Thanks for your comments.
Agree with you. Audits are not the only answer to control a delegated SubCA, but it’s a root program requirement. We could implement some other measures if the root program required it. Nevertheless, I would like to provide you and the community with a deeper explanation of our process to issue a delegated SubCA certificate and the current controls we have already implemented and those we want to implement in order to gain control over every certificate issued under any Camerfirma root.
1.- First of all, every SubCA certificate issuance must be approved by our Board of Directors. All requests are evaluated on the basis of the organization's activity, financial situation and technical knowledge. In fact, all of our SubCAs are ruled by organizations with a previous commercial and/or institutional relationship with Camerfirma. So far Camerfirma has issued only three delegated SSL SubCAs: Infocert (institutional), Intesa SanPaolo (commercial relationship through Infocert) and Multicert (previous commercial relationship).
2.- We control them legally by means of a contract which states that Camerfirma could take any action in case of any violation of our Policies, CPS, BR and EV requirements. We had already included in the contract the need of revoking misissued certificates in the terms stated by the BR requirements; otherwise a complete report with a remediation plan is needed.
3.- Every delegated SubCA has its own lint control, but a second pre-issuance check against the Camerfirma central lint (working as a REST service from 2019-03-22) must be carried out. Only after a successful check against the Camerfirma central lint is the certificate issued; otherwise an error message is sent by the REST service. Moreover, a quality control operator makes a daily post-issuance control (crt.sh) of every certificate issued by any of our SubCAs. This last step is helping us improve our central lint, in case we still find misissued certificates.
All certificates issued by Intesa and Infocert since April 2018 have been issued properly thanks to the Camerfirma central lint control. This is also true for Multicert, since the bugs detected are related to other issues like audit reports, revocation period, etc., and without taking into account the entropy issue.
The bugs you mentioned also show that we are, in some cases, not answering your requirements in a timely manner and not with a comprehensive and deep description. In this way we are going to change the way we interact with the root programs, improving bug management and strengthening the controls at a Directive level.
Regarding the Bug 1557085,
(Certificates misissued in April 2018) This bug was detected by the Camerfirma quality team in a corrective post-issuance control. Lint control was not working in those days.
Additionally, we have an issue about revoking time. We found that we should be more precise about the explanation, case by case. To solve this problem, Camerfirma will work with the delegated SubCAs to define a contingency procedure to substitute the misissued certificates on a timely basis. To achieve this it is important to involve end users in this contingency plan and make them aware of this possible situation.
Missing Audit. At this moment all audit issues have been solved. Nevertheless, we will increase the control over audit timing. Camerfirma reviews the audit presented by the delegated SubCA prior to disclosing it in the CCADB. Sometimes we find problems about the scope or some bugs not declared in the audit report, and a new version is needed. This process is time-consuming and jeopardizes fulfilling the CCADB disclosure deadline.
In this bug we weren’t able, like many other CAs, to detect this mistake by means of the lint control. We already fixed this problem in our central lint in order to avoid this problem in the future.
Regarding the Multicert audit, it is already solved. Problems with the audit report were already described in the previous bug. Camerfirma works with the delegated SubCAs in order to solve these problems.
We face the same issue about the revocation period. We have notified the SubCAs of the obligation to fulfil the period of revocation and to disclose this issue to all customers. Complete information must be provided in case this wasn’t possible because it would produce a high-risk situation.
To solve this issue, more resources have been dedicated to delegated SubCA management and control. People from the compliance area have been added to the Technical staff team.
Bug 1509002 (Camerfirma: MULTICERT certificates with a validity period greater than 825 days), Resolved by the Camerfirma Central Lint
Bug 1481862 (MULTICERT organizationName Too Long), Resolved by the Camerfirma Central Lint
Bug 1455147 Camerfirma: (Missing audit for Intermediate certificate), New team: Technical & compliance is working from now on to control audit report timing with the delegated SubCAs.
and Bug 1426233 (Infocert - Non-BR-Compliant OCSP Responders). At the moment we have a team in charge of identifying changes to make sure that all ramifications of all changes to the BRs are incorporated into our operations, both procedural and technical.
1443857 (Non-BR-Compliant Issuance - DNSName is empty) In this case lint is for internal use in Camerfirma (to be ready next August the 15th), not for SubCA.
1357067 (certs with duplicate SANs and without localityName or stateOrProvinceName),
This case is also for internal Camerfirma PKI platform use (external RA) 2 years ago and was corrected. At that moment Camerfirma did not have delegated RAs for SSL.
As we have mentioned before, Multicert, like the other delegated SubCAs, will be controlled by the special multifunctional team, in order to get a full, direct and impartial knowledge of Multicert procedures, and by the already working pre-issuance central lint control filter as well.
In conclusion, based on the previous comments, we would like to emphasize that from Camerfirma we have dedicated, and continue dedicating, resources and efforts to improve and increase our levels of requirement to comply with the BR and EV ones. Although the vicissitudes of the experiences can sometimes generate errors or quality defects, at least these have the merit of generating the improvement of our procedures, in particular thanks to the reinforcement of our quality and compliance departments and the application of internal procedures and external controls related to the BR and even more. We want to convince the Community that our procedures, as well as the additional improvements we are proposing now, are applied (and will be applied) in a strict way, and not only regarding the technical level but also in our identification procedure and document requirements prior to the certificates' issuance, which are not always visible to the Community.
You can rest assured that our main interest is that the Community trusts us just like we trust the Community, and for these purposes we are working and collaborating to solve any problems that can happen regarding Camerfirma certificates and delegated SubCA certificates.
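As an added illustration (not part of the original message and not Camerfirma's code), the Go sketch below shows a pre-issuance lint gate of the kind described in point 3, applied to a to-be-signed template and covering the defect classes named in the bugs listed above. The function names, finding strings and sample values are assumptions constructed for this example.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
	"time"
)

const maxValidity = 825 * 24 * time.Hour // limit named in Bug 1509002
const maxOrgLen = 64                     // X.520 upper bound for organizationName

// lintTBS returns one finding per defect; an empty result means "may issue".
func lintTBS(c *x509.Certificate) []string {
	var f []string
	if c.NotAfter.Sub(c.NotBefore) > maxValidity {
		f = append(f, "validity period greater than 825 days")
	}
	for _, o := range c.Subject.Organization {
		if len([]rune(o)) > maxOrgLen {
			f = append(f, "organizationName too long")
		}
	}
	if len(c.Subject.Organization) > 0 && len(c.Subject.Locality) == 0 && len(c.Subject.Province) == 0 {
		f = append(f, "no localityName or stateOrProvinceName")
	}
	seen := map[string]bool{} // DNS names compare case-insensitively
	for _, n := range c.DNSNames {
		if n = strings.ToLower(n); n == "" {
			f = append(f, "dNSName is empty")
		} else if seen[n] {
			f = append(f, "duplicate SAN "+n)
		}
		seen[n] = true
	}
	return f
}

// sample builds a constructed template; all names are placeholders.
func sample(days int, org string, locality []string, sans ...string) *x509.Certificate {
	nb := time.Date(2019, 4, 1, 0, 0, 0, 0, time.UTC)
	return &x509.Certificate{NotBefore: nb, NotAfter: nb.AddDate(0, 0, days), DNSNames: sans,
		Subject: pkix.Name{Organization: []string{org}, Locality: locality}}
}

func main() {
	fmt.Println(lintTBS(sample(900, strings.Repeat("A", 70), nil, "www.example.test", "WWW.example.test", "")))
	fmt.Println(lintTBS(sample(397, "Example Org", []string{"Madrid"}, "www.example.test")))
}
```

A gate like this only signs when the returned slice is empty; anything else is sent back to the requesting SubCA as the error response.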