Closed Bug 1442091 Opened 2 years ago Closed 2 years ago

Unrevocation of BT Class 2 CA - G2 CA Certificate

Categories: NSS :: CA Certificate Compliance (task)

Tracking: Not tracked

RESOLVED FIXED

People: Reporter: ben.wilson, Assigned: ben.wilson

Whiteboard: [ca-compliance]

Dear Mozilla Community,

As part of our efforts to meet the April 15 requirements imposed by the Mozilla Root Store Policy v.2.5, DigiCert has been reviewing CAs that only issue S/MIME and clientAuth certificates. To that effort, we have been contacting our PKI partners to determine whether any CAs are no longer active and can be revoked. As part of this process, we were informed by British Telecom that the BT Class 2 CA - G2 (Cert. Serial No. 0bdf8169f3686b1c5e8496ba30110e05) could be revoked. The VeriSign Class 2 Public PCA - G3 is a root CA that does not have the serverAuth bit enabled by Mozilla. It is the issuer of CA certificate BT Class 2 CA - G2, and on 6-February-2018 it issued CRL Number 00b0, including the above serial number for the BT Class 2 CA - G2.

On 8-February-2018 we were notified that the public tender service of Portugal was not working because a large majority of the certificates used to create digital signatures on contracting documents were chained to the revoked BT Class 2 CA - G2 certificate, i.e. that CA supported EU-qualified certificates used for the digital signing of offers submitted to the Portuguese government.

In an early attempt to resolve the issue on February 8, we re-signed the particular EU-Qualified issuing CA with the BT Class 2 CA - G3, a still-valid, unrevoked intermediate CA certificate. However, that effort failed, and the possibilities of re-signing the BT Class 2 CA - G2 or re-signing another EU Qualified CA with another unrevoked CA were rejected, because (1) there were approximately 10,000 affected end-entity certificates issued on smart cards, and all smart cards would have needed to be recalled and reissued to install a new certificate chain; and (2) in order to use a newly recertified CA, that CA would have needed to be submitted and approved as trusted by the Portuguese government. Either of these approaches alone was expected to take at least a month to accomplish. Another option of educating end users on how to replace CA chains on their systems and cards was rejected over concern about the ability of these users to accomplish the task, with costly and substantial training efforts, also estimated to take several weeks, and still with the risk that such efforts would fail.

On 9-February, the DigiCert Policy Authority was consulted and briefed on the factors above, and the costs, time, and burdens on end users were considered. Standards, such as RFC 5280, were also considered. DigiCert contacted representatives of several browsers, including Mozilla, about its decision to roll back the revocation. Given that the revocation had taken place just three days prior and had resulted in significant burden to a large subscriber population, the DigiCert Policy Authority decided to remediate the revocation and publish a new CRL, number 00b1 (see http://crl.verisign.com/pca2-g3.crl), omitting the serial number for the previously revoked BT Class 2 CA - G2 certificate.

As a result of this incident, DigiCert will be implementing additional steps, including working with cross-certified CAs and affected customers, to exercise greater scrutiny in our CA certificate revocation request and approval processes.

Sincerely yours,

Ben Wilson
on behalf of the DigiCert Policy Authority
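The event described in the report, a serial listed on CRL 00b0 and absent from the successor CRL 00b1, is exactly what a relying party or root-program compliance monitor can detect by diffing consecutive CRLs: RFC 5280 section 3.3 requires a revoked serial to remain on the CRL until the certificate has expired, with certificateHold the only reason that may be released earlier. The following is an added example of such a check and is not code from DigiCert, BT, or Mozilla. It reads the text form printed by `openssl crl -text -noout`; the two sample CRLs, the issuer name, the revocation reason, and the dates are constructed for the example (the CRL numbers 176 and 177 are the decimal form of 00b0 and 00b1).

```python
"""Added example: flag a serial that vanishes between two successive CRLs.

RFC 5280 section 3.3: an entry stays on the CRL until the certificate has
expired; only certificateHold entries may be released earlier. A serial on
CRL N but missing from CRL N+1 without that reason is an "un-revocation".
Input is `openssl crl -text -noout` output; the samples below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class CrlSnapshot:
    number: int            # CRL Number extension
    this_update: datetime  # "Last Update" field
    entries: dict          # serial (lowercase hex) -> reason text or None


_DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def _parse_date(text: str) -> datetime:
    # openssl pads single-digit days with two spaces ("Feb  6"); collapse them
    return datetime.strptime(re.sub(r"\s+", " ", text.strip()), _DATE_FMT).replace(tzinfo=timezone.utc)


def _value_after(lines: list, i: int) -> tuple:
    """Extension value at lines[i]: same line if present, else the next line.
    Returns (value, extra lines consumed)."""
    rest = lines[i].split(":", 1)[1].strip()
    return (rest, 0) if rest else (lines[i + 1].strip(), 1)


def parse_openssl_crl_text(text: str) -> CrlSnapshot:
    lines = text.splitlines()
    number = this_update = None
    entries, current, i = {}, None, 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("Last Update:"):
            this_update = _parse_date(line.split(":", 1)[1])
        elif line.startswith("X509v3 CRL Number:"):
            value, used = _value_after(lines, i)
            number, i = int(value), i + used
        elif line.startswith("Serial Number:"):          # one revoked entry
            current = line.split(":", 1)[1].strip().lower()
            entries[current] = None
        elif line.startswith("X509v3 CRL Reason Code:") and current is not None:
            value, used = _value_after(lines, i)
            entries[current], i = value, i + used
        i += 1
    if number is None or this_update is None:
        raise ValueError("CRL text lacks CRL Number or Last Update")
    return CrlSnapshot(number, this_update, entries)


def find_unrevoked(old: CrlSnapshot, new: CrlSnapshot, expired: frozenset = frozenset()) -> list:
    """Serials dropped from `new` that RFC 5280 says should still be listed.
    `expired` holds serials whose certificates are known to be past notAfter
    (taken from the certificates themselves); dropping those is legitimate."""
    if new.number <= old.number or new.this_update < old.this_update:
        raise ValueError("CRLs are not in issuance order")
    return sorted(serial for serial, reason in old.entries.items()
                  if serial not in new.entries
                  and reason != "Certificate Hold"
                  and serial not in expired)


# Constructed sample output (not the real CRLs): number 176 (0xb0) lists the
# intermediate's serial, the successor 177 (0xb1) omits it.
CRL_B0 = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Example, CN = Example Class 2 Public PCA - G3
        Last Update: Feb  6 00:00:00 2018 GMT
        Next Update: Feb 13 00:00:00 2018 GMT
        CRL extensions:
            X509v3 CRL Number: 
                176
Revoked Certificates:
    Serial Number: 0BDF8169F3686B1C5E8496BA30110E05
        Revocation Date: Feb  6 00:00:00 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Cessation Of Operation
"""

CRL_B1 = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: O = Example, CN = Example Class 2 Public PCA - G3
        Last Update: Feb  9 00:00:00 2018 GMT
        Next Update: Feb 16 00:00:00 2018 GMT
        CRL extensions:
            X509v3 CRL Number: 
                177
No Revoked Certificates.
"""


def alerts_for_sample() -> list:
    return find_unrevoked(parse_openssl_crl_text(CRL_B0), parse_openssl_crl_text(CRL_B1))


if __name__ == "__main__":
    for serial in alerts_for_sample():
        print(f"ALERT: serial {serial} removed from CRL without certificateHold or expiry")
```

A monitor built on this would fetch the CRL on each Next Update, keep the previous snapshot, and page on any non-empty result; the `expired` set is the one piece of state the CRL itself cannot supply, so it has to come from the issued certificates (for example a CT or CCADB export of the CA's intermediates).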
Assignee: kwilson → wthayer
Component: CA Certificate Root Program → CA Certificate Mis-Issuance
QA Contact: kwilson
Whiteboard: [ca-compliance]

Ben: is there any more specific information that you can share regarding the additional steps that will be taken to prevent this in the future, and the timeline for enacting these?

Flags: needinfo?(ben.wilson)
Assignee: wthayer → ben.wilson

DigiCert's CA Revocation Procedure document has already been updated and implemented. It now provides "3. If applicable, obtain express written consent from the customer for each CA certificate to be revoked. Stress that revocation is final." It further provides, "10. Reconfirm, with the customer, as an additional step, that revocation of the specified CA certificate is the intended action."

My question has been answered. Marking this resolved.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Flags: needinfo?(ben.wilson)