Entrust: Late mis-issue certificate revocation
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: bruce.morton, Assigned: bruce.morton)
Details
(Whiteboard: [ca-compliance] [leaf-revocation-delay])
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Steps to reproduce:
Miss-issued certificate per https://bugzilla.mozilla.org/show_bug.cgi?id=1512018 was not revoked within the 5 day deadline.
Actual results:
Deadline was not defined properly.
Expected results:
Miss-issued certificate should have been revoked within 5 days of miss-issuance notification.
|
Assignee | |
Comment 1•5 years ago
|
||
- How your CA first became aware of the problem
Entrust Datacard revoked a certificate after the 5 day deadline and noticed the issue when documenting the revoked certificate's mis-issuance report.
- A timeline of the actions your CA took in response
(All times are UTC)
November 19, 2018 11:54 – Certificate issued
November 20, 2018 17:37- Miss-issuance detected
November 20, 2018 17:37 - Investigation started
November 20, 2018 - Process was changed
November 21, 2018 17:19 - Verification team advised of the process issue
November 26, 2018 1:56 - Miss-issued certificate revoked
- Confirmation that your CA has stopped issuing TLS/SSL certificates with the problem
Entrust Datacard has updated the process to define a starting time and a revocation deadline.
- A summary of the problematic certificates
Only one certificate is the subject of this report, see section 5.
- The complete certificate data for the problematic certificates
Here is the list of miss-issued certificates:
https://crt.sh/?id=958918578
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
The revocation deadline was defined improperly. The Subscriber of the certificate was notified and offered change or refund to the certificate. The certificate was revoked after the response from the Subscriber, which was after the 5 day deadline.
- List of steps your CA is taking to resolve the situation
At the time that a miss-issuance has been determined, a revocation deadline will be set. The deadline will be based on the time of notification and not the time the investigation is complete. A 24 hour alarm will be set in our Support system with a notice to a distribution list. Managers on the distribution list will ensure that the certificate gets revoked before the deadline.
|
||
Updated•5 years ago
|
|
||
Comment 2•5 years ago
|
||
The deadline will be based on the time of notification and not the time the investigation is complete.
Is this compatible with the Baseline Requirements? It does not appear to be, in that the notification may take some non-zero time after the CA has been made aware of facts requiring revocation. 4.9.1.1 is based on making a determination, which shall be completed within a bounded time after a report.
|
|
Assignee | |
Comment 3•5 years ago
|
||
(In reply to Ryan Sleevi from comment #2)
The deadline will be based on the time of notification and not the time the investigation is complete.
Is this compatible with the Baseline Requirements? It does not appear to be, in that the notification may take some non-zero time after the CA has been made aware of facts requiring revocation. 4.9.1.1 is based on making a determination, which shall be completed within a bounded time after a report.
You are correct as BR 4.9.1.1 states "The CA obtains evidence that the Certificate was misused." So the 5 days may start as late as this time.
|
|
||
Comment 4•5 years ago
|
||
It appears that remediation is complete.
|
||
Updated•2 years ago
|
|
||
Updated•1 year ago
|
Description
•