Camerfirma: MULTICERT Misissuance and missing audits
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: wthayer, Assigned: martin_ja
Details: Whiteboard: [ca-compliance] [ov-misissuance] [audit-failure]
Attachments: 9 files, 2 obsolete files
Comment 19•6 years ago
It's been 3 months without updates. Did I miss a status update?
Comment 20•6 years ago
We are now updating the CCADB audits for GLOBAL CORPORATE SERVER (the issuer of InfoCert Organization Validation CA 3 and Intesa Sanpaolo Organization Validation CA, see comment #12) according to WebTrust Principles and Criteria for Certification Authorities v2.1.
Comment 21•6 years ago
ETSI 319 411-1
Comment 22•6 years ago
ETSI 319 411-2
Comment 23•5 years ago
I'm very confused by the response in comments 20-22. Those audits do not include the certificates from comment #12 in scope, and they do not cover the full audit period back to Dec 2017. However, it appears that audit reports dating back to Dec 2017 were provided for these two CA certificates in bug #1549861, so this problem has been remediated.
Eusebio: is my explanation correct? What is the purpose of comments 20-22?
Comment 24•5 years ago
Hi Wayne,
I posted the wrong documents. Now I post the right ones.
The Infocert & Intesa auditor considered, in the audit held in December 2018, all the certificates issued since the CA started its activities in September 2017. Indeed, in clause 3.3 of the attached report the misissuances that occurred in 2017 are listed too, plus the few that occurred in 2018.
We had already opened a bug with the certificates misissued by Infocert:
https://bugzilla.mozilla.org/show_bug.cgi?id=1556806
And in the same way with the certificates misissued by Intesa:
https://bugzilla.mozilla.org/show_bug.cgi?id=1557085
So these audit reports considered not only the certificates issued from the start date of the audit report (7-December-2017) until the end date (4-December-2018), but also the certificates issued since the issuance of the subCA certificates (6-July-2017).
The first certificates issued with these subCAs were issued on:
- 28-September-2017 (InfoCert Organization Validation CA 3)
- 14-September-2017 (Intesa Sanpaolo Organization Validation CA)
Best regards
Comment 27•5 years ago
Eusebio: These audits cover the period beginning in December 2017. Please explain how this answers the question I asked in comment #12:
Please explain how these certificates meet the requirements of BR section 8.1
Specifically, did these two subCAs have audits covering the period from September to December 2017?
Comment 28•5 years ago
Hi Wayne,
As you requested in Comment #16, https://bugzilla.mozilla.org/show_bug.cgi?id=1502957#c16, I will now attach the auditor's new attestation statements.
So we have for both subCAs (InfoCert Organization Validation CA 3 & Intesa Sanpaolo Organization Validation CA):
- These new attestation statements from the auditors, assuring that they checked from the date of issuance of the subCAs (6-September-2017) to 6-December-2017.
- The standard audits from 7-December-2017.
More specifically:
InfoCert Organization Validation CA 3:
- Audit memo: from 6-July-2017 to 6-December-2017
- Standard audit: from 7-December-2017 to 2-December-2018
Intesa Sanpaolo Organization Validation CA:
- Audit memo: from 6-July-2017 to 6-December-2017
- Standard audit: from 7-December-2017 to 5-December-2018
Comment 31•5 years ago
Eusebio: thank you for providing these new documents. Both documents state:
During the audit, minor non-conformities were identified and, as a result:
An assessment was conducted between the issue of the subCA certificates (6-July-2017) until 6-December-2017.
What does this mean? Is the auditor stating that an audit was conducted but no public report or seal was generated due to the minor non-conformities that were identified? What were these non-conformities?
Comment 32•5 years ago
There existed a gap in the period covered by the reports that we published in the beginning (between 6-July-2017 and 6-December-2017); however, that period had been audited.
We also asked the auditor for an audit memo stating that they have audited the period not covered in the reports. You can find the corresponding memos at the links below:
https://bug1502957.bmoattachments.org/attachment.cgi?id=9100429
https://bug1502957.bmoattachments.org/attachment.cgi?id=9100428
Is the auditor stating that an audit was conducted but no public report or seal was generated?
Yes.
Due to the minor non-conformities that were identified?
No, it was due to the fact that they should have issued an attestation statement in July 2018 but issued it in December 2018.
Regarding the non-conformities and problems detected in previous reports, all of them have been solved. You can find all the information about them in the bugs below:
https://bugzilla.mozilla.org/show_bug.cgi?id=1556806
https://bugzilla.mozilla.org/show_bug.cgi?id=1557085
Best regards
Comment 33•5 years ago
Wayne, Kathleen: I'm still a bit confused about the attachments in Comment #32, and I'm not sure what the most productive next steps would be. One path is to say that if we're not able to make sense of it, we're not able to accept it, since the audits exist to benefit "us". Another option would be to give the CA the benefit of the doubt, and try to work out with the auditor what happened, but I'm fundamentally worried that does not scale and would not be something we reasonably could or should extend to all CAs.
I'd love to get your perspective here on next steps.
Comment 34•5 years ago
I am also confused by this statement:
No, it was due to the fact that they should issued an attestation statement in July-2018 but they issued it in December-2018.
It does seem to be clear that the InfoCert Organization Validation CA 3 & Intesa Sanpaolo Organization Validation CA have audit gaps that violate the BRs and Mozilla policy. I believe the only way to remediate the problem is to revoke these two CA certificates. Therefore the next steps I would propose are:
- Ask Camerfirma again if they can clearly explain why these certificates are compliant, and if they cannot, ask Camerfirma if they plan to revoke them (and if so, by when).
- If Camerfirma chooses not to revoke them, consider adding them to OneCRL.
Comment 35•5 years ago
Hi all,
We do not think revocation or addition to OneCRL is needed in this case, because the period between July 7 and December 6 was covered by additional memos wherein the auditors assured that they checked from the date of issuance of the subCAs (6-September-2017) to 6-December-2017 for both CAs, so we think they did not violate the BRs or Mozilla policy.
As you can see, we provided information about it in comment 28: https://bugzilla.mozilla.org/show_bug.cgi?id=1502957#c28
Maybe we were not clear enough with the explanation we gave in the past, so we want to clarify the situation.
In that comment we assumed that there existed a gap between the date of creation and December 2017 for the intermediate CAs InfoCert Organization Validation CA 3 and Intesa Sanpaolo Organization Validation CA.
To solve the situation we asked the auditor for an audit memo to cover that period, and we uploaded the memos in comments 29 and 30:
https://bug1502957.bmoattachments.org/attachment.cgi?id=9100428
https://bug1502957.bmoattachments.org/attachment.cgi?id=9100429
In comment 32 we also provided explanations about those reports in response to your questions: https://bugzilla.mozilla.org/show_bug.cgi?id=1502957#c32
Regarding the non-conformities that appear in the memos covering the period between July 7 and December 6, the results of the reviews were the following:
- Infocert: Some minor non-conformities were detected in the period between July 7 and December 6. They were solved during the audit period. All the details about the non-conformities and their remediation appear in section 1.3 of the report.
- Intesa San Paolo: Some minor non-conformities were detected in the period between July 7 and December 6. They were solved during the audit period. All the details about the non-conformities and their remediation appear in section 3.3 of the report.
As you can see, no non-conformities remained open after the end of the audit period.
Please let us know if you need more information.
Comment 36•5 years ago
Clearing my needinfo, so I will stop receiving daily email about this bug. Wayne is looking into this further.
Comment 37•5 years ago
In summary:
- Camerfirma/MULTICERT misissued 174 certificates with invalid QCStatements
- In researching that issue, it was found that the "MULTICERT SSL Certification Authority 001" was not included in the scope of the MULTICERT audit.
- It was later found that 2 other subCAs were not included in audit statements (comment #12). There was a 6-month gap in 2017 that is only covered by a memo provided by the auditor. No other remediation is planned.
I'm disappointed by the response in comment #34, but at this point I don't expect to make any further progress. I think it's best to resolve this bug and consider it in the context of all the other Camerfirma issues that have been documented.