Closed Bug 1542082 Opened 5 years ago Closed 5 years ago

IdenTrust: Failure to disclose Unconstrained intermediate Within 7 Days

Categories

(CA Program :: CA Certificate Compliance, task)


RESOLVED FIXED

People

(Reporter: roots, Assigned: roots)

Details

(Whiteboard: [ca-compliance] [disclosure-failure])


Steps to reproduce:

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
    IdenTrust: on 3/28/19, prompted by post from Mozilla, we realized that we had not disclosed an Intermediate CA certificate that was issued on 2/28/19 within a week of certificate creation as required by Section 5.3.2 of the Mozilla Policy.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
    IdenTrust: On 3/27/19 we attempted to replace a previously disclosed non-SSL issuing CA in the CCADB with a replacement certificate instance. The original Intermediate CA certificate was created on 10/12/2018 and disclosed on 10/16/2018. A replacement certificate for the same Intermediate CA was created on 02/28/2019 and disclosed on 3/27/2019. However, the disclosure of the replacement certificate resulted in de-listing of the original Intermediate CA certificate from CCADB. This alerted us to the fact that we needed to list both intermediate certificates in CCADB as separate records and that our replacement certificate should have been disclosed within one week of 3/27/19 rather than triggered by actual issuance of end entity certificates.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
    IdenTrust: We have disclosed to CCADB all intermediate certificates that are within scope of Mozilla Policy section 1.1.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
    IdenTrust: One Intermediate CA certificate issued on 2/28/19.

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
    IdenTrust: 1324641183

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
    IdenTrust: Our operational procedures for disclosure to CCADB were triggered on actual issuance of end entity certificates rather than also within 7 days as required by Section 5.3.2 of Mozilla Policy.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
    IdenTrust: Going forward, CCADB disclosure will be included in the upfront planning of any new not fully technically constrained Intermediate CA generation, with an exact target date for disclosure settled prior to Intermediate CA generation. Through procedural controls, the CCADB disclosure date will not be later than the earlier of 7 days from Intermediate CA generation or the date of first end-entity certificate issuance.

Actual results:

Assignee: wthayer → roots
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]
Summary: Failure to disclose Unconstrained intermediate Within 7 Days → Identrust: Failure to disclose Unconstrained intermediate Within 7 Days

The priority flag is not set for this bug.
:kwilson, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(kwilson)

Correcting bug type to task.

Type: defect → task
Flags: needinfo?(kwilson)
Flags: needinfo?(wthayer)

It appears that all questions have been answered and remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(wthayer)
Resolution: --- → FIXED
Product: NSS → CA Program
Summary: Identrust: Failure to disclose Unconstrained intermediate Within 7 Days → IdenTrust: Failure to disclose Unconstrained intermediate Within 7 Days
Whiteboard: [ca-compliance] → [ca-compliance] [disclosure-failure]