Closed Bug 1547072 Opened 5 months ago Closed 5 months ago

Certinomis: Use of Domain Validation Method 3.2.2.4.5 after August 1, 2018

Categories

(NSS :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: wayne, Assigned: francois.chassery)

Details

(Whiteboard: [ca-compliance])

In bug 1544933, Certinomis stated that they have been using BR domain validation method 3.2.2.4.5 after the deadline on which it was no longer permitted (August 1, 2018).

Please provide an incident report, as described at https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report

May I point out that in the January 2018 communication, question 2, Certinomis answered:

We have no valid certificates that were issued using these methods.

"[T]hese methods" being .1 and .5, and "valid" is not expired nor revoked. This may have been true, but could Certinomis supply a list of all certificates issued with either .1 or .5 method, specifically to confirm this answer?

Francois: please provide an incident report as requested.

Flags: needinfo?(francois.chassery)

Franck Leroy posted the following comment to bug 1544933 in regard to this issue:

Hi,

I'm no longer part of Certinomis CA, so I am writing this comment during the weekend on my personal time.

I think there is a misunderstanding; the validation process described by François is only applicable to French RGS server certificates with "clientAuth" key usage (so not under BR rules).

For PTC (i.e. with "serverAuth" key usage) on 1st August 2018 the only validation methods that shall be applied by RA operators are the well-known phone call process and the email validation to the addresses defined in the BR (webmaster@ admin@...).

These two validation methods were manual ones, so subject to human error.
Before I left there was some development to allow the applicant to validate the domains before filling in any application forms.

This new automated validation feature was to be available by the end of 2018.

I understand that this new feature has been developed and not yet used in production, and that a human validation error has been made by an RA operator confused by the fact that the organisation was "COMMUNE LE CANNET" and by the fact that the applicant also made an error in the CSR, which contained a '-' instead of a '.' to separate the domain name in the FQDN (mediatheque-lecannet.fr instead of mediatheque.lecannet.fr).

Hope this helps.
Franck

Dear Wayne,

I confirm after checking what Franck wrote, which means I have no certificate to declare under the present Bug 1547072.

By the way, I am on holiday until the 14th of May; please excuse my slow answering.

Kind Regards,

François

Flags: needinfo?(francois.chassery)

Francois, is there someone that has been delegated as an alternative point of contact, and can ensure prompt and thorough feedback? While vacations are understandable, ensuring there is a continuity of operations and multiple parties who can provide timely responses is key to maintaining a trusted CA.

I'm concerned that, given the response, it's now unclear how Certinomis actually validates domains, as originally captured in Bug 1544933, and it's equally concerning that representatives themselves are unsure and rely on the good-will of former employees.

Can you please document how Certinomis validates domains, as was originally requested, based on this new understanding? What was the information your auditors/CABs examined in order to form an opinion as to how you validate?

Flags: needinfo?(francois.chassery)

Dear Ryan,

There are two other persons who receive the Bugzilla e-mail and who can contact me on my mobile phone.
In addition, I check my e-mail twice a day during holidays.
This is how we guarantee continuity of activity.

On the current issue, it happened that Franck LEROY answered, quicker than I did, and that he gave an answer that was right.
It does not mean that Certinomis relies on a former employee.
Indeed, you raised a doubt with your comment #8 of bug 1544933; I answered that an extensive control would be done, and it has been done. So, “after checking” as written in comment #4 of the present bug, I am stating that no certificate has been issued following method 3.2.2.4.5.
And then, as the previous answer recalled in comment #3 is true, there is no reason for me to deny it; my own answer can only be a confirmation of that previous true answer.

Now, please find below our procedure for domain validation, present and near future:

A - PRESENT:

  1. Creating the request
    A representative of a client connects to our RA Front-Office (login + password).
    At the first order he needs to create an access account and describe his company.
    If he has a CSR, he copies and pastes it into the GUI; if not, he goes directly to the next step.
    Then he describes the server identity (CN, SAN, state and town) and the identity of the person responsible for the server.
    Afterwards, payment information.
    At the end, the representative of the client obtains a PDF file that he shall print, sign and send to our RA team (no copies are accepted).
    If it is a server that shall be recognised by the French administration (the main part of our sales), the representative of the client shall join a proof of incorporation (for a company) or a proof of election of the authority (for a local administration) or a proof of nomination (for a ministry or an agency) and a copy of the ID card or passport of every stakeholder (the legal representative of the organisation and the person responsible for the server, as a minimum).

  2. Controlling the request
    The first control is on the organisation:

  • For a server for "commercial" purpose we check in the national database "http://avis-situation-sirene.insee.fr/" that the organisation exists.
  • For a server recognised by the French administration, we check the documentation described above at the end of point 1.

    The second control is on server identity:

  • The registration operator searches with a "whois" to check that the domain name exists and to find the coordinates to contact the Domain Name Registrant, and to phone him to confirm he authorizes the issuance of a certificate.
  • If the operator cannot find the requested information with "whois", he sends an e-mail to the five e-mail addresses corresponding to method 4 and waits for an answer before producing the certificate.
  • In addition to this, if the client is not the owner of the domain name, he shall supply us with a written and signed "domain name authorisation".

  3. Specific case: external RA for an organisation
    For some important customers (big company or administration) we may create an Enterprise RA that has a delegation to validate their server certificates. These RAs are restricted to the specific domain names owned or controlled by an organisation.
    The certificate that can be validated must be for a domain name or a subdomain of a domain name that has been previously controlled and validated by a Certinomis RA operator, with the same method described in point 2 above.
    The company name O= must be the company to which the external RA operator belongs (every RA operator is identified with a certificate on a smart card).
    No domain name can be added by the external RA operators on their own.

B - SOON (planned mid May 2019)

  1. Creating the request
    Before creating a server certificate request, the representative of the client shall "add" the domain name to the account of his company.
    If he does not, the entry of the request will be impossible.
    To proceed, he shall click on a specific button "add a domain name" and then enter the domain name.
    The program will then send an e-mail to the five required e-mail addresses, containing a clickable URL.
    When any of these is clicked on, the domain name will be registered; the click shall occur within a thirty-day period after sending.
    Afterwards the representative of the client can create his certificate request with the same actions as he uses now.

  2. Controlling the request
    No change with the exception of the sending of e-mail to the contact of the domain name because the completion of this step conditions the possibility of a request as described in point B-1.

  3. Specific case of the external RA
    The method for adding a new domain name requires that an operator of the external RA request its addition by using a specific button "add a domain name" and then entering the domain name.
    The RA will then automatically send an e-mail to the five required e-mail addresses, containing a clickable URL.
    When any of these is clicked on, the domain name will be registered; the click shall occur within a thirty-day period after sending.
    A notification is sent to the Certinomis RA administrator, who shall confirm the addition of this domain name in the RA after control of its ownership.
    After this, the external RA operator can request certificates for this domain name and validate these directly.

The order of operations in this point B-3 is as follows:

  1. Requesting addition of the domain name in the GUI;
  2. Sending of an e-mail with a clickable URL by the RA software to the five "predetermined" addresses;
  3. Click on the URL by one of the recipients within 30 days;
  4. Control of the owner of the domain name manually by a Certinomis human operator and request of domain name authorisation, or any proof of a contractual link between the owner of the domain name and the applicant, if the client is not the owner of the domain name;
  5. Validation of the domain name in the External RA space.

To avoid any doubt, it will not be possible for our operators to proceed to #5 if #1 to #3 have not been previously performed in the order described above.

Kind Regards,

François

Flags: needinfo?(francois.chassery)
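
The planned flow in point B-1 above (five e-mails carrying a clickable URL, a thirty-day window, no request without a registered domain), sketched as an added example that is not Certinomis code. `DomainRegistry`, its method names and the token format are hypothetical; the five local parts are those of BR method 3.2.2.4.4. The label-by-label check also shows why an FQDN such as `mediatheque-lecannet.fr` does not fall under a validated `lecannet.fr`.

```python
import hmac
import secrets
from datetime import timedelta

# Local parts of the five constructed addresses (BR method 3.2.2.4.4).
LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")
LINK_LIFETIME = timedelta(days=30)  # "within a thirty days period after sending"


def normalize(name):
    return name.strip().lower().rstrip(".")


class DomainRegistry:
    """Hypothetical per-account store of pending and validated domains."""

    def __init__(self):
        self.pending = {}       # domain -> (token, time the e-mails were sent)
        self.validated = set()

    def add_domain(self, domain, now):
        """Step 'add a domain name': returns the recipients and the URL token."""
        domain = normalize(domain)
        token = secrets.token_urlsafe(32)
        self.pending[domain] = (token, now)
        return [f"{lp}@{domain}" for lp in LOCAL_PARTS], token

    def confirm_click(self, domain, token, now):
        """Register the domain only for the right token, inside the lifetime."""
        domain = normalize(domain)
        if domain not in self.pending:
            return False
        expected, sent_at = self.pending[domain]
        if now - sent_at > LINK_LIFETIME:
            del self.pending[domain]        # expired link: start over
            return False
        if not hmac.compare_digest(expected, token):
            return False
        del self.pending[domain]
        self.validated.add(domain)
        return True

    def may_request(self, fqdn):
        """Allow a request only if the FQDN is, label by label, at or under a
        validated domain. 'mediatheque-lecannet.fr' is not under 'lecannet.fr'."""
        labels = normalize(fqdn).split(".")
        return any(".".join(labels[i:]) in self.validated
                   for i in range(len(labels)))
```
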

Thank you for the additional information Francois.

While comments may continue, I'm marking this bug invalid based on the information that has been presented.

Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → INVALID