- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
Camerfirma first became aware of the problem, which consisted of overdue audit statements, as a result of the Bugzilla bug on 2019-05-07.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
In response to the issue, Camerfirma updated the information registered in the CCADB with the data related to the audits performed for those certificates on 2019-06-05.
- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
The problem registered has not made the CA stop issuing certificates at any moment.
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
The affected certificates were the following:
CA Owner: AC Camerfirma, S.A.
• Certificate Name: InfoCert Organization Validation CA 3
SHA-256 Fingerprint: 247A6D807FF164031E0EB22CA85DE329A3A4E6603DBC6203F0C6E282A9C9EA84
Standard Audit Period End Date (mm/dd/yyyy): 12/06/2017
BR Audit Period End Date (mm/dd/yyyy): 12/06/2017
• Certificate Name: Intesa Sanpaolo Organization Validation CA
SHA-256 Fingerprint: 27CDD699DE15EE88A05BB10ED9DF2FC5E4CA25B5FDD42988963A38EC8940D55A
Standard Audit Period End Date (mm/dd/yyyy): 12/07/2017
BR Audit Period End Date (mm/dd/yyyy): 12/07/2017
• Certificate Name: MULTICERT SSL Certification Authority 001
SHA-256 Fingerprint: 06A57D1CD5879FBA2135610DD8D725CC268D2A6DE8A463D424C4B9DA89848696
Standard Audit Period End Date (mm/dd/yyyy): 12/19/2017
BR Audit Period End Date (mm/dd/yyyy): 12/19/2017
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
This bug has been registered for the following reasons:
- We had established only one communication channel between the SubCA and Camerfirma.
- We appointed only one person as responsible for the review of the audit reports and the update of the CCADB, without considering any substitutes in case of absence.
- Mainly, the audit has found issues in the RA procedures about the technical environment. We depend on the annual audit to control the SubCA procedures and check the technical environment.
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
We have established the following steps to prevent these kinds of issues in the future:
- Define an automatic process to collect the reports from the SubCAs periodically.
- Define a list of responsible persons for this activity who receive the information and are capable of managing and registering it.
- Create a new channel for the communication between Camerfirma and the SubCAs through the email account firstname.lastname@example.org. All the responsible persons will receive the information and the tasks will be assigned internally to one of them.