DigiCert / ABB: Issues with DN, country code and keyUsage
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: brenda.bernal, Assigned: brenda.bernal)
Details
(Whiteboard: [ca-compliance] [ca-misissuance])
Attachments
(2 files)
Updated•7 years ago
|
Comment 1•6 years ago
|
||
Assignee | ||
Comment 2•6 years ago
|
||
Assignee | ||
Comment 3•6 years ago
|
||
Comment 4•6 years ago
|
||
Assignee | ||
Comment 5•6 years ago
|
||
Comment 6•6 years ago
|
||
Assignee | ||
Comment 7•6 years ago
|
||
Comment 8•6 years ago
|
||
Updated•6 years ago
|
Comment 9•6 years ago
|
||
Comment 10•6 years ago
|
||
Updated•6 years ago
|
Assignee | ||
Comment 11•6 years ago
|
||
My apologies for the long pause for a response due to the holiday break and the pace of getting information back at this time.
ABB has been making progress towards replacing email and server certificates as per our guidance. They expect to have all of their email certificates and a majority of their server certificates replaced by March 2019. Each server certificate requires coordination with each owner to understand deployment impact, which ABB has been working.
ABB’s delay in replacing all certificates is due to a diverse and geographically dispersed install base that is beyond the norm. For example, we are aware that ABB has certificates on servers that are used for critical civil infrastructure.
There’s another complication with this migration that we are working with ABB to resolve. Two of ABB's subordinate CAs issue code signing certificates that are used in Java. Revoking such a CA causes a problem. Even when code is timestamped prior to the revocation effective date of the CA that issued the end entity certificate that signed it, Java ignores the CA revocation effective date and treats the CA as if it was never valid, none of its certs were ever valid, and all code signatures are invalid. ABB shared this concern and we verified this behavior with our contacts at Oracle. We wish to explore alternative options such as OneCRL and CRLSet for the code signing CAs.
Comment 12•6 years ago
|
||
Thanks Brenda. I've re-read this bug to make sure I understand the full set of data and proposed plan, and am attempting to summarize it:
Baltimore CyberTrust Root
|
V
ABB Intermediate CA 5 (CA5)
| |
V V
Issuing CA 8 (CA8) Issuing CA 9 (CA9)
- 2016-08-23: DigiCert creates a certificate with Subject "CN = ABB Intermediate CA 5, O = ABB, C = CH".
- As best I can tell, this certificate, with serial 0f87aa7bb7fa2e649889df8f613ea020, is not disclosed via CT.
- This certificate had no leading dots in name constraints, with nameConstraints marked critical.
- 2016-08-25: A second intermediate, with the same name, is created
- As best I can tell, this certificate, with serial 0dddabcf71e65ef92c5d698929aa7aba, is not disclosed via CT.
- This certificate had leading dots in name constraints, with nameConstraints marked critical.
- 2016-09-01: A third intermediate, with the same name, is created
- As best I can tell, this certificate, with serial 0e0c6af7191c5c96a1de52cf09359b5d, is not disclosed via CT.
- This certificate had leading dots in name constraints, with nameConstraints not marked critical.
- 2016-08-03: ABB creates "ABB Issuing CA 9" and "ABB Issuing CA 8"
- 2016-09-07: A fourth intermediate, with the Subject "CN = ABB Intermediate CA 5, O = ABB, DC = ABB, DC = COM" is created
- As best I can tell, this certificate, with serial 0d711c842fe9d67e9dcc22a21cb65cdf, is not disclosed via CT.
- This certificate had leading dots in name constraints, with nameConstraints not marked critical.
- 2016-11-15: A fifth intermediate, with the name, is created
- This is serial 0704af9b01e020849378ce2e5fc154ca, https://crt.sh/?id=78290245
- 2018-03-16: CA is notified of problem
- 2018-03-19: ABB ceases issuing certificates
- 2019-03-XX: The majority of TLS server certificates under CA 9 are expected to be replaced
- 2019-03-XX: The first of 165 email certificates under CA 8 begin to expire
- 2019-05-XX: The first of 502 TLS certificates under CA 9 begin to expire
- 2020-10-19: The last of the certificates under CA8 and CA9 expire
There are, I think, new questions from this:
- Where are the copies of CA5, versions 1-4? Have I missed their disclosure/existence?
- The EKUs for CA5, version 5, is https://crt.sh/?id=78290245, and contains "TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection, 1.3.6.1.4.1.311.21.5, OCSP Signing". Notably, this does not contain the EKU "1.3.6.1.5.5.7.3.3", aka id-kp-codeSigning, which is relevant for Java platforms.
a) Could you explain to me the basis and relevance for the concerns about Java Code Signing intermediates beneath CA5?
b) Have these issuing intermediates (presumably, not CA8 or CA9) been disclosed in some fashion? - What are the revised timelines, given the statement that the majority will be replaced by March? Have these 502 TLS certificates been disclosed?
- The root cause analysis only focuses on DigiCert's issuance of CA5; it does not cover ABB's (mis)issuance of CA8 and CA9. Given that CA8 and CA9 are the result of misuse of CA5, it's important to understand what controls exist, failed, and changed around CA5, CA8, and CA9 that justify the risk of non-revocation.
Comment 13•6 years ago
|
||
Brenda: Do you have updates?
Assignee | ||
Comment 14•6 years ago
|
||
referenced in Jan 14th response to Ryan Sleevi
Assignee | ||
Comment 15•6 years ago
|
||
Submitted as part of January 14 response (2A) to Ryan Sleevi
Assignee | ||
Comment 16•6 years ago
|
||
Hi Ryan, Here's the updates:
- Please find attached contained in the zip file. These were no disclosed (via CCADB) as they are technically constrained.
2 a) CA5 is not relevant for Java Code Signing. It is relevant for CA4. Please see diagram attached from ABB that visually represents this.
2 b) They have not been disclosed on CCADB as they are technically constrained
- We are awaiting a response from ABB on this timeline.
4)ABB's misuse of CA5 relates to the renewal in 2016 that carried forward an existing domain component naming scheme predating the BR country code mandate. For CA8 and CA9, ABB didn't know that key usage needs to be critical or that country code was required.
DigiCert failed to correct the naming of CA5 in 2016 and we did not adequately advise ABB on the content requirements of their issuing CA’s. ABB's CA5 adequately informs relying parties of their identity. The same can be said for parties who rely on CA8 and CA9. While country code is required and is useful information and ABB does have a headquarters location, they operate globally and the relevance of country code to a relying party is minimal.
Comment 17•6 years ago
|
||
Thanks for clarifying, Brenda.
I'm not sure, but it sounds like ABB CA 4 is out of scope. Among other things, I'm showing that it's already revoked - https://crt.sh/?id=881434380 , and that quick read is that it would also have counted as not capable of causing TLS issuance and thus out of scope. So I'm not sure I understand the concerns from Comment #11 regarding revoking CA5 / CA8 / CA9.
Regarding the ABB root cause analysis, I'm not sure that really helps much. Subordinate CAs, technically constrained or otherwise, are expected to adhere to the BRs, and that both the issuing CA and supervising CA (if distinct) have controls in place to ensure this. Regardless of the views of the importance of naming, I think there is a concern in which BRs weren't followed by ABB, and understanding why that happened and the steps to mitigating that are important. I think this is even more important if the BR-specified revocation is not being followed, in order to understand how the demonstrated risk is being addressed, mitigated, and in the future, prevented.
Updated•6 years ago
|
Comment 18•6 years ago
|
||
Any updates, particularly on how Java factors in to these delays?
Updated•6 years ago
|
Updated•6 years ago
|
Assignee | ||
Comment 19•6 years ago
|
||
Thanks, Ryan, it’s correct that CA4 and the ECC CA1 intermediate and issuer are not related to CA5, CA8, and CA9. There is no Java influence on these three CAs. We brought these into this discussion because ABB raised concerns that we shared with Oracle and that affected the speed of our responses here.
ABB will be ready to revoke CA9 by replacing all email certificates by the end of March. Revoking CA5 and CA8 requires that all clients trust the new server chain. The clients involve a mix of easily adaptable browsers and field-deployed non-browsers installed in equipment that is owned by ABB’s customers. The latter requires customer/vendor coordination, testing, and often physical deployment with tedious logistics after devices are fielded. ABB provides power distribution and other civil infrastructure services. This is what revocation breaks.
We understand our RCA is lacking risk mitigation and prevention. We agree that the primary risk is failed adherence to the BRs. We currently follow a documented CA review and creation process that examines the request before it is signed and examines the result before it is released. When the version of CA5 created before the BRs came up for renewal, we failed to fix the domain component naming in part because we were not subjecting CA signing requests to the current compliance team review process established in December 2017. Less people were examining requests than now, even though one person should be enough to have caught this problem.
Because we didn’t change CA5’s DC naming (or dot-prefix constraints), which would have required a conversation with ABB and reconfiguration of their ADCS-based PKI, we didn’t communicate the need to use country code rather than domain components in CA8 and CA9. ABB would have needed to stand up a duplicate ADCS PKI for the country code naming, manage both concurrently, and migrate users to the newer PKI. This didn’t happen because we didn’t stop the renewal of CA5 with domain component naming.
Like we confessed above, when we put dot prefixes on the dNSName constraints, we thought we were doing name constraints right.
The risk we present at a high level is BR violation, and we took steps to address that before this incident was reported. At a low level, we have a misleading representation of ABB’s identity that doesn’t include their country, and we have unneeded name constraints. We feel that relying parties are not confused by the DC naming in these three CAs. We feel that including the dot-prefix constraints does not alter the base domains and FQDNs that are enabled by CA5. But those aren’t the risks. The risk is tolerance of BR violation, a mantra of brushing these matters aside.
We feel this is a managed risk given the openness of our disclosures and willingness to engage. We ask Mozilla to allow ABB to solve the TLS server issuing CA problem in coordination with their customers. We acknowledge that this is a BR violation. We know that the limited browser-using relying party impact doesn’t matter. That isn’t the only relying party for this PKI, though, it’s also the people who want their streetlights on.
We propose to follow up in early April with the CA9 revocation and a status on remaining certificates relying on CA8.
Updated•6 years ago
|
Comment 20•6 years ago
|
||
ABB revoked CA9 today and they report 192 of 492 certificates under CA8 are replaced. We have requested a monthly update until the remaining 300 are resolved and CA8 and CA5 are revoked.
Updated•6 years ago
|
Comment 21•5 years ago
|
||
Brenda / Steve: It's been two months with no updates. Where do things stand?
Comment 22•5 years ago
|
||
Thanks for the reminder. We asked ABB to provide monthly updates, we'll contact them now.
Comment 23•5 years ago
|
||
248 remaining.
Comment 24•5 years ago
|
||
Note https://wiki.mozilla.org/CA/Responding_To_An_Incident#Keeping_Us_Informed notes weekly updates.
This is concerning on the slow progress on CA8, which as noted in Comment #3, refers to TLS issuance. From Comment #12, the original timeline was 2019-03, and Comment #13 modified this to 2019-04. In the intervening time between Comment #20 and Comment #23, a period of 2.5 months, a total of 52 certificates were revoked.
Comment #19 attempts to explain the challenges, but this doesn't really clarify the lack of progress here, or whether the expectation is that these will continue until they naturally expire.
I'm pushing to Wayne for a further analysis of this, to make sure I've not missed any explanations. I haven't really seen any discussion about how issues like this, systemically, will be prevented in the future. Comment #19 explains several challenges, but no mitigations seem in place to prevent further delays in revocation.
Updated•5 years ago
|
Comment 25•5 years ago
|
||
ABB reports a troubling 31 certificates revoked, leaving 217 remaining. They were impacted by parental leave of a lead person in the PKI team. In their comments, they stated that they are frustrated with the lack of progress as we are and they have now set an aggressive goal to reach 80% completion (based on the initial 492 certs) by 9 August 2019 which would revoke 119 certificates within the coming month, leaving 98 valid at the milestone.
We ask that ABB are allowed to demonstrate this commitment before other actions are considered.
Comment 26•5 years ago
|
||
Wayne: I recommend this CA be moved to OneCRL. A lack of meaningful progress since 2018-04, and no concrete deadline for revocation, combined with the overall handling of this incident, have lead me to a vote of No Confidence in ABB. Every opportunity has been given here.
I want to draw special attention to Comment #10, as this also concerns DigiCert's management of Sub-CAs.
Comment 27•5 years ago
|
||
I created bug 1566162 to document the subordinate CA oversight failure and remediation as a separate issue.
Steve: will ABB commit to, and/or will DigiCert specify a date by which this CA will be revoked?
Comment 28•5 years ago
|
||
If you recommend a target, I am certain that the new management of the PKI would appreciate the opportunity to comply. We are prepared to take action as required. We would like to see what is accomplished as of 9 August given their commitment to step up the pace.
Comment 29•5 years ago
|
||
We will come up with a date today and post it.
Comment 30•5 years ago
|
||
We are currently proposing Aug 30th as the deadline, but are waiting to hear back from ABB. The original proposal was Oct 2020 so this will be a pretty significant acceleration. Will post a firm accelerated timeline when they respond in the morning. We were currently expecting end of they year but will convey that needs acceleration.
Comment 31•5 years ago
|
||
We are still on track to revoke on August 30th and are tracking progress.
Assignee | ||
Comment 32•5 years ago
|
||
Update: We are on track with revoking on 30-August.
Comment 33•5 years ago
|
||
Still just waiting for Aug 30. That should be our next update.
Assignee | ||
Comment 34•5 years ago
|
||
ABB CA 5 has been revoked. https://crt.sh/?id=78290245. I've also posted an update also on this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1566162
Comment 35•5 years ago
|
||
(In reply to Ryan Sleevi from comment #17)
I do not see CA4 as being revoked.
Comment 36•5 years ago
|
||
That CA4 cert is constrained to code signing only and out of scope of the Mozilla policy. It's shut down is being worked out with Microsoft.
Comment 38•5 years ago
|
||
It appears that all questions have been answered and remediation is complete.
Updated•2 years ago
|
Updated•2 years ago
|
Description
•