Closed Bug 1549861 Opened 5 years ago Closed 4 years ago

Camerfirma: Outdated audit statements for intermediate certs

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kwilson, Assigned: eusebio.herrera)

Details

(Whiteboard: [ca-compliance] [audit-failure])

The following intermediate certs have outdated audit statements.

Please update their records in the CCADB with the current audit statement information as soon as possible.

https://ccadb.org/cas/intermediates

Please also provide an Incident Report for having overdue audit statements.
https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report

CA Owner: AC Camerfirma, S.A.

  • Certificate Name: InfoCert Organization Validation CA 3
    SHA-256 Fingerprint: 247A6D807FF164031E0EB22CA85DE329A3A4E6603DBC6203F0C6E282A9C9EA84
    Standard Audit Period End Date (mm/dd/yyyy): 12/06/2017
    BR Audit Period End Date (mm/dd/yyyy): 12/06/2017

  • Certificate Name: Intesa Sanpaolo Organization Validation CA
    SHA-256 Fingerprint: 27CDD699DE15EE88A05BB10ED9DF2FC5E4CA25B5FDD42988963A38EC8940D55A
    Standard Audit Period End Date (mm/dd/yyyy): 12/07/2017
    BR Audit Period End Date (mm/dd/yyyy): 12/07/2017

  • Certificate Name: MULTICERT SSL Certification Authority 001
    SHA-256 Fingerprint: 06A57D1CD5879FBA2135610DD8D725CC268D2A6DE8A463D424C4B9DA89848696
    Standard Audit Period End Date (mm/dd/yyyy): 12/19/2017
    BR Audit Period End Date (mm/dd/yyyy): 12/19/2017

Assignee: wthayer → eusebio.herrera
Status: NEW → ASSIGNED

We have updated the audit statements in CCADB.

(In reply to Eusebio Herrera from comment #1)

We have updated the audit statements in CCADB.

Thanks.

Please also provide an Incident Report for the delay in updating the CCADB with the current audit statements.
https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report

We're still awaiting an incident report regarding the failure to update this information.

Flags: needinfo?(eusebio.herrera)

Emailed POCs on 2019-07-04 regarding this issue, highlighting https://wiki.mozilla.org/CA/Responding_To_An_Incident#Keeping_Us_Informed

We are working to incorporate the incident report about this bug before 2019-07-18.

Camerfirma folks: It's now two months. We have zero updates.

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

Camerfirma first became aware of the problem, which consisted in the overdue audit statements, as a result of the Bugzilla bug on 2019-05-07.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

In response to the issue, Camerfirma updated the information registered in the CCADB with the data related to the audits performed for those certificates on 2019-06-05.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

The problem registered has not made the CA stop issuing certificates at any moment.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

The affected certificates were the following:

CA Owner: AC Camerfirma, S.A.

  • Certificate Name: InfoCert Organization Validation CA 3
    SHA-256 Fingerprint: 247A6D807FF164031E0EB22CA85DE329A3A4E6603DBC6203F0C6E282A9C9EA84
    Standard Audit Period End Date (mm/dd/yyyy): 12/06/2017
    BR Audit Period End Date (mm/dd/yyyy): 12/06/2017

  • Certificate Name: Intesa Sanpaolo Organization Validation CA
    SHA-256 Fingerprint: 27CDD699DE15EE88A05BB10ED9DF2FC5E4CA25B5FDD42988963A38EC8940D55A
    Standard Audit Period End Date (mm/dd/yyyy): 12/07/2017
    BR Audit Period End Date (mm/dd/yyyy): 12/07/2017

  • Certificate Name: MULTICERT SSL Certification Authority 001
    SHA-256 Fingerprint: 06A57D1CD5879FBA2135610DD8D725CC268D2A6DE8A463D424C4B9DA89848696
    Standard Audit Period End Date (mm/dd/yyyy): 12/19/2017
    BR Audit Period End Date (mm/dd/yyyy): 12/19/2017

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

N/A

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

This bug has been registered because of the following reasons:

  • We had established only one communication channel between the SubCA and Camerfirma.
  • We had only one person responsible for the review of the audit reports and the update of the CCADB, without considering any substitute in case of absence.
  • Mainly, the audit has found issues in the RA procedures regarding the technical environment. We depend on the annual audit to control the SubCA procedures and check the technical environment.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

We have established the following steps to prevent these kinds of issues in the future:

  • Define an automatic process to collect the reports from the SubCAs periodically.
  • Define a list of people responsible for this activity who receive and are capable of managing and registering the information.
  • Create a new channel for the communication between Camerfirma and the SubCAs through the email account acreditaciones@camerfirma.com. All the responsible persons will receive the information and the tasks will be assigned internally to one of them.

Flags: needinfo?(eusebio.herrera)

Eusebio: thank you for the incident report.

You state that "We depend on the annual audit to control the SubCA procedures and check the technical environment" but Camerfirma did not notice that these audits were missing until informed by Mozilla. This leads me to believe that Camerfirma does not provide adequate oversight for these unconstrained subCA, and that is greatly concerning. Please describe in detail the processes that Camerfirma uses to ensure that all of its subCAs are operating according to Mozilla and Camerfirma policies.

Also, please explain why this incident report was so terribly late in being delivered, and what Camerfirma will do to ensure that incident updates are timely in the future.

I will expect responses to these questions within one week from today as described in Mozilla's incident reporting guidance (https://wiki.mozilla.org/CA/Responding_To_An_Incident#Keeping_Us_Informed).

Flags: needinfo?(eusebio.herrera)

I would suggest that you review https://bugzilla.mozilla.org/show_bug.cgi?id=1566162 to get a sense for how another CA has responded to this type of concern.

The detailed process that Camerfirma has implemented (or is going to implement) to ensure that all of its subCAs are operating according to Mozilla and Camerfirma policies includes the following measures:

  1. Use an internal tool to register and be able to control all the audits that we have to perform to the subCAs. In this tool we are going to register the following information:

     a. Name of the SubCA
     b. Standard Audit Information
     c. BR Audit Information
     d. EV SSL Audit Information

  2. Generate alerts to follow up the audits and deadlines

  3. Establish states for the requests

     a. Planned
     b. Completed
     c. Documentation received
     d. Published
     e. Updated

In relation to the delay in our responses to your comments and information requests, we have been having problems with the assignment of resources to the management and follow-up of bugs. We can only say that from now on we have been working on an alert system to avoid that situation in the future and to manage the responses in a proper and timely manner.

Flags: needinfo?(eusebio.herrera)
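The incident report's remediation steps (an automatic process to collect subCA reports periodically, a defined group of responsible people) and the tracker described in comment #10 (per-subCA audit information, deadline alerts, and the five request states) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Camerfirma's internal tool, nor a Mozilla or CCADB component. The three records are the intermediates listed in the bug, with the audit period end dates exactly as reported there. The maximum statement age (a 12-month audit period plus a 3-month delivery window) is an assumed, configurable parameter to be set from the root-program policy the tracker is checking against; the `advance` helper enforces the state order from comment #10 so a record cannot be marked as updated in the CCADB without the earlier steps.

```python
"""Audit-statement tracker for subCA (intermediate) certificates.

Added example, not Camerfirma's tool and not Mozilla/CCADB code. It keeps one
record per subCA with the Standard and BR audit period end dates as shown in
the CCADB, a request state from the five states in comment #10, and an alert
routine that flags records whose older audit period end date has aged past
MAX_STATEMENT_AGE without the CCADB entry having been updated.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

# ASSUMPTION: a 12-month audit period plus a 3-month window to deliver the
# statement. Set this from the root-program policy you are tracking against.
MAX_STATEMENT_AGE = timedelta(days=365 + 92)


class RequestState(Enum):
    """Request states for an audit cycle, in the order listed in comment #10."""
    PLANNED = "Planned"
    COMPLETED = "Completed"
    DOCUMENTATION_RECEIVED = "Documentation received"
    PUBLISHED = "Published"
    UPDATED = "Updated"  # CCADB record refreshed with the new statement


@dataclass
class SubCAAuditRecord:
    name: str
    sha256: str
    standard_audit_end: date
    br_audit_end: date
    state: RequestState = RequestState.PLANNED


def parse_ccadb_date(text):
    """Parse the mm/dd/yyyy format used in the CCADB listing."""
    month, day, year = (int(part) for part in text.split("/"))
    return date(year, month, day)


def days_overdue(record, today):
    """Days by which the older of the two audit period end dates exceeds
    MAX_STATEMENT_AGE as of `today`; 0 when the record is still current.
    The older date drives the result because either statement being stale
    is a finding on its own."""
    oldest_end = min(record.standard_audit_end, record.br_audit_end)
    overdue = (today - oldest_end) - MAX_STATEMENT_AGE
    return max(overdue.days, 0)


def overdue_alerts(records, today):
    """(name, days_overdue) for every stale record whose CCADB entry has not
    yet been marked UPDATED, most overdue first."""
    alerts = []
    for record in records:
        days = days_overdue(record, today)
        if days > 0 and record.state is not RequestState.UPDATED:
            alerts.append((record.name, days))
    return sorted(alerts, key=lambda item: item[1], reverse=True)


def advance(record, new_state):
    """Move a record one step forward in the state sequence; refuse to skip
    a step or move backwards, so an UPDATED state implies the statement was
    received and published first."""
    order = list(RequestState)
    if order.index(new_state) != order.index(record.state) + 1:
        raise ValueError(
            f"{record.name}: cannot move from {record.state.value} "
            f"to {new_state.value}")
    record.state = new_state
    return record


# The three intermediates named in the bug, with the dates reported there.
RECORDS = [
    SubCAAuditRecord(
        "InfoCert Organization Validation CA 3",
        "247A6D807FF164031E0EB22CA85DE329A3A4E6603DBC6203F0C6E282A9C9EA84",
        parse_ccadb_date("12/06/2017"), parse_ccadb_date("12/06/2017")),
    SubCAAuditRecord(
        "Intesa Sanpaolo Organization Validation CA",
        "27CDD699DE15EE88A05BB10ED9DF2FC5E4CA25B5FDD42988963A38EC8940D55A",
        parse_ccadb_date("12/07/2017"), parse_ccadb_date("12/07/2017")),
    SubCAAuditRecord(
        "MULTICERT SSL Certification Authority 001",
        "06A57D1CD5879FBA2135610DD8D725CC268D2A6DE8A463D424C4B9DA89848696",
        parse_ccadb_date("12/19/2017"), parse_ccadb_date("12/19/2017")),
]

# Date the bug was filed, per the incident report.
BUG_FILED = parse_ccadb_date("05/07/2019")

if __name__ == "__main__":
    for name, days in overdue_alerts(RECORDS, BUG_FILED):
        print(f"ALERT {name}: audit statement overdue by {days} days")
```

Run periodically (the "automatic process" from the remediation steps), the alert list is what would have reached the responsible group before a root program had to open a bug; under the assumed 457-day threshold all three records were already overdue by more than six weeks on the day this bug was filed.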

(In reply to Eusebio Herrera from comment #10)

The detailed process that Camerfirma has implemented (or is going to implement) to ensure that all of its subCAs are operating according to Mozilla and Camerfirma policies includes the following measures:

  1. Use an internal tool to register and be able to control all the audits that we have to perform to the subCAs. In this tool we are going to register the following information:

Eusebio: when will this tool be put into use by Camerfirma?

Flags: needinfo?(eusebio.herrera)

The tool that we chose initially to control and follow up the audits of all our CAs was Smartsheet. We have been using it until now. However, as a decision of the company, we have migrated to Microsoft Office 365 and the company's recommendation is to try to use the tools included in that environment.

We have been testing the new tools in parallel to Smartsheet to perform the same tasks and we are also satisfied with their results, so we have decided to stop using Smartsheet and use only those new tools from January 31st.

Flags: needinfo?(eusebio.herrera)
Flags: needinfo?(wthayer)

It appears that all questions have been answered and remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(wthayer)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [audit-failure]