Closed Bug 1420871 Opened 7 years ago Closed 6 years ago

Camerfirma: Potential Mis-Issuance based on CAA records

Categories

(CA Program :: CA Certificate Compliance, task)


RESOLVED FIXED

People

(Reporter: quirin, Assigned: ramirom)

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

As per Gerv's request, I am filing individual bugs for [1] -- please refer to [1] for the full background.

In this case, Camerfirma appears to not have checked CAA records, as per our historic data it was not permitted to issue.

Private discussion raised the question of whether this had to do with precertificates.
My interpretation is that the creation and logging of a precertificate requires a CAA check at that time. The "conversion" into the final certificate by including the SCTs does not require *new* CAA checks. However, SCTs and "not valid before" date suggest that the times of precertificate creation and final certificate creation were practically the same. Summing up, the CAA check was required for the pre-certificate, which was created in the same minute as the final certificate.

To proceed with this as a community, I guess answers to the following questions from the affected CAs [1] would be of interest:
        a) Was CAA checking bypassed for this issuance? If so, why?
        b) If CAA lookups were conducted, what response did you receive? Why did it permit issuance? 



======= Certificate 16 - Group 4  =======
https://crt.sh/?id=257856701
        X509v3 Subject Alternative Name:
                ...
                DNS:am-hosting.de
                DNS:www.am-hosting.de
                DNS:*.am-hosting.de
                …
        Issuer: AC CAMERFIRMA
DNS history (Issued: Nov 16 14:28 GMT)
2017-11-12:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
2017-11-13:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
2017-11-14:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
2017-11-15:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
2017-11-16:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
2017-11-17:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
2017-11-18:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"

Zoomed (UTC timestamps)
2017-11-15-18:00:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
2017-11-15-22:00:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
2017-11-15-02:00:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
2017-11-16-06:00:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
2017-11-16-10:00:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
2017-11-16-14:00:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
        Issued: Nov 16 14:28 GMT
2017-11-16-18:00:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
2017-11-16-22:00:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
2017-11-17-02:00:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
2017-11-17-06:00:am-hosting.de.      43200   IN      CAA     0 issue "letsencrypt.org"
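
Added example (not part of the bug report and not any CA's own code): a minimal RFC 8659 evaluation of the CAA record set quoted above against the three SANs of the certificate, including the climb from www.am-hosting.de to its parent and the issuewild rule for the wildcard name. The issuer domain `camerfirma.com` and the `ZONE` dictionary standing in for live DNS are assumptions made for the illustration.

```python
import re

# Constructed offline stand-in for DNS; the RRset is the one quoted in the report.
ZONE = {"am-hosting.de": ['0 issue "letsencrypt.org"']}

def parse_caa(rdata):
    """Split CAA RDATA 'flags tag "value"' into (flags, tag, value)."""
    m = re.fullmatch(r'(\d+)\s+([A-Za-z0-9]+)\s+"?([^"]*)"?', rdata.strip())
    if not m:
        raise ValueError(f"bad CAA RDATA: {rdata!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3).strip()

def relevant_rrset(fqdn, zone):
    """Climb from fqdn towards the root; the first non-empty CAA RRset wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, [parse_caa(r) for r in zone[name]]
    return None, []

def may_issue(san, ca_domain, zone):
    """Return (allowed, reason) for one dNSName SAN and one CA issuer domain."""
    wildcard = san.startswith("*.")
    found_at, rrset = relevant_rrset(san[2:] if wildcard else san, zone)
    if not rrset:
        return True, "no CAA records: any CA may issue"
    known = {"issue", "issuewild", "iodef"}
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag not in known:
            return False, f"unknown critical property {tag!r} at {found_at}"
    issue = [v for _, t, v in rrset if t == "issue"]
    wild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild, when present, replaces issue for wildcard names only.
    props, tag = (wild, "issuewild") if wildcard and wild else (issue, "issue")
    if not props:
        return True, f"no {tag} restriction at {found_at}"
    # Issuer domain is the part before any ';' parameters; empty means "no CA".
    allowed = {v.split(";", 1)[0].strip().lower() for v in props}
    if ca_domain.lower() in allowed:
        return True, f"{tag} at {found_at} names {ca_domain}"
    return False, f"{tag} at {found_at} permits only {sorted(allowed)}"

def check_certificate(sans, ca_domain, zone=ZONE):
    """Issuance is permitted only if every SAN passes."""
    return {san: may_issue(san, ca_domain, zone) for san in sans}

if __name__ == "__main__":
    sans = ["am-hosting.de", "www.am-hosting.de", "*.am-hosting.de"]
    for san, (ok, why) in check_certificate(sans, "camerfirma.com").items():
        print(f"{san:22} {'ALLOW' if ok else 'DENY '} {why}")
```
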
Over to Camerfirma rep.

Gerv
Assignee: kwilson → ramirom
Whiteboard: [ca-compliance]
Hi Gerv and Quirin.

As Quirin said, we have had private discussion about this issue.
Camerfirma bypassed CAA checking for the issuance of the affected certificate based on the sentence in the BR:

"CAA checking is optional for certificates for which a Certificate Transparency pre‐certificate was created and logged in at least two public logs, and for which CAA was checked"

Obviously this is a Camerfirma misunderstanding of the sentence. In our humble opinion it is a misleading sentence that should be clarified.

Actions:

The affected certificate was already revoked on 28/Nov/2017. Now it does not appear on https://misissued.com/batch/32/
CAA check control has already been activated in all our RAs.

Best Regards
Ramiro
Hi Ramiro,

(In reply to Ramiro Muñoz Muñoz from comment #3)
> Obviously this is a Camerfirma misunderstanding of the sentence. In our humble
> opinion it is a misleading sentence that should be clarified.

I'm afraid I don't understand how the sentence is misleading, or what CAA checking Camerfirma actually did in this case and at what time. Can you clarify, perhaps with a timeline of events?

Gerv
Hi Gerv, just as a note, I think Camerfirma's interpretation might have been that CT logging absolves the need to check CAA.
> "CAA checking is optional for certificates for which a Certificate Transparency pre‐certificate was created and logged in at least two public logs, and for which CAA was checked"
Without the last "..., and for which CAA was checked", the sentence above would say that.

It would indeed, but the sentence does have the last clause, and if they indeed interpreted it as "CAA is optional if a cert is CT logged", I would like to know what they thought the last six words actually meant.

Gerv
Hi Gerv, you are completely right.

The word "optional" takes us to confusion, as Quirin points out.
It would be more appropriate to say that CAA checking is "mandatory" either before the precertificate or the certificate issue. At least for hurried readers like me. We thought that CT, in some way, already does that checking. Sorry again for that.

Regards
Ramiro
Closing this out as the certificate has been revoked and no further actions are pending.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]