Closed Bug 1565494 Opened Last month Closed 11 days ago

CFCA: Missed CPS update publication on website in 2018

Categories

(NSS :: CA Certificate Compliance, task)


RESOLVED FIXED

People

(Reporter: sunny_bxl, Assigned: sunny_bxl)

Details

(Whiteboard: [ca-compliance])

Attachments

(1 file)

15.39 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document
Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36

Steps to reproduce:

  1. The risk and compliance work would start earlier in the future for any key practice change.
  2. The CPS writing and review workflow would be modified to better meet the annual publication requirement.

Actual results:

As requested by Mozilla and Google, CFCA maintained annual updates to the CFCA Global Trust CPS and published them on its website. Since the certificate transparency requirements came into force in May 2018, CFCA spent a long time evaluating the compliance and policy risks compared with Chinese laws on information security and commercial cryptography regulations. On the other side, CFCA decided to stop its code signing business in March 2018 and revoked the subordinate CAs (CFCA EV CodeSign OCA and CFCA OV CodeSign OCA) in October 2018. For these two important changes in this business, we decided to update the global trust system CPS to a key version (V3.3 to V4.0), and this led to the missed update publication in 2018.

Expected results:

CFCA would publish the new version of the CPS in late July or early August 2019.

Assignee: nobody → wthayer
Component: Documentation → CA Certificate Compliance
QA Contact: jjones → wthayer
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Dan: will you please remove the security-sensitive flag from this bug?

Assignee: wthayer → sunny_bxl
Type: defect → task
Flags: needinfo?(dveditz)
Whiteboard: [ca-compliance]
Group: crypto-core-security
Flags: needinfo?(dveditz)

Oliver: thank you for this incident report.

  • Please update your answer to question #1 to describe how CFCA discovered this problem. From the answer to question #2, it sounds like CFCA was aware of this requirement but failed to disclose the fact that it had been violated until now. Also, the answer to question #2 should look something like this:

September 1, 2017: CFCA updated CPS to version 3.3
May 1, 2018: CT requirements in effect. Work begins on CPS version 4.0
September 1, 2018: Failed to meet requirement to update CPS annually.
July 12, 2019: Incident reported
August 1, 2019: Version 4.0 of CPS will be published

  • Why was it not possible for CFCA to publish a 'version 3.4' without the changes that were the cause of the delays?

  • It appears to me that CFCA's current CPS (version 3.3) does not comply with the BRs. Section 3.2.2.1(6) appears to allow the use of domain validation methods that are now forbidden. Has CFCA reviewed the CP and CPS and disclosed all parts that violate the BRs?

  • How long does it normally take CFCA to obtain approval to update the CP or CPS? Mozilla expects CAs to incorporate new requirements (BR or Mozilla policy) within a "reasonable" amount of time, meaning within 60 days of the requirement going into effect. Please confirm that CFCA is capable of meeting this expectation, or if not, please explain what CFCA will change so that it can meet this expectation in the future.

Flags: needinfo?(sunny_bxl)

(In reply to Wayne Thayer [:wayne] from comment #2)

Hi, Wayne:

  1. According to our previous reply, CFCA made major business adjustments in 2018. Because CT requires disclosure of CA logs, we had a long internal discussion about the business impact; a minor version change of the CPS would not conform to the requirements of CFCA's relevant document management. Because we finally revoked EV CodeSign and OV CodeSign in October 2018, the work of finalizing and informing customers of the related business impact was not completed until January 2019.

  2. The compilation and approval period for CFCA internal documents is generally 3 months. Because the CA log data would be transferred out of China in 2018, it needed to be filed with the competent authority, and only after it was approved could we reflect it in the CPS.

  3. In the future, CFCA will control document version changes more strictly and evaluate possible major business changes in advance, so as to prevent delays in revision caused by major business changes.

Flags: needinfo?(sunny_bxl)

CFCA would publish the new version of the CPS in late July or early August 2019.

Oliver: Has the new version of the CPS been published?

Early August has gone by. Why has no one from CFCA updated this bug?

Your response still does not explain how and when CFCA became aware of this violation. If CFCA was aware since September 2018, why was it not reported then, and why has it taken more than 11 months to publish a new version?

Flags: needinfo?(sunny_bxl)

(In reply to Wayne Thayer [:wayne] from comment #4)

Wayne:

As comment #3 said, CFCA made major business adjustments in 2018; the work of finalizing and informing customers of the related business impact was not completed until January 2019, and we spent a lot of time on the compilation and approval of CFCA internal documents. As a result, we didn't release the CPS in time.

We became aware of this in December 2018, but we weren't familiar with the reporting mechanism before; we didn't realize it needed to be reported until Ryan reminded us, and then we submitted the report immediately.

We have been promoting the revision, review and release of the CPS. It was published on August 9. Please visit this link for the new version. Thanks.
https://www.cfca.com.cn/upload/CertificationPracticeStatementOfCFCAGlobal-TrustSystemENG.pdf

Flags: needinfo?(sunny_bxl)

Oliver: thank you for your reply. I understand that CFCA identified the failure to publish an updated CPS in December 2018 and did not remediate the problem until 7 months later, on August 9 (8 days later than the CA's own deadline). Further, CFCA representatives failed to notify Mozilla that publication of the new CPS had been delayed.

The extreme delay in CPS updates is not acceptable. It means that CFCA can effectively ignore deadlines imposed in policy by Mozilla and the CA/Browser Forum. This incident, including the failure to notify Mozilla, and the failure to remediate the issue in a reasonable amount of time, has significantly reduced my confidence in CFCA to operate a trustworthy CA.

It appears that all questions have been answered and remediation is complete, so despite my concerns, I am resolving this bug.

Status: ASSIGNED → RESOLVED
Closed: 11 days ago
Resolution: --- → FIXED

(In reply to Wayne Thayer [:wayne] from comment #6)

Wayne:

Since CFCA joined the CA/Browser Forum, there have been few mistakes in our business. Whatever the case, we made a mistake in this incident. As members, we should understand the policies of Mozilla and the CA/Browser Forum, but we haven't done a good job recently.

I'm sorry for this. We have realized some problems and we will solve them in a timely manner.

Thanks again for the work you do.