Closed Bug 1464359 Opened 6 years ago Closed 6 years ago

Firmaprofesional: Undisclosed Intermediate certificate SDS

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: chemalogo, Assigned: wthayer)

References

Details

(Whiteboard: [ca-compliance] [disclosure-failure])

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180517113820

Steps to reproduce:

Look at https://crt.sh/mozilla-disclosures#disclosedbutincrl
or the CCADB to look for disclosed and undisclosed CAs


Actual results:

Although the affected certificate is disclosed, there are no audit reports for this CA. Nevertheless:
- on one hand, this CA is about to cease its operations. Communication to the corresponding Spanish Supervisory Body has been sent, and this information was disclosed in the CCADB. See attachment
- additionally, this CA has an eIDAS report. See attachment
- finally, since the ceasing procedure can take a while, we will ask for its inclusion in OneCRL.
Attached image CCADB screenshot
1) How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

An email from Rob Stradling (Rob@comodoca.com), thanks Rob, on 27 Apr. 2018 at 15:33 (Spanish time)

2) A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

That same day we updated the CCADB indicating that:

"This CA has communicated to the Spanish Supervisory Body (SSB) the end of its operations. It is not issuing certificates at all.

They are going to send to the SSB in the following weeks its termination plan."

The plan is still to be sent by the CA.

3) Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

We've cut RA operator access. This CA cannot issue any certificates anymore.

We've asked for inclusion into OneCRL. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1464362

4) A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

https://crt.sh/?id=408789249

5) The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

https://crt.sh/?id=408789249

6) Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

From our point of view it was not a mistake, since the CA's last certificate was issued in July 2017, it is about to cease operations and we have informed about it. We were mistaken, and we are now taking additional measures.


7) List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

On 27 Apr. 2018 at 15:33 (Spanish time) we updated the CCADB indicating that:

"This CA has communicated to the Spanish Supervisory Body (SSB) the end of its operations. It is not issuing certificates at all.

They are going to send to the SSB in the following weeks its termination plan."

Right now:
We've cut RA operator access. This CA cannot issue any certificates anymore.

We've asked for inclusion into OneCRL. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1464362
Based on other similar reports I think the correct component would be NSS:: CA Certificate Mis-Issuance. Please change if this is not the right component.
Assignee: nobody → wthayer
Component: Untriaged → CA Certificate Mis-Issuance
Product: Firefox → NSS
QA Contact: kwilson
Version: 60 Branch → other
Depends on: 1464362
Whiteboard: [ca-compliance]
Blocks: 1455119
This CA was revoked last June 18th.
Confirmed that this certificate has been revoked and added to OneCRL.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Summary: Incident Report: Firmaprofesional: Undisclosed Intermediate certificate SDS → Firmaprofesional: Undisclosed Intermediate certificate SDS
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [disclosure-failure]