Closed Bug 1520876 Opened 8 months ago Closed 7 months ago

Entrust: Late mis-issue certificate revocation

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bruce.morton, Assigned: bruce.morton)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Steps to reproduce:

Miss-issued certificate per https://bugzilla.mozilla.org/show_bug.cgi?id=1512018 was not revoked within the 5 day deadline.

Actual results:

Deadline was not defined properly.

Expected results:

Miss-issued certificate should have been revoked within 5 days of miss-issuance notification.

  1. How your CA first became aware of the problem

Entrust Datacard revoked a certificate after the 5 day deadline and noticed the issue when documenting the revoked certificate's mis-issuance report.

  1. A timeline of the actions your CA took in response

(All times are UTC)
November 19, 2018 11:54 – Certificate issued
November 20, 2018 17:37- Miss-issuance detected
November 20, 2018 17:37 - Investigation started
November 20, 2018 - Process was changed
November 21, 2018 17:19 - Verification team advised of the process issue
November 26, 2018 1:56 - Miss-issued certificate revoked

  1. Confirmation that your CA has stopped issuing TLS/SSL certificates with the problem

Entrust Datacard has updated the process to define a starting time and a revocation deadline.

  1. A summary of the problematic certificates

Only one certificate is the subject of this report, see section 5.

  1. The complete certificate data for the problematic certificates

Here is the list of miss-issued certificates:
https://crt.sh/?id=958918578

  1. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The revocation deadline was defined improperly. The Subscriber of the certificate was notified and offered change or refund to the certificate. The certificate was revoked after the response from the Subscriber, which was after the 5 day deadline.

  1. List of steps your CA is taking to resolve the situation

At the time that a miss-issuance has been determined, a revocation deadline will be set. The deadline will be based on the time of notification and not the time the investigation is complete. A 24 hour alarm will be set in our Support system with a notice to a distribution list. Managers on the distribution list will ensure that the certificate gets revoked before the deadline.

Assignee: wthayer → bruce.morton
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: Late mis-issue certificate revocation → Entrust: Late mis-issue certificate revocation
Whiteboard: [ca-compliance]

The deadline will be based on the time of notification and not the time the investigation is complete.

Is this compatible with the Baseline Requirements? It does not appear to be, in that the notification may take some non-zero time after the CA has been made aware of facts requiring revocation. 4.9.1.1 is based on making a determination, which shall be completed within a bounded time after a report.

Flags: needinfo?(bruce.morton)

(In reply to Ryan Sleevi from comment #2)

The deadline will be based on the time of notification and not the time the investigation is complete.

Is this compatible with the Baseline Requirements? It does not appear to be, in that the notification may take some non-zero time after the CA has been made aware of facts requiring revocation. 4.9.1.1 is based on making a determination, which shall be completed within a bounded time after a report.

You are correct as BR 4.9.1.1 states "The CA obtains evidence that the Certificate was misused." So the 5 days may start as late as this time.

Flags: needinfo?(bruce.morton)

It appears that remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.