Closed Bug 1545208 Opened 6 months ago Closed Last month

Sectigo: Missing Changelog in CPS

Categories

(NSS :: CA Certificate Compliance, task)



RESOLVED FIXED

People

(Reporter: wayne, Assigned: Robin.Alden)

References

(Blocks 1 open bug)

Details

(Whiteboard: [ca-compliance])

The current version of Sectigo's CPS [1] has no apparent changelog as required by Mozilla Root Store Policy section 3.3.

[1] https://sectigo.com/uploads/files/Sectigo-CPS-v5.0.pdf

If a changelog that meets Mozilla's requirements does exist, please explain how to find it. If not, then please provide an incident report in this bug, as described here:
https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report

Robin, another Sectigo incident that has gone unresponded to for a long period of time.

Flags: needinfo?(Robin.Alden)
Blocks: 1563579
  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

We first became aware of the problem by the creation of this bug #1545208 at 2019-04-17 19:08:13 UTC and its assignment to Robin Alden.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

2019-04-17 Wayne created this bug.
2019-04-23 In internal discussion we realized that the compliance team had missed the introduction of the requirement for a dated changelog entry when Mozilla’s policy version 2.5 was introduced.
2019-04-23 We created CPS v5.1.1 as an internal document, including a changelog reaching back to version 5.0. The Certificate Policy Authority approved this version for publication.
2019-04-24 CPS v5.1.1 was published as the current version in our repository.
2019-05-06 CPS v5.1.2 was approved and published. It updated the changelog.
Our previous CPS documents remain available at https://sectigo.com/certificate-practice-statement-archive

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

We issued a new CPS version which incorporated a change-log going back to the last major revision. We now maintain that change-log for each CPS update going forward.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

We should have added a change-log to each CPS issued since Mozilla Policy 2.5 came into effect on 2017-06-23, which means that the following CPS revisions were deficient in this regard:
https://sectigo.com/uploads/files/Comodo_CA_CPS_4.1.7.pdf
https://sectigo.com/uploads/files/Comodo-CA-CPS-4-1-8.pdf
https://sectigo.com/uploads/files/Comodo-CA-CPS-4-1-9.pdf
https://sectigo.com/uploads/files/Comodo-CA-CPS-4-2.pdf
https://sectigo.com/uploads/files/Sectigo-CPS-v5.0.pdf
https://sectigo.com/uploads/files/Sectigo-CPS-v5.1.pdf

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

This omission is dismaying for us, because in https://bugzilla.mozilla.org/show_bug.cgi?id=1518553#c3, on 2019-01-09, we said:
“We previously had an informal process to review Mozilla CA Policy changes.
We have our internal audit team now hooked into monitoring and tracking Mozilla Policy changes.
We are making a new review of our compliance with each item of Mozilla policy, reviewing both current issuance and historic certificate issuance to ensure compliance”

The problem appears to be that we did not then reach back to analyse Mozilla Policy changes that had happened since 2.4.

In https://bugzilla.mozilla.org/show_bug.cgi?id=1518553#c7, on 2019-02-21, we said:
“After a review of our compliance with Mozilla policy we find that although we are substantially in compliance, in addition to the issue identified by the OP where we permitted p521 subscriber keys we have also identified that we had not restricted RSA subscriber keys to have moduli divisible by 8.”

The reviewer of our compliance with Mozilla policy used Mozilla’s own self assessment spreadsheet, which was good, but regrettably the version of the self assessment spreadsheet used was from 2018 and did not include a checklist item concerning the CPS changelog.

We see that the latest version of the self assessment spreadsheet does include this checklist item.

We realize that the responsibility to check our compliance with Mozilla’s policy is ours and that reliance on a possibly outdated self assessment spreadsheet is not a justification for failing to comply with the policy as written.

We have a fresh compliance review in progress.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

We have reviewed the checklist that we use for Mozilla policy compliance review and added additional items and/or comments where needed.

We are repeating our review of compliance with Mozilla policy. We anticipate having the result of that review by 19th July.

We apologize for our delayed response to this bug. We will address that delay in our response to bug 1563579 (Sectigo: Failure to provide timely incident reports)

Whiteboard: [ca-compliance] → [ca-compliance] - Next Update - 20-July 2019

I do not yet have confirmation that the compliance review was completed, although I think it was. I will confirm here either way early next week.

The compliance review was completed on 2019-07-17.
We find our practice to be compliant with Mozilla's policy, but we identified some areas where we do not state in our CPS the measures we take to be compliant.
E.g., for Mozilla's policy's restrictions on key sizes and algorithms used by subscriber keys, of which we fell foul in bug #1518553, the practice was corrected but the CPS does not mention these restrictions.
We are preparing a further CPS revision, that will naturally include a changelog entry, which will further expand on stating our practice.

Flags: needinfo?(Robin.Alden)
Whiteboard: [ca-compliance] - Next Update - 20-July 2019 → [ca-compliance]

We anticipate having the CPS update live in the next couple of days.

Flags: needinfo?(Robin.Alden)

Robin: has the CPS been updated? Please provide a link.

The CPS revision went live on our website on 15th August.
https://sectigo.com/uploads/files/Sectigo-CPS-v5.1.4.pdf

Flags: needinfo?(Robin.Alden)

It appears that all questions have been answered and remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: Last month
Resolution: --- → FIXED