Closed Bug 1567061 Opened 5 years ago Closed 5 years ago

GoDaddy: inconsistent disclosure of externally-operated intermediate

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: agwa-bugs, Assigned: jfox)

Details

(Whiteboard: [ca-compliance] [disclosure-failure])

GoDaddy has disclosed the following intermediates as being operated under the same CP/CPS as parent:

https://crt.sh/?sha256=28689B30E4C306AAB53B027B29E36AD6DD1DCF4B953994482CA84BDC1ECAC996
https://crt.sh/?sha256=2D12B619A660CEFB013271831D891213FC434E982A21568256CF4E2E86324BEA

However, the same subject + SPKI is found in this Amazon Trust Services root certificate, which has a different CP/CPS:

https://crt.sh/?sha256=568D6905A2C88708A4B3025190EDCFEDB1974A606A13C6E5290FCB2AE63EDAB5

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Assignee: wthayer → jfox
Whiteboard: [ca-compliance]

GoDaddy acknowledges the inquiry. We will work to have a response to the community by EOD, July 26th.

These certificates were issued by GoDaddy as cross-certificates, and were signed by root certificates controlled by GoDaddy. In 2015 Amazon Trust Services acquired the root certificate https://crt.sh/?sha256=568D6905A2C88708A4B3025190EDCFEDB1974A606A13C6E5290FCB2AE63EDAB5 from GoDaddy and it is now operated under Amazon’s CP/CPS.

Joanna: Thanks for that explanation. However, I believe that's the point of concern/confusion; GoDaddy has disclosed both https://crt.sh/?sha256=28689B30E4C306AAB53B027B29E36AD6DD1DCF4B953994482CA84BDC1ECAC996 and https://crt.sh/?sha256=2D12B619A660CEFB013271831D891213FC434E982A21568256CF4E2E86324BEA and bound to the same CP/CPS as GoDaddy, and covered by GoDaddy's audit.

Both certificates are clearly not part of GoDaddy's audit, based on Appendix A, and based on Comment #2, also not bound by GoDaddy's CP/CPS anymore.

In terms of incident reporting, it seems that we're in agreement that GoDaddy should have disclosed both cross-certificates as under Amazon's audit and Amazon's CP/CPS, which GoDaddy is responsible for maintaining in CCADB for these two cross-certificates.

Have I misunderstood the report or the facts? If not, it would be good to file an incident report, on this bug, as to why GoDaddy disclosed this as "Audit same as parent" and "CP/CPS Same as parent", despite having transitioned control to Amazon. Similar to other CAs, it would be good to go through every disclosure by GoDaddy in CCADB and ensure it is correct, associated with the correct audit and CP/CPS, and report back any further corrections.

Flags: needinfo?(jfox)
Summary: GoDaddy / Amazon Trust Services: inconsistent disclosure of externally-operated intermediate → GoDaddy: inconsistent disclosure of externally-operated intermediate

It has been a week since GoDaddy's last response. Therefore, per Mozilla's incident response guidelines, GoDaddy needs to provide an update today explaining their progress in correcting this issue.

I believe there has been a misunderstanding of the information and I'll do my best to clear it up. The cross-certificates [1][2] were issued by a GoDaddy root [3] that is still bound to the GoDaddy CP/CPS and CCADB. The root certificate [4] was transferred to Amazon Trust Services at a later date. That is why the we have the cross-certificates [1][2] listed under our CP/CPS and CCADB while the root [4] is under Amazon's CP/CPS.

[1] https://crt.sh/?sha256=28689B30E4C306AAB53B027B29E36AD6DD1DCF4B953994482CA84BDC1ECAC996
[2] https://crt.sh/?sha256=2D12B619A660CEFB013271831D891213FC434E982A21568256CF4E2E86324BEA
[3] https://crt.sh/?sha256=1465FA205397B876FAA6F0A9958E5590E40FCC7FAA4FB7C2C8677521FB5FB658
[4] https://crt.sh/?sha256=568D6905A2C88708A4B3025190EDCFEDB1974A606A13C6E5290FCB2AE63EDAB5

We do agree that we should include these cross-certificates within Appendix A of our audit reports, and with the recommendation to audit CCADB to ensure all information is correct. We are currently working with our auditors on both efforts to make the necessary updates as soon as possible. However, our first priority is the work required for this investigation to best ensure we can avoid any additional issues in the future. We will provide a timeline of resolution of these items as soon as possible.

As always, we thank the community for bringing this to our attention and giving us the opportunity to address this appropriately.

Flags: needinfo?(jfox)

We have submitted our updated audit reports for review, see Bug 1572234 for more information regarding our cross certificate disclosures.

I see that the GoDaddy audit reports now include these certificates, so from an audit perspective I view this issue as having been resolved.

Mozilla policy is unclear on the proper CP/CPS disclosure in CCADB for cross-certificates, as discussed on m.d.s.p., so I consider this incident to be resolved. I have filed a CCADB issue to track future clarification of these requirements.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [disclosure-failure]
You need to log in before you can comment on or make changes to this bug.