Closed Bug 1485413 Opened 6 years ago Closed 5 years ago

Certigna: Issuance without respecting CAA records

Categories: CA Program :: CA Certificate Compliance (Type: task, Priority: Not set, Severity: normal)

Tracking: Not tracked

Status: RESOLVED FIXED

People: Reporter: wthayer, Assigned: j.allemandou

Whiteboard: [ca-compliance] [ov-misissuance]

BR section 3.2.2.8 requires CAs to respect RFC 6844 CAA records when issuing certificates. Certigna's current CPS states:

If the request is valid and makes it possible to obtain with accuracy the authorization to issue the certificate from a legal representative of the entity that owns the domain names, the CA authorizes itself to issue the certificate even if the CA is not present in the list of authorized CAs.

Certigna confirmed that they were not adhering to the BRs in an email [1] regarding the root inclusion request, stating:

Indeed, up to now we were operating a control with an alert and a notification to the applicant (pointing to this page https://www.certigna.fr/dns-caa.xhtml) to add us to the CAA field if it is present, but it was not blocking for the request because we considered that having a signed authorization from the legal representative was sufficient even if the applicant had not updated the CAA record.

I am requesting that Certigna identify and remediate all certificates that have been misissued based on this invalid interpretation of the BRs.

Please provide an incident report for this problem, as described here:
https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
The incident report should be posted to the mozilla.dev.security.policy forum and added to this bug.
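
The CAA check that BR section 3.2.2.8 and RFC 6844 call for, as an added example written for this page and not code from Certigna or from the bug: it climbs from the requested name toward the root to find the relevant CAA RRset, applies issue/issuewild (with the wildcard and critical-flag rules as RFC 8659, which later obsoleted RFC 6844, spells them out), and turns the result into a blocking decision for the whole request rather than an alert to a Registration Officer. The zone data and the CA identifiers ca-a.example and ca-b.example are constructed; a production check would issue real DNS queries in place of the dictionary lookup.

```python
"""CAA issuance check per RFC 6844 (as clarified by RFC 8659) over constructed zone data.

Added example; not code from Certigna or from the bug.  The zone below stands in
for live DNS answers, and the CA identifiers are hypothetical.
"""
from typing import Dict, List, Optional, Tuple

# A CAA record is (flags, tag, value); flag bit 128 is "issuer critical".
CAARecord = Tuple[int, str, str]
CRITICAL = 128
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data (not real DNS).  Keys are lowercase FQDNs without a trailing dot.
CONSTRUCTED_ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [(0, "issue", "ca-a.example"), (0, "issuewild", ";")],
    "locked.example": [(0, "issue", ";")],                     # forbids every issuer
    "sub.example.net": [(0, "issue", "ca-b.example; account=123")],
    "example.net": [(0, "issue", "ca-a.example")],
    "strict.example": [(128, "future-tag", "x")],              # critical, unknown tag
}


def lookup_caa(name: str) -> List[CAARecord]:
    """Stand-in for a DNS CAA query; returns the RRset or an empty list."""
    return CONSTRUCTED_ZONE.get(name.lower().rstrip("."), [])


def relevant_rrset(name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Climb from name toward the root and return the first non-empty CAA RRset.

    The relevant RRset is the one at the name itself or at its closest ancestor
    that has CAA records; the search stops there and does not merge sets.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        ancestor = ".".join(labels[i:])
        rrset = lookup_caa(ancestor)
        if rrset:
            return ancestor, rrset
    return None, []


def issuer_domain(value: str) -> str:
    """An issue/issuewild value is 'issuer-domain-name [; params]'; only the name is matched."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name: str, ca_id: str) -> Tuple[bool, str]:
    """Decide whether ca_id may issue for one DNS name (wildcard or not)."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    origin, rrset = relevant_rrset(base)
    if not rrset:
        return True, f"no CAA records from {base} to the root"
    # An unrecognised property marked critical must block issuance.
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognised critical CAA property '{tag}' at {origin}"
    issue = [r for r in rrset if r[1].lower() == "issue"]
    issuewild = [r for r in rrset if r[1].lower() == "issuewild"]
    # issuewild governs wildcard names when present; otherwise issue applies to both.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"CAA at {origin} contains no issue property that applies to {name}"
    allowed = {issuer_domain(r[2]) for r in applicable}
    if ca_id.lower() in allowed:
        return True, f"{ca_id} is authorised by CAA at {origin}"
    return False, f"{ca_id} is not in the CAA issuer list at {origin}: {sorted(allowed)}"


def check_request(san_names: List[str], ca_id: str) -> Tuple[str, Dict[str, str]]:
    """Evaluate every SAN in a request; a single failing name blocks the whole request.

    A signed authorisation from the applicant's legal representative is deliberately
    not an input: CAA is a DNS-level policy and a paper document cannot override it.
    """
    failures: Dict[str, str] = {}
    for san in san_names:
        ok, why = caa_permits(san, ca_id)
        if not ok:
            failures[san] = why
    return ("BLOCK" if failures else "PERMIT"), failures


if __name__ == "__main__":
    for req in (["www.example.com"], ["www.example.com", "*.example.com"], ["sub.example.net"]):
        print(req, check_request(req, "ca-a.example"))
```

Run as a script it prints the decision for three constructed requests; the second is blocked because the wildcard name falls under the issuewild ";" record even though ca-a.example may issue non-wildcard names under example.com, and the third is blocked because the record at sub.example.net names a different issuer and stops the climb before example.net is consulted.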

We confirm that no, this is not the case. This is what we said in the CP/CPS because we thought that these constraints could be regularly encountered and that it could be bad for business, but as I said in our answer, the controls to report the blocking cases have been in place since the beginning of the application of the requirements about CAA records; we only failed to update the documents.

Requests are processed not only automatically but also with human validation by our Registration Authority; in particular, our Registration Officers are systematically warned in case of an alert on a CAA record. We confirm to you, despite what has not been updated in the CP/CPS, that we do block requests in accordance with the requirements expressed.

We wanted to wait for your feedback on the other points before updating our CP / CPS, but we can update them before the end of the week if necessary.

We hope that this meets your expectations, and we remain at your disposal for further information.

Best regards
And just to clarify, when we specified this in the CP/CPS, we thought that the document signed by a legal representative at the time of the certificate request could be sufficient in terms of consent, even where, despite our requests, the applicant had not wished to update their CAA record in addition to providing the document. So that is what was specified in the CP/CPS, but we still set up the controls and have monitored these points since then to block the applications concerned. We only failed to regularize the point in the CP/CPS.

We hope that this meets your expectations, and we remain at your disposal for further information.

Best regards

Incident report about the issuance of one certificate without DNS CAA authorization:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/mVD1QoGXBOQ

Questions were answered in the mozilla.dev.security.policy thread referenced in comment #4.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]