETSI EN 319 411-2 v 2.1.1
> 
> Then please update the corresponding record in the CCADB to fill in the
> audit information section, as described here:
> http://ccadb.org/cas/fields
Chema, any update on this?
Kathleen: It's been 10 weeks with no response from the CA on the bug. However, in Bug 1394595 it appears you received an out-of-band communication from the CA. Can you share when this was received, in the spirit of transparency?

Has there been any further investigation into why Firmaprofesional failed to meet the disclosure requirement, to this date? Despite Comment #1, it's been 70 days since Comment #2, and there have been no further details to ensure that the certificate was compliant. Further, the Issuing CA has not revoked this Subordinate - does Mozilla view that as an appropriate response of the CA?

I would like to suggest (for a separate discussion) that any certificate that Mozilla needs to address via OneCRL, but for which the CA has not also revoked, represents a serious and egregious problem to the ecosystem.
Flags: needinfo?(kwilson)
(In reply to Kathleen Wilson from comment #2)
> Then please update the corresponding record in the CCADB to fill in the
> audit information section, as described here:
> http://ccadb.org/cas/fields

I can confirm that this has NOT been done for the certificate "Santander Digital Signature":
https://ccadb.my.salesforce.com/001o000000xOl1s
(That URL may not work for all CCADB users.)
https://crt.sh/?id=26311938
However, given that the cert is now in OneCRL, perhaps the CA does not feel there is any need.

(In reply to Ryan Sleevi from comment #4)
> Kathleen: It's been 10 weeks with no response from the CA on the bug.
> However, in Bug 1394595 it appears you received an out-of-band communication
> from the CA. Can you share when this was received, in the spirit of
> transparency?
> 
> Has there been any further investigation into why Firmaprofessional failed
> to meet the disclosure requirement, to this date? 

The cert was disclosed in the CCADB on 8th November 2016.

> I would like to suggest (for a separate discussion) that any certificate
> that Mozilla needs to address via OneCRL, but for which the CA has not also
> revoked, represents a serious and egregious problem to the ecosystem.

I believe Kathleen is using OneCRL to deal with certs where the CA has asserted they are not issuing SSL from that subordinate, but there is no technical constraint.

Gerv
(In reply to Gervase Markham [:gerv] from comment #5)
> (In reply to Ryan Sleevi from comment #4)
> > Kathleen: It's been 10 weeks with no response from the CA on the bug.
> > However, in Bug 1394595 it appears you received an out-of-band communication
> > from the CA. Can you share when this was received, in the spirit of
> > transparency?
> > 
> > Has there been any further investigation into why Firmaprofessional failed
> > to meet the disclosure requirement, to this date? 
> 
> The cert was disclosed in the CCADB on 8th November 2016.

Gerv: I'm unclear; are you suggesting that disclosure in CCADB (without disclosing the audit details) meets the disclosure requirement?

I was trying to highlight that 70 days ago represents the request for feedback on the audits - and that it has been audited against 411-1 - with the remark 23 days ago from Kathleen that the CA requested revocation.

> > I would like to suggest (for a separate discussion) that any certificate
> > that Mozilla needs to address via OneCRL, but for which the CA has not also
> > revoked, represents a serious and egregious problem to the ecosystem.
> 
> I believe Kathleen is using OneCRL to deal with certs where the CA has
> asserted they are not issuing SSL from that subordinate, but there is no
> technical constraint.

Yes, that historically reflects the case of proactive disclosure. However, we have a statement from the CA in Comment #1 indicating audits and adherence, while in Bug 1394595 indicating it's not being used for any of the PTC. The disclosure of the audit details, minimally, helps the community determine the consistency of these two statements. There's insufficient (public) information to determine whether the OneCRL was imposed, hence the Needs-Info :)
One thing at a time.

"Santander Digital Signature" is already, or should be, in the OneCRL.

This particular intermediate cert is already being added to OneCRL via 
https://bugzilla.mozilla.org/show_bug.cgi?id=1394595

Yes, we thought that, once the CA is in OneCRL, we did not need to provide this audit. And yes, this CA is not issuing any SSL nor EV certificates. There is a SHA2 certificate of this CA that is technically constrained.

Anyway, as said before, this CA has been audited against the eIDAS Regulation, which involves, among others, the following ETSI European Norms:
* ETSI EN 319 401 v2.1.1
* ETSI EN 319 411-1 v 1.1.1
* ETSI EN 319 411-2 v 2.1.1

We already have (from June) a POSITIVE CAR (Conformity Assessment Report), but it is confidential. The CAB (Conformity Assessment Body) is AENOR, who is new to auditing against these ETSI standards. They are defining the "format" of the public report/seal. We already have a DRAFT, which is, unfortunately, confidential too, but we expect to have that public seal during September.
(In reply to chemalogo from comment #7)
> One thing at a time.
> 
> "Santander Digital Signature" is already, or should be, in the OneCRL.
> 
> This particular intermediate cert is already being added to OneCRL via 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1394595

Correct.

> 
> Yes, we thought that, once the CA is in OneCRL, we did not need to provide
> this audit. And yes, this CA is not issuing any SSL nor EV certificates.
> There is a SHA2 certificate of this CA that is technically constrained.


We do not require BR or EV audits for intermediate certs that have been added to OneCRL.

Since this cert chains up to a root that has the Email trust bit enabled, a standard audit will be required as per the new rules that Gerv added to Mozilla's root store policy requiring publicly disclosed audits for intermediate certs that are not name constrained and are technically capable of issuing S/MIME certs.


> 
> but we expect to have that public seal during September.

That seems fine to me, and is before the deadline:
https://wiki.mozilla.org/CA/Root_Store_Policy_Archive#2.5
"Technical constraints for email intermediates, which is (erratum) November 15, 2017 for existing non-qualifying intermediates to cease issuing, and April 15 2018 for them to be revoked or audited "
Flags: needinfo?(kwilson)
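The policy test that the description and comment #8 turn on (is an intermediate technically constrained via EKU or name constraints, and can it still issue TLS or S/MIME?) as an added example using the `cryptography` library; this is not Mozilla's, the CCADB's or Firmaprofesional's code. `constraint_report`, `make_intermediate` and the `EKU` name table are assumptions of this example, and the certificates it builds are constructed self-signed samples, not the certs in this bug.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

EKU = {  # friendly names -> OIDs, used by the classifier and the sample builder
    "serverAuth": ExtendedKeyUsageOID.SERVER_AUTH,
    "clientAuth": ExtendedKeyUsageOID.CLIENT_AUTH,
    "emailProtection": ExtendedKeyUsageOID.EMAIL_PROTECTION,
    "anyExtendedKeyUsage": ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE,
}

def constraint_report(cert):
    """Report which purposes a CA cert can issue for and whether it carries
    name constraints. A missing EKU extension means 'any purpose'."""
    try:
        ekus = set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound: ekus = None
    try:
        nc = cert.extensions.get_extension_for_class(x509.NameConstraints).value
        name_constrained = bool(nc.permitted_subtrees or nc.excluded_subtrees)
    except x509.ExtensionNotFound: name_constrained = False
    def allows(purpose):
        return ekus is None or purpose in ekus or EKU["anyExtendedKeyUsage"] in ekus
    tls, smime = allows(EKU["serverAuth"]), allows(EKU["emailProtection"])
    return {
        "can_issue_tls": tls,
        "can_issue_smime": smime,
        "name_constrained": name_constrained,
        # Simplified policy test: TLS- or S/MIME-capable and not name-constrained
        # means the cert must be disclosed and audited, or revoked (e.g. via OneCRL).
        "needs_audit_or_revocation": (tls or smime) and not name_constrained,
    }

def make_intermediate(ekus=None, permitted_emails=None):
    """Build a constructed self-signed CA cert with the requested extensions."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Intermediate")])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True))
    if ekus is not None:
        b = b.add_extension(x509.ExtendedKeyUsage([EKU[e] for e in ekus]), critical=False)
    if permitted_emails:  # rfc822Name constraints, the S/MIME analogue of dNSName constraints
        b = b.add_extension(x509.NameConstraints(
            [x509.RFC822Name(d) for d in permitted_emails], None), critical=True)
    return b.sign(key, hashes.SHA256())
```

Running `constraint_report` over a real intermediate parsed with `x509.load_pem_x509_certificate` gives the same report; an intermediate with no EKU at all is flagged as capable of both TLS and S/MIME, which is the case the bug describes.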
(In reply to Ryan Sleevi from comment #6)
> Gerv: I'm unclear; are you suggesting that disclosure in CCADB (without
> disclosing the audit details) meets the disclosure requirement?

Sorry that wasn't clear. I was just noting the disclosure date; I was not making a comment.

Gerv
It sounds like this can be closed Resolved/Fixed? I would prefer someone from Mozilla to confirm the OneCRL status of both.
(In reply to Ryan Sleevi from comment #10)
> It sounds like this can be closed Resolved/Fixed? I would prefer someone
> from Mozilla to confirm the OneCRL status of both.

Confirmed - both have been added to OneCRL. Thanks!
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED