Bug 1455150 (Closed): DigiCert: Missing audits for Intermediate certificates

Category: NSS :: CA Certificate Compliance (task)
Status: RESOLVED FIXED
Reporter: wayne; Assigned: ben.wilson
Whiteboard: [ca-compliance]
Attachments: 3 files

The November 2017 Mozilla CA Communication included the following statement:

By April 15, 2018, all intermediate certificates (that chain up to root certificates included in Mozilla's program) that are capable of issuing S/MIME certificates but are not name constrained must be either audited and disclosed in the Common CA Database, or be revoked.

DigiCert has failed to disclose audit information for the following intermediate CA certificates in CCADB as required by section 5.3 of the Mozilla root store policy:

https://crt.sh/?sha256=e54131f139fc23c29c9bd3222e1ae71156194cadd281722dde6130397978e861&opt=mozilladisclosure

https://crt.sh/?sha256=88f3f465935d97e6cc22133a689ec6072637967102ec3f8fa96aebda5afae674&opt=mozilladisclosure

https://crt.sh/?sha256=d0abc9a8f60ad2fc60f6e2aa99160f911b9e37eca178771948b630cff0f5e234&opt=mozilladisclosure

https://crt.sh/?sha256=2804c62478b375827b653981c6d2773e4f3aceeacfc6af9f9a538a131ca3663d&opt=mozilladisclosure

https://crt.sh/?sha256=3b703f0853df25cf8e4c2399dfceac4979ad882c5232c2d581b2f321e32976be&opt=mozilladisclosure

https://crt.sh/?sha256=8962a8b18287071f8e9581832dbd2a1b9c5f4561039981ac64a15fc74680bbac&opt=mozilladisclosure

https://crt.sh/?sha256=1dc2da46ade3c1e7ebbe42e02f2e1a8e3bf7b1a3a63abf198fd41768463e429c&opt=mozilladisclosure

https://crt.sh/?sha256=1fb0db0ada2e163eee4b4cd99635f2a5e4ba861db7cd63658cf7f3dc520a94b4&opt=mozilladisclosure

Please either add the required audit information to CCADB, or revoke the certificate if it has not been audited. Also please provide an incident report, as described here:
https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
The incident report should be posted to the mozilla.dev.security.policy forum and added to this bug.
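The April 2018 requirement quoted above turns on two properties of an intermediate certificate: whether it is capable of issuing S/MIME certificates and whether it is name constrained. The following Go program is an added example, not part of this bug or of DigiCert's tooling, that classifies a parsed certificate on those two properties using only the standard library. Its reading of "capable of issuing S/MIME" (EKU extension absent, or EKU includes emailProtection or anyExtendedKeyUsage) and of "name constrained" (at least one permitted rfc822Name subtree) is this example's interpretation of section 5.3 of the Mozilla Root Store Policy, and the fixture CAs it generates are constructed here. Whether an in-scope CA has actually been audited and disclosed is not a certificate property and still has to be checked in CCADB.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict records the certificate properties the April 2018 requirement turns on.
// Audit and disclosure status are not certificate properties; they must be
// looked up in CCADB separately.
type Verdict struct {
	IsCA                   bool // basicConstraints cA=TRUE
	CanIssueSMIME          bool // EKU absent, or EKU lists emailProtection or anyExtendedKeyUsage
	EmailNameConstrained   bool // nameConstraints permits at least one rfc822Name subtree
	NeedsAuditOrRevocation bool // CA, S/MIME-capable, and not constrained for email
}

// ClassifyIntermediate applies this example's reading of Mozilla Root Store
// Policy section 5.3 (an assumption, not the bug's text): a CA is S/MIME-capable
// unless an EKU extension excludes emailProtection, and is name constrained for
// S/MIME only if nameConstraints permits specific rfc822Name subtrees. Constraints
// on dNSName alone do not limit S/MIME issuance.
func ClassifyIntermediate(c *x509.Certificate) Verdict {
	v := Verdict{IsCA: c.BasicConstraintsValid && c.IsCA}
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		v.CanIssueSMIME = true // no EKU extension at all: every purpose is allowed
	}
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageEmailProtection || eku == x509.ExtKeyUsageAny {
			v.CanIssueSMIME = true
		}
	}
	v.EmailNameConstrained = len(c.PermittedEmailAddresses) > 0
	v.NeedsAuditOrRevocation = v.IsCA && v.CanIssueSMIME && !v.EmailNameConstrained
	return v
}

// makeTestCA builds a self-signed CA certificate with the given EKUs and name
// constraints. It is a constructed fixture for this example, not one of the
// DigiCert-chained CAs listed in the bug.
func makeTestCA(cn string, ekus []x509.ExtKeyUsage, permittedEmail, permittedDNS []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: cn},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:                 ekus,
		PermittedEmailAddresses:     permittedEmail,
		PermittedDNSDomains:         permittedDNS,
		PermittedDNSDomainsCritical: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Round-trip through DER so the classifier sees exactly what a relying party parses.
	return x509.ParseCertificate(der)
}

func main() {
	fixtures := []struct {
		name  string
		ekus  []x509.ExtKeyUsage
		email []string
		dns   []string
	}{
		{"smime-unconstrained", []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, nil, nil},
		{"no-eku-dns-only", nil, nil, []string{"example.com"}},
		{"smime-email-constrained", []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, []string{"example.com"}, nil},
		{"tls-only", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, nil, nil},
	}
	for _, f := range fixtures {
		c, err := makeTestCA(f.name, f.ekus, f.email, f.dns)
		if err != nil {
			fmt.Println(f.name, "error:", err)
			continue
		}
		v := ClassifyIntermediate(c)
		fmt.Printf("%-24s smime=%-5v emailConstrained=%-5v needsAuditOrRevocation=%v\n",
			f.name, v.CanIssueSMIME, v.EmailNameConstrained, v.NeedsAuditOrRevocation)
	}
}
```

To run this over a real intermediate, replace the fixture with `x509.ParseCertificate` on the DER downloaded from the crt.sh link for that certificate; the `no-eku-dns-only` fixture shows why a CA constrained only on dNSName still falls inside the requirement.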

Trust Italia is in the process of obtaining an ETSI 319-411 audit.
The Bechtel CA will be revoked on or before May 1, 2018.

Microsoft has indicated that the two SMIME CAs are being replaced by a technically constrained / name-constrained CA that was created a few months ago.

What is Mozilla Policy on CAs that are not issuing but just exist to sign CRLs / OCSP responses?  What if technically constrained / name-constrained CAs exist that are replacing unconstrained ones?

(In reply to Ben Wilson from comment #2)
> What is Mozilla Policy on CAs that are not issuing but just exist to sign
> CRLs / OCSP responses?  What if technically constrained / name-constrained
> CAs exist that are replacing unconstrained ones?

Mozilla policy is that the unconstrained CA needs to be disclosed & audited, expired, or revoked - ceasing issuance isn't enough.

The Bechtel CA was revoked on 1 May 2018.

Here is a status report on Trust Italia:
"Our first day (24th april) of assessment with auditor (DNV) has been done and now we are moving forward to the second day (17th may)."

Here is a report on Microsoft's status:
"We are working to tighten up our rollover which includes card replace due to the ROCA vuln. This is expected to be complete in the middle of June but we are still working to pull the date in. Of the two S/MIME certs we currently have the Microsoft IT Email CA 2 (0727c993) can be revoked now but we would like to hold off on the Microsoft IT Email CA 1 until the middle of June."

There is another CA, British Telecom, that has a current tScheme audit and is in the process of obtaining an ETSI audit from LSTI. "They have indicated that they can complete the audit of CA operations by 28th June and customer RAs by 20th July."

We plan on revoking the Microsoft email CAs on June 15.

Signature page from assessment report

Six-page report by DNV-GL from assessment period of 24-Apr-2018 to 18-May-2018. DigiCert has asked Trust Italia to follow up with assessment materials that identify the CAs.

Trust Italia provided their ETSI Audit report (https://bugzilla.mozilla.org/attachment.cgi?id=8989208) for the following CAs:

Trust Italia Class 1 Consumer Individual Subscriber CA - G2
Trust Italia Class 2 Consumer Individual Subscriber CA - G2
Trust Italia Class 2 Managed PKI Individual Subscriber CA - G2

However, apparently they and their auditor did not understand that they needed to provide the SHA2 hashes for all CA certificates, not just the CA certificates currently in use.  So here is a re-cap on the audit status for the Trust Italia CA certificates listed above:

https://crt.sh/?sha256=2804c62478b375827b653981c6d2773e4f3aceeacfc6af9f9a538a131ca3663d&opt=mozilladisclosure
Same CA as https://crt.sh/?sha256=8962a8b18287071f8e9581832dbd2a1b9c5f4561039981ac64a15fc74680bbac&opt=mozilladisclosure

https://crt.sh/?sha256=3b703f0853df25cf8e4c2399dfceac4979ad882c5232c2d581b2f321e32976be&opt=mozilladisclosure
Same CA as https://crt.sh/?sha256=8962a8b18287071f8e9581832dbd2a1b9c5f4561039981ac64a15fc74680bbac&opt=mozilladisclosure

https://crt.sh/?sha256=8962a8b18287071f8e9581832dbd2a1b9c5f4561039981ac64a15fc74680bbac&opt=mozilladisclosure
Expressly listed in audit report linked above for Trust Italia Class 2 Consumer Individual Subscriber CA - G2

https://crt.sh/?sha256=1dc2da46ade3c1e7ebbe42e02f2e1a8e3bf7b1a3a63abf198fd41768463e429c&opt=mozilladisclosure
Expressly listed in audit report linked above for Trust Italia Class 2 Managed PKI Individual Subscriber CA - G2

https://crt.sh/?sha256=1fb0db0ada2e163eee4b4cd99635f2a5e4ba861db7cd63658cf7f3dc520a94b4&opt=mozilladisclosure
Same CA as https://crt.sh/?sha256=1dc2da46ade3c1e7ebbe42e02f2e1a8e3bf7b1a3a63abf198fd41768463e429c&opt=mozilladisclosure

All valid CA certificates for the Microsoft IT Email CA 2 were revoked on 5/22/2018.  However, Microsoft requested that we delay revocation of the CA certificates associated with the Microsoft IT Email CA 1 until August 1st.

LSTI, the ETSI auditor for British Telecom, did not start fieldwork for their ETSI audit until June 25.  We have asked them for an update on the status of their audit.

The two Microsoft Email CA 1 certificates were revoked on 6-August-2018.

I've confirmed that all of the certificates listed in this bug have been disclosed and audited or revoked. Also, DigiCert has no other disclosure issues reported at https://crt.sh/mozilla-disclosures
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED