Closed Bug 1524816 Opened 5 years ago Closed 5 years ago

SECOM: failure to revoke underscores

Categories

(CA Program :: CA Certificate Compliance, task)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jonathan, Assigned: h-kamo)

Details

(Whiteboard: [ca-compliance] [leaf-revocation-delay])

SECOM failed to revoke the following certificates containing dnsNames with underscores that were required to be revoked by 2019-01-15 (CABF ballot SC12). I notified them via an email to their problem reporting address at 2019-01-29 18:15 UTC and received confirmation that they were revoked the same day.

https://crt.sh/?opt=zlint&id=732796686
https://crt.sh/?opt=zlint&id=732796682
https://crt.sh/?opt=zlint&id=738541471
https://crt.sh/?opt=zlint&id=738541494
https://crt.sh/?opt=zlint&id=738541563
https://crt.sh/?opt=zlint&id=738541551

Kamo-san: Please provide an incident report, as per https://wiki.mozilla.org/CA/Responding_To_An_Incident

If SECOM intentionally delayed revocation, please include an explanation for why this wasn't disclosed prior to Jan 15 as discussed on the mozilla.dev.security.policy list.

Assignee: wthayer → h-kamo
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(h-kamo)
Whiteboard: [ca-compliance]

Wayne-san,

We are currently preparing an incident report and will post it next week.
Thank you for your consideration.

Best regards,
Hisashi Kamo

Flags: needinfo?(h-kamo)

Wayne-san,

Here is our incident report.

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

We received an email notice from Mr. Jonathan Rudenberg at 3:16 AM on January 30, 2019.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

2018/9/10 Issued two certificates.
2018/9/12 Issued four certificates.
2018/10/3 Issued one certificate.
2019/01/30 Received the notice email.
2019/01/30 Revoked seven certificates.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

These seven certificates were revoked on the day of the notice.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

We issued certificates that specified a DNS name including an underscore.
We received the email notice from Mr. Jonathan Rudenberg, and the certificates were revoked on the same day as the notice.
https://crt.sh/?opt=zlint&id=732796686
https://crt.sh/?opt=zlint&id=732796682
https://crt.sh/?opt=zlint&id=738541471
https://crt.sh/?opt=zlint&id=738541494
https://crt.sh/?opt=zlint&id=738541563
https://crt.sh/?opt=zlint&id=738541551

In addition to that, another certificate was found by our inspection on the same day, and this certificate was also revoked on the same day.


  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

Described at #4.

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

When we changed the settings of the CA software (CA product) in the past, the operator in charge unintentionally set an incorrect value in the certificate for the issuance check of the certificate profile.
In the task of directly changing the configuration of the CA software, we issued these certificates directly from the CA software.
At that time, we planned to issue certificates under the following conditions.
· Being in our domain (.secomtrust.net etc.)
· Check only in our CA's room
· Carried out by two (2) operators in charge
In the confirmation process at issuance, it was confirmed that these certificates did not include a high-risk domain.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

Permanent action
(1) Enhancement of the review process
New Check items were added to the check sheet of the review point, and the measures were taken to prevent for the certificate information issued when we conduct the task of directly changing the configuration of the CA software.
(2) Enhance operation confirmation during work
New Check items were added to the check sheet of the operation and measures were taken to prevent for the certificate information issued when we conduct the task of directly changing the configuration of the CA software.
(3) System enhancement
We will introduce a system for checking the checkpoint that the DNS name does not include an underscore and introducing a mechanism to prevent operational mistakes (under execution date planning).

Thank you for your consideration.

Best regards,
Hisashi Kamo

Kamo-san: thank you for providing this incident report.

Was SECOM aware of the 15-January deadline to revoke certificates containing underscore characters? If yes, why weren't these certificates detected? If no, why not?

Flags: needinfo?(h-kamo)

Wayne-san,

> Was SECOM aware of the 15-January deadline to revoke certificates containing underscore characters? If yes, why weren't these certificates detected? If no, why not?

Yes.
We were aware of the 15-January deadline to revoke certificates containing underscore characters.

Our recognition was that we had checked underscore for all issued certificates.
However, certificates for confirmation of CA system configuration were recorded in a separate database, thus we were unable to recognize that we should target another database at the time of investigation.
In regards to conducting this kind of investigation, we notified our administrators to check certificates for confirmation of CA system configuration without leakage from now on.

Best regards,
Hisashi Kamo

Flags: needinfo?(h-kamo)
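
An added example (not SECOM's code and not part of the original thread) of the kind of check described in item (3) of the incident report, combined with a sweep over every certificate store, including a separate configuration-test database like the one mentioned in the reply above. The function names, store names, serials and hostnames are hypothetical and constructed for illustration.

```python
import re

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
LDH_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def dnsname_problems(name):
    """Return the reasons a dNSName value should be rejected (empty list = OK)."""
    if not name or len(name) > 253:
        return ["empty or longer than 253 characters"]
    labels = name.split(".")
    if labels[0] == "*":  # wildcard accepted only as the whole leftmost label
        labels = labels[1:]
        if not labels:
            return ["wildcard without a base domain"]
    problems = []
    for label in labels:
        if "_" in label:
            problems.append(f"underscore in label {label!r}")
        elif not LDH_LABEL.fullmatch(label):
            problems.append(f"label {label!r} is not letters-digits-hyphen")
    return problems


def sweep(inventories):
    """inventories: {store name: [(serial, [dNSName, ...]), ...]}.

    Every store is scanned, so certificates kept outside the main
    issuance database are not skipped. Returns a list of
    (store, serial, dNSName, reason) tuples.
    """
    findings = []
    for store, certs in inventories.items():
        for serial, names in certs:
            for name in names:
                for reason in dnsname_problems(name):
                    findings.append((store, serial, name, reason))
    return findings


# Constructed sample data: a production store and a separate test store.
SAMPLE = {
    "production": [("01", ["www.example.com", "*.example.com"])],
    "config-test": [("02", ["mh_test001.example.net"]),
                    ("03", ["ok.example.net"])],
}

if __name__ == "__main__":
    for finding in sweep(SAMPLE):
        print(finding)
```

The same `dnsname_problems` function can be called before issuance to reject a request and after the fact to build a revocation list.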

Kamo-san: thank you for the information in comment #5

> We will introduce a system for checking the checkpoint that the DNS name does not include an underscore and introducing a mechanism to prevent operational mistakes (under execution date planning).

When do you expect to have this implemented?

Flags: needinfo?(h-kamo)

Wayne-san,

We have implemented it today.

Best regards,
Hisashi Kamo

Flags: needinfo?(h-kamo)

It appears that remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [leaf-revocation-delay]