1497703 - SECOM: Undisclosed intermediate certificates

Status: RESOLVED FIXED

(CA Program :: CA Certificate Compliance, task)

Description

[Wayne Thayer]

SECOM failed to disclose the following intermediate certificates within one week of issuance as required by Mozilla policy section 5.3.2:

https://crt.sh/?sha256=38b26cf45c932ea28019d93e440ac72bae83f9cbf52d6ad913698b18fcc8717d&opt=mozilladisclosure
https://crt.sh/?sha256=2b30d5e912906358c9ad6fb57fd7b368a01a78e395b4ec11645c5b98a0967de8&opt=mozilladisclosure

Please provide an incident report in this bug, as described here:
https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report Please also post the report to the mozilla.dev.security.policy forum.

Comment 1

[Hisashi Kamo]

Dear Wayne-san, 

Thank you for the notice.

Because of our misrecognition we failed to disclose.
Now, we disclosed for those certificates.

Best regards,
Hisashi Kamo

Comment 2

[Wayne Thayer]

Dear Kamo-san: Thank you for your disclosure. Please provide an incident report explaining why this happened and how SECOM will prevent it from happening again.

Comment 3

[Hisashi Kamo]

Dear Wayne-san,

1.How your CA first became aware of the problem 
We first became aware by the email of this bugzilla at 7:45 on October 10, 2018.
2. A timeline of the actions your CA took in response.
<7:45 on October 10, 2018> We got the email of this bugzilla.
<10:17 on October 10, 2018>  We disclosed on CCADB.
3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.
Non applicable. We carefully checked about this and immediately disclosed on CCADB.
4. A summary of the problematic certificates.
Non applicable.
5. The complete certificate data for the problematic certificates. 
Non applicable.
6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
Because of our misrecognition we failed to disclose.
When registering CCADB for the certificate with code signing in August, we got a message saying registration was unnecessary, 
and then we mixed up for the registration for these certificates on this case were also unnecessary.
7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future
We described the CCADB disclosing procedure for the manual of the key ceremony. In addition, we provided education to operational staff so that there is no misrecognition like this.

Thank you for your consideration.

Best regards,
Hisashi Kamo

Comment 4

[Wayne Thayer]

Dear Kamo-san,

Thank you for this incident report. I do not understand what you mean by "misrecognition". Will you please explain what caused this in more detail?

I understand that you have now added CCADB disclosure to your standard key ceremony procedure documentation - is that correct?

Also, please be aware that you can double-check intermediate disclosures using crt.sh: https://crt.sh/mozilla-disclosures#undisclosed

Comment 5

[Hisashi Kamo]

Dear Wayne-san,

> I do not understand what you mean by "misrecognition". Will you please explain what caused this in more detail?

When we tried to disclose another certificate with EKU before, we got the message that "This certificate is considered to be technically-constrained as per Mozilla policy, so it does not need to be added to the CA Community in Salesforce." 

We misunderstood the message that disclosure was not necessary for those certificates you pointed out although this message content did not apply.

> I understand that you have now added CCADB disclosure to your standard key ceremony procedure documentation - is that correct?

Yes, it is correct.

Best regards,
Hisashi Kamo