Closed Bug 1599916 Opened 5 years ago Closed 4 years ago

QuoVadis: Unconstrained CAs revocation

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: stephen.davidson, Assigned: stephen.davidson)

Details

(Whiteboard: [ca-compliance] [ca-revocation-delay])

How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

We have previously reported 18 unconstrained subCAs that were not properly disclosed in a WebTrust for BR report. See https://bugzilla.mozilla.org/show_bug.cgi?id=1581597.

On 15 Nov, Ryan Sleevi noted on mdsp expectations for revocation of such subCAs: https://groups.google.com/d/msg/mozilla.dev.security.policy/M7NGwCh14DI/9Go4rOTgBgAJ

This disclosure relates to the fact that the 18 CAs were not revoked within the seven days allowed by BR section 4.9.1.2.

A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events.

See https://bugzilla.mozilla.org/show_bug.cgi?id=1581597.

Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.

NA

A summary of the problematic certificates.

See https://bugzilla.mozilla.org/show_bug.cgi?id=1581597.

The complete certificate data for the problematic certificates.

See https://bugzilla.mozilla.org/show_bug.cgi?id=1581597.

Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

As noted in the original disclosure, although the subCAs were “technically capable” of issuing TLS under the Mozilla definition, the subCAs neither had TLS policies configured nor were enabled to issue TLS through our certificate management system.

The subCAs were omitted from the WebTrust for BR report because of an error (based on a misinterpretation of the browser policies) in the way we defined our assertion for the WebTrust for BR, not because these subCAs were not subject to audit.

As noted in the original disclosure, the subCAs are used to issue certificates to individuals (both in personal contexts as well as corporate contexts) as well as uses such as e-Seals, and many of those certificates are issued on smartcards and crypto-tokens. There is limited opportunity to automate the reissuance of the end entity certificates, and QuoVadis is actively working with users to reissue new certificates from replacement CAs.

QuoVadis has committed to revoke the CAs on a schedule outlined in https://bugzilla.mozilla.org/show_bug.cgi?id=1581597#c12. In addition, QuoVadis has retained Ernst & Young LLP to provide an AT105 attestation report for the years 2014-2017 for the 12 unrevoked CAs.

We do not consider the failure to revoke these intermediate certificates within the BR time period to be a security issue. However, we do understand the importance of the compliance issue and have requested that all 18 subCAs be added to OneCRL. Seven of the 18 subCAs have already been revoked, with another two to be revoked in the coming days. QuoVadis will move subCA revocation forward as soon as possible, with updates posted in the original bug disclosure.

List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

These ICAs are older, before QuoVadis commenced using explicit EKU in line with changing industry expectations. All new QuoVadis subCAs now include EKU, making explicit their applicability for audit disclosure.

Moreover, QuoVadis has adopted the use of Confluence and Jira to track standards, processes and signoffs in the creation and reporting of new subCAs in line with the practices of our corporate parent.

Assignee: wthayer → s.davidson
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance]
Whiteboard: [ca-compliance] → [ca-compliance] [delayed-revocation-ca]
Whiteboard: [ca-compliance] [delayed-revocation-ca] → [ca-compliance] [delayed-revocation-ca] Next Update - 31-Dec 2019

As noted in Bug 1581597, 10 of the 12 CAs have now been revoked. The two remaining CAs require the replacement of a large number of end entity certificates and are scheduled for revocation on 31 March 2020. Unless there is significant activity to report in the interim, this bug will not be updated until then.

Whiteboard: [ca-compliance] [delayed-revocation-ca] Next Update - 31-Dec 2019 → [ca-compliance] [delayed-revocation-ca] Next Update - 31-March 2020

As noted in Bug 1581597, the closure of this bug is dependent on the ability to bring external auditors in, which has been complicated by COVID-19 office workplace restrictions imposed by the local Government. As noted, we expect additional information during the week of May 25.

Access restrictions remain unchanged. We will update again during the week of June 8.

The official COVID access restrictions have now been lifted, and plans are proceeding to complete the revocation and key destruction of these final two ICAs during the week of June 22.

As noted above, as COVID-19 access restrictions were lifted, the final 2 of 18 subCAs addressed in this Bug were terminated today June 25. Please see the parent Bug 1581597 for details. Thank you for your patience through the unexpected COVID-19 delays.

Please see the parent Bug 1581597 for information regarding the auditor report validating QuoVadis’ performance of the key destruction procedures for 'QuoVadis Issuing CA G4'.

Flags: needinfo?(bwilson)
QA Contact: wthayer → bwilson
Whiteboard: [ca-compliance] [delayed-revocation-ca] Next Update - 31-March 2020 → [ca-compliance] [delayed-revocation-ca]

The "parent bug" to this has been marked resolved. Can this one be marked resolved as well?

No update, other than a request to close this bug as revocation or key destruction of the referenced CAs was completed.
Many thanks.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] [delayed-revocation-ca] → [ca-compliance] [ca-revocation-delay]