1575125 - DigiCert: Apple: Unconstrained intermediate CAs not included in WTBR report

Status: RESOLVED FIXED

(CA Program :: CA Certificate Compliance, task)

Description

[Apple CA]

Incident Report

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

   On 25-July-2019, our Root provider, DigiCert, notified us that Apple IST CAs 5, 6 and 7 needed to be included on an amended WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security (WTBR) report for the 16-April-2018 to 15-April-2019 audit period to comply with the audit requirements of the Mozilla Root Store Policy as they are non-constrained CAs capable of issuing TLS server certificates. On 05-August-2019, DigiCert notified us of the “Failure to disclose Unconstrained Intermediate within 7 Days” incident report.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

   • 25-July-2019: DigiCert notified us that Apple IST CAs 5, 6 and 7 needed to be included on an amended WTBR report for the 16-April-2018 to 15-April-2019 audit period to comply with the audit requirements of the Mozilla Root Store Policy as they are non-constrained CAs capable of issuing TLS server certificates.

   • Between 25-July-2019 and 05-August-2019: We had on-going communication with DigiCert to clarify the nature of the incident and to identify appropriate remediation actions. We also began internal discussions on the remediation plan as well as initial discussions with Ernst & Young (our WebTrust assessors). We confirmed that no TLS server certificates had been issued from the CAs.

   • 05-August-2019: DigiCert notified us of the “Failure to disclose Unconstrained Intermediate within 7 Days” incident report.

   • 06-August-2019: We met with the WebTrust assessors to finalize the plan to amend the WTBR report for the 16-April-2018 to 15-April-2019 audit period.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

   N/A - no TLS server certificates have been issued from Apple IST CAs 5, 6 or 7.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

   N/A - no TLS server certificates have been issued from Apple IST CAs 5, 6 or 7.

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

   Apple did not include three unconstrained CAs in our most recent WTBR report. These CAs were however included in the WebTrust Principles and Criteria for Certification Authorities (WTCA) report.

   • Apple IST CA 5 - G1: https://crt.sh/?id=12716200
   • Apple IST CA 6 - G1: https://crt.sh/?id=19602741
   • Apple IST CA 7 - G1: https://crt.sh/?id=19602724

   No TLS certificates were issued from Apple IST CAs 5, 6 or 7.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

   At the time Apple IST CAs 5, 6, and 7 were created (June-2014), the requirement to include unconstrained CAs in the WTBR audit was ambiguous. However, the CAs were, and have always been, included in the WTCA audit. Because they were never used to issue TLS server certificates, and we were not following the discussions in the mozilla.dev.security.policy (m.d.s.p.) thread during the time that Version 2.4.1 of the Mozilla Root Store Policy was adopted, they were not included in the WTBR audit. This oversight was not detected until 25-July-2019 when we were notified by DigiCert.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

   • We are working with our WebTrust assessors to amend our most recent WTBR audit to scope in Apple IST CAs 5, 6, and 7. The audit work is expected to be complete by the end of September.

   • We have reviewed all CAs to ensure that audit scoping is appropriate and have updated our processes to ensure that any future CAs that are created fall within the appropriate audits per Mozilla’s requirements.

   • Subsequent to the effective date of Version 2.4.1, and prior to identifying the current issue, a process was implemented to monitor the m.d.s.p. thread.

   We expect to provide the next update on or about September 30.

Comment 1

[Ryan Sleevi]

As communicated to DigiCert in Bug 1563573, these certificates need to be revoked.

In terms of applying consistent, equal standards to CAs, and based on the evidence and information at hand, there is no reasonable path to 'correct' years of missing audits retroactively. This is entirely consistent with how Symantec issues were handled, and viewed as a deeply concerning, systemic issue

Comment 2

[Wayne Thayer]

Per bug #1563573 comments 38 and 39, these three Apple subCAs will be added to OneCRL to remediate this incident.

Comment 3

[Apple CA]

The following CA certificates have been revoked by DigiCert:

• Apple IST CA 5 - G1: https://crt.sh/?id=12716200
• Apple IST CA 6 - G1: https://crt.sh/?id=19602741
• Apple IST CA 7 - G1: https://crt.sh/?id=19602724

Comment 4

[Wayne Thayer]

These CAs are also now in OneCRL.