Closed Bug 1596949 Opened 26 days ago Closed 9 days ago

Government of Spain FNMT: CP/CPS lack CAA processing details

(NSS :: CA Certificate Compliance, task)

RESOLVED FIXED

(Reporter: agwa-bugs, Assigned: alain)

(Whiteboard: [ca-compliance])

BR 2.2 states:

Effective as of 8 September 2017, section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state the CA's policy or practice on processing CAA Records for Fully Qualified Domain Names; that policy shall be consistent with these Requirements. It shall clearly specify the set of Issuer Domain Names that the CA recognises in CAA "issue" or "issuewild" records as permitting it to issue. The CA SHALL log all actions taken, if any, consistent with its processing practice.

However, the CP/CPS disclosed for https://crt.sh/?sha256=DB0DA16032F1643A2496FDE742E2BBE81DACA58CD7612061420E154CE1BCE2BD lack any mention of CAA processing in section 4.2 or 4.1:

The latter document does discuss CAA processing in 6.1.1, but it doesn't specify the Issuer Domain Names.
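To make concrete what the "set of Issuer Domain Names" required by BR 2.2 actually controls, here is an added example (not code from the bug, the BRs, Mozilla or FNMT): a minimal RFC 8659 CAA evaluation in which the very same CAA records permit or forbid issuance depending only on which issuer names the CA has declared that it recognises. The zone contents and CA names are constructed; real DNS lookups, DNSSEC validation and CNAME handling are out of scope.

```python
# Added example: RFC 8659 CAA issue/issuewild evaluation against a CA's declared
# Issuer Domain Names. Not FNMT's or Mozilla's code; zone and names are made up.
from dataclasses import dataclass

@dataclass
class CAA:
    flags: int   # bit 7 (0x80) is the Issuer Critical flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # for issue/issuewild: "<issuer-domain-name>[; params]" or ";" (no CA)

# Constructed zone for the example (hypothetical names): name -> CAA RRset
ZONE = {
    "example.test": [CAA(0, "issue", "ca-one.test"), CAA(0, "issuewild", ";")],
    "www.example.test": [],                       # exists but has no CAA records
    "crit.test": [CAA(0x80, "futuretag", "x")],   # unknown property marked critical
}

def relevant_rrset(fqdn, zone):
    """RFC 8659 s3: the first non-empty CAA RRset walking from the FQDN toward the root."""
    name = fqdn[2:] if fqdn.startswith("*.") else fqdn  # the "*" label itself is not queried
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None

def issuer_domain(value):
    """The Issuer Domain Name is the text before ';'; parameters after it are ignored here."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(fqdn, recognised, zone=ZONE):
    """True if a CA that recognises `recognised` as its Issuer Domain Names may issue for fqdn."""
    rrset = relevant_rrset(fqdn, zone)
    if rrset is None:
        return True   # no CAA RRset anywhere up the tree: issuance is not restricted
    if any(r.flags & 0x80 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False  # critical property the CA does not understand: MUST NOT issue (s4.1)
    tag = "issue"
    if fqdn.startswith("*.") and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # wildcard names use issuewild when present, else issue (s4.3)
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True   # CAA present but no applicable issue/issuewild property: not restricted
    permitted = {issuer_domain(r.value) for r in relevant}  # ";" yields "" = no CA at all
    return bool(permitted & {d.lower() for d in recognised})
```

A CPS that never states which names the CA treats as its own leaves `recognised` undefined, so neither the CA's auditor nor a domain holder publishing CAA records can tell which of these outcomes will apply.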

Angel: Can you provide more details here, along with an incident response that analyzes the root cause for this?

I tried to assign to Rafael Medina, FNMT's primary PoC and who is listed in CCADB as having a Bugzilla account, but that failed. Can you confirm the contact information is correct?

Assignee: wthayer → alain
Flags: needinfo?(alain)
Whiteboard: [ca-compliance]

Effectively, the CP/CPS does not specify the set of Issuer Domain Names that the CA recognises in CAA "issue" records as permitting it to issue. We have recently identified this lack and it has been collected in order to make other changes to the CPS (continuous improvement process).
However, since this topic is not compliant with the BRs, we are going to modify the CPS in the next few days. We will inform about it.
Regarding the contact info, it is necessary to change FNMT's primary PoC to me, but I could not do it.

Please find herewith the links to the approved new versions of our CPSs, which explicitly include the set of Issuer Domain Names recognized by the FNMT-RCM in the CAA “issue” records:

CPS for AC Componentes Informáticos v.1.10 (section 6.1.1, paragraph #69)
https://www.sede.fnmt.gob.es/documents/10445900/10536309/dpc_componentes_english.pdf/00a355e9-9e07-47d8-b034-0693c887c328

We have also included this reference in the following CPS, where it was also missing:
CPS Qualified Electronic Venue Certificates AC Administración Pública v.1.2 (section 4.2.2, paragraph #79)
https://www.sede.fnmt.gob.es/documents/10445900/10745629/DPC_Sedes_english.pdf/22c7b64a-6778-0b37-3d7c-d018069ef6ba

Alain: Please respond with a full incident report as described at https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report

Please find herewith the required incident report:

1. FNMT became aware that there were 2 CPSs (the one for AC Componentes Informáticos and the one for Electronic Venues - AC Administraciones Públicas) that did not explicitly indicate the Issuer Domain Name recognized by the FNMT CAs in the CAA “issue” records, during an internal documentary self-audit carried out in week 45.
2. As a result of the last documentary self-audit, changes to the CPSs were made in week 45 in order to include such a reference in both CPSs. The changes have been approved and published on November 18th.
3. There are no certificates issued without CAA record checking.
4. There are no certificates issued without CAA record checking.
5. There are no certificates issued without CAA record checking.
6. The failure to include an explicit reference to the Issuer Domain Name recognized by the FNMT was due to a transcription error between CPS draft versions.
7. In order to avoid such oversights, documentary self-audits will be made more frequently from now on.

Wayne: This incident report does not inspire much confidence (if any). It definitely feels at the level of "Whoops, our bad". I think this is particularly a concern with the new Mozilla policy rolling out, and the steps being taken by the CA to ensure compliance. However, since CAs are ultimately judged by (and potentially trust lost by) the level of detail they provide in incident responses, I think we can close this out?

Flags: needinfo?(alain) → needinfo?(wthayer)

I agree that this incident report is lacking, but I'm resolving this because I don't expect to receive a more meaningful response from the CA. FNMT is welcome to analyze other incident bugs and provide a more thoughtful response even though the bug is resolved.

Status: UNCONFIRMED → RESOLVED
Closed: 9 days ago
Flags: needinfo?(wthayer)
Resolution: --- → FIXED