Firmaprofesional: 2019 Audit Report Findings
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: ryan.sleevi, Assigned: chemalogo
Details: Whiteboard: [ca-compliance] [audit-finding]
While performing the CP/CPS review for Firmaprofesional's new root in Bug 1102143, I was re-examining the audit statements, which included findings noted by AENOR, the auditor.
The purpose of this bug is to track closure of all of the findings, and for the CA to provide incident reports for them.
For each qualification that was already reported in Bugzilla, it is fine to just reference that Bugzilla Bug number, and finish resolving in that bug.
Findings
Finding #1 - 6.2 Identification and Authorization
It has been verified that, although the web application enables the revocation of certificates and prompt registration of the requests, in the rest of the cases (e.g. requests for revocation by email, telephone, etc.) no record of revocation request is kept. As a result, we could not find evidence that the status information of certificates is changed in less than 24 hours since a revocation request is received.
In addition, as indicated by the TSP, in some cases (e.g. request revocation by telephone) there is no explicit check to ensure the request revocation is originated by an authorized person. However, the TSP has stated that no cases of non-authorized revocation have happened during the audit period.
Finding #2 - 6.4 Facility, management, and operational controls
During the review of the log events it was noted that full access (read and write) to the audit logs is restricted to authorized individuals. However, the person who has been assigned the role of auditor does not have permissions on the system to review the logs, whilst a read-only access is expected for such an auditor profile.
Finding #3 - 6.6 Certificate, CRL, and OCSP profiles
Evidence has been found that shows authentication certificates meet the BRG requirements with the following exceptions:
- Entropy for the SSL certificates issued by "AC Firmaprofesional - INFRASTRUCTURE" is only 63 bits (64 bits are required). The TSP is aware of this situation (https://bugzilla.mozilla.org/show_bug.cgi?id=1538638)
Audit Issues not noted as findings
Unconstrained and Unaudited Sub-CA
Firmaprofesional currently has one sub-CA that is flagged for ALV intermediate validation error, due to not being noted within the scope of the audit.
The two certificates for this sub-CA are:
This intermediate is capable of TLS issuance, as defined by the BRs and Mozilla policy, and thus subject to policy and audit requirements.
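Finding #3 turns on a single bit: the Baseline Requirements want at least 64 bits of CSPRNG output in every serial number, and the audit measured 63. The Python below is an added illustration, not code from Firmaprofesional, AENOR or Mozilla. It pairs a hypothetical generator that produces 63 bits (8 random bytes with the top bit cleared so the DER INTEGER stays positive, a widely reported way to land one bit short, and not a claim about what this CA's software did) with a compliant one, and shows how an auditor can measure what a generator actually delivers by sampling it rather than reading one serial. The helper and constant names are the example's own.

```python
"""Measure how many serial-number bits a generator can actually vary.

Added example, not CA or auditor code. BR 7.1 requires at least 64 bits
of CSPRNG output per serial; RFC 5280 4.1.2.2 caps the DER INTEGER at
20 octets and requires a positive value.
"""
import secrets
from typing import Callable

MIN_ENTROPY_BITS = 64      # BR 7.1 minimum CSPRNG output per serial
MAX_SERIAL_OCTETS = 20     # RFC 5280 4.1.2.2 serialNumber length limit

RandomBytes = Callable[[int], bytes]


def legacy_serial(rng: RandomBytes = secrets.token_bytes) -> int:
    """Hypothetical 63-bit pattern: 8 random bytes, top bit cleared so the
    value is positive. Only 63 of the 64 bits can ever vary."""
    value = int.from_bytes(rng(8), "big") & ((1 << 63) - 1)
    return value or 1          # zero is not a valid serial either


def compliant_serial(rng: RandomBytes = secrets.token_bytes) -> int:
    """16 random bytes with the top bit cleared: 127 varying bits, always
    positive, and well inside the 20-octet limit once DER-encoded."""
    value = int.from_bytes(rng(16), "big") & ((1 << 127) - 1)
    return value or 1


def der_integer(value: int) -> bytes:
    """Content octets of a DER INTEGER for a positive value: minimal length,
    with a 0x00 pad byte when the high bit of the first octet would be set."""
    if value <= 0:
        raise ValueError("serial numbers must be positive")
    length = (value.bit_length() + 8) // 8   # +1 sign bit, rounded up to octets
    return value.to_bytes(length, "big")


def varying_bits(generate: Callable[[], int], samples: int = 2000) -> int:
    """Count bit positions observed as both 0 and 1 across many samples.
    Masked bits (always 0) and fixed prefixes (always 1) are excluded, so
    the result is an upper bound on the entropy the generator supplies."""
    union = 0
    intersection = -1          # all ones; AND narrows it down
    for _ in range(samples):
        serial = generate()
        union |= serial
        intersection &= serial
    return bin(union & ~intersection).count("1")


def assess(generate: Callable[[], int], samples: int = 2000) -> dict:
    """Summarise a generator against the BR entropy and RFC 5280 length rules."""
    bits = varying_bits(generate, samples)
    octets = max(len(der_integer(generate())) for _ in range(samples))
    return {
        "entropy_bits_upper_bound": bits,
        "max_der_octets": octets,
        "meets_br_entropy": bits >= MIN_ENTROPY_BITS,
        "within_rfc5280_length": octets <= MAX_SERIAL_OCTETS,
    }


if __name__ == "__main__":
    for name, gen in (("legacy (8 bytes, top bit cleared)", legacy_serial),
                      ("compliant (16 bytes, top bit cleared)", compliant_serial)):
        print(name, assess(gen))
```

The sampling approach matters because no single certificate can prove or disprove the finding: a 63-bit serial is indistinguishable from a 64-bit one with its top bit randomly zero. Only the population shows that a bit position never varies, which is the kind of evidence an auditor needs to support, or a CA needs to refute, a finding like this one.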
I'm on vacation until tomorrow and then we will begin to create the incident reports and its solution.
I've updated CCADB with appropriate data to solve the ALV intermediate validation error.
Additionally there was a misspelling in the URL of the Standard and BR audits that has also been fixed.
Regarding Finding #3 - 6.6 Certificate, CRL, and OCSP profiles [...] "Entropy for the SSL certificates issued by "AC Firmaprofesional - INFRASTRUCTURE" is only 63 bits (64 bits are required). The TSP is aware of this situation (https://bugzilla.mozilla.org/show_bug.cgi?id=1538638)": we provided an accurate plan to solve it last July with biweekly updates until we revoked all the affected certificates.
The ticket still remains open, but honestly I do not know why.
We are now working on the Incident Reports for findings #1 and #2.
Comment 3•6 years ago
Thank you for the update.
(In reply to chemalogo from comment #2)
> The ticket still remains open, but honestly I do not know why.
I have reviewed and resolved bug #1538638
> We are now working on the Incident Reports for findings #1 and #2.
Find an Incident Report on Finding #1 - 6.2 Identification and Authorization at bug #1610448
Related tickets:
- Finding #1: https://bugzilla.mozilla.org/show_bug.cgi?id=1610448
- Finding #2: https://bugzilla.mozilla.org/show_bug.cgi?id=1612929
- Finding #3 (closed): https://bugzilla.mozilla.org/show_bug.cgi?id=1538638
Comment 6•6 years ago
Apparently there were three findings and all of the corresponding bugs have been closed:
bug #1610448
bug #1612929
bug #1538638
So I believe this can be closed, too.