Closed Bug 1614448 Opened 1 year ago Closed 10 months ago

GRCA: Audit Letter Validation failures on intermediate certificates

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kwilson, Assigned: gpki)

Details

(Whiteboard: [ca-compliance])

I am filing this bug because this CA responded to Action 5 of Mozilla's January 2020 CA Communication survey with: "We have no audit issues with our intermediate certificates identified by CCADB". However, ALV is reporting the following problems that the CA must investigate and resolve.

Audit Letter Validation (ALV) is providing the following results for this CA. For each of the certificates listed below, the CA needs to follow the "When ALV returns FAIL" section of https://wiki.mozilla.org/CA/Audit_Letter_Validation

Standard Audit ALV Found Cert	BR Audit ALV Found Cert	CA Owner/Certificate Name	SHA-256 Fingerprint
FAIL	FAIL	行政院醫事憑證管理中心 (HCA)	A05EE43E556C8C2A38766D0377FB486806D169EA195E69CD873381D8EAB7DFCD
FAIL	FAIL	行政院醫事憑證管理中心 (HCA)	A8B4863230F40A263327965F43F5C00752B531ED7DF9B21DC7E74B6E911AE4A8
FAIL	FAIL	行政院內政部憑證管理中心 (MOICA)	45111450FB31EF5137E4B7CFF9EE2BEF23E8BBFD165086DFBD93DF2F329B785E
FAIL	FAIL	行政院政府憑證管理中心 (GCA)	5E9FCCB153C7802BAB1B5F5015C6643A8BD18CCEFCAACEDFBAD46E21D67C3D5B
FAIL	FAIL	行政院內政部憑證管理中心 (MOICA)	C4C462DE463F856804DC898338D2CECB55FBA74155851599D8FB7D70218FD1BE
FAIL	FAIL	Government Root Certification Authority 2 - Taiwan (New-with-Old SHA256 with no OV OID)	72AC428BB715DF5DC1AF87579308E8CC2EBFA588686B567292FD70EEB0FEE8B7
FAIL	FAIL	Government Root Certification Authority 2 - Taiwan (New-with-Old SHA1)	D87AAD615FE7C2385032244D08CDFE06EB005675AA1892D6E5B82780F19FB87F
Assignee: wthayer → gpki
Flags: needinfo?(gpki)

I have discussed with my auditor (KPMG).
For these existing audit statements issued in 2019, I have added a comment to the "Standard Audit ALV Comments" or "BR Audit ALV Comments" fields.
Our auditor will follow the formatting requirements.
These formatting problems will be fixed in the next annual audit statement.

Please let me know if you have any other suggestions.

Thank you.

Flags: needinfo?(gpki)

(In reply to National Development Council from comment #1)

> I have discussed with my auditor (KPMG).
> For these existing audit statements issued in 2019, I have added a comment to the "Standard Audit ALV Comments" or "BR Audit ALV Comments" fields.
> Our auditor will follow the formatting requirements.
> These formatting problems will be fixed in the next annual audit statement.
>
> Please let me know if you have any other suggestions.

I am not finding these three in any audit statements. Please point me to the audit statements that list these as having been in scope of the audit.

  1. 行政院政府憑證管理中心 (GCA) 5E9FCCB153C7802BAB1B5F5015C6643A8BD18CCEFCAACEDFBAD46E21D67C3D5B
  2. Government Root Certification Authority 2 - Taiwan (New-with-Old SHA256 with no OV OID) 72AC428BB715DF5DC1AF87579308E8CC2EBFA588686B567292FD70EEB0FEE8B7
  3. Government Root Certification Authority 2 - Taiwan (New-with-Old SHA1) D87AAD615FE7C2385032244D08CDFE06EB005675AA1892D6E5B82780F19FB87F
Flags: needinfo?(gpki)

It is possible that this bug is redundant with Bug #1463975. I will follow up in that bug first.

Flags: needinfo?(gpki)

(In reply to Kathleen Wilson from comment #2)

> (In reply to National Development Council from comment #1)
>
> > I have discussed with my auditor (KPMG).
> > For these existing audit statements issued in 2019, I have added a comment to the "Standard Audit ALV Comments" or "BR Audit ALV Comments" fields.
> > Our auditor will follow the formatting requirements.
> > These formatting problems will be fixed in the next annual audit statement.
> >
> > Please let me know if you have any other suggestions.
>
> I am not finding these three in any audit statements. Please point me to the audit statements that list these as having been in scope of the audit.
>
>   1. 行政院政府憑證管理中心 (GCA) 5E9FCCB153C7802BAB1B5F5015C6643A8BD18CCEFCAACEDFBAD46E21D67C3D5B

We added the BR CP OID and updated the GCA certificate on July 19, 2017, using the original key. This certificate is the old one from before we updated the GCA certificate. We have stopped using it.

>   2. Government Root Certification Authority 2 - Taiwan (New-with-Old SHA256 with no OV OID) 72AC428BB715DF5DC1AF87579308E8CC2EBFA588686B567292FD70EEB0FEE8B7
>   3. Government Root Certification Authority 2 - Taiwan (New-with-Old SHA1) D87AAD615FE7C2385032244D08CDFE06EB005675AA1892D6E5B82780F19FB87F

These two self-issued certificates were used to build a trust path between the old and new roots. However, we built another trust path and stopped using these two certificates on July 19, 2017. These two certificates are no longer needed by the public.

We have requested our auditor to review this status and will provide a supplementary description of these three certificates in the original audit statement.

Do you have any update on the status of your request to your auditor for a supplemental description?

Flags: needinfo?(gpki)
QA Contact: wthayer → bwilson
Whiteboard: [ca-compliance] → [ca-compliance] - Next Update - 1-June 2020

(In reply to Ben Wilson from comment #5)

> Do you have any update on the status of your request to your auditor for a supplemental description?

The updated audit statements are below:
GPKI WebTrust CA
http://grca.nat.gov.tw/download/Audit/GRCA_GCA_XCA_WTCA_Audit_Report_2020.pdf

GPKI BR
http://grca.nat.gov.tw/download/Audit/GRCA_GCA_XCA_BR_Audit_Report_2020.pdf

Flags: needinfo?(gpki)
Status: NEW → ASSIGNED

I have confirmed that these updated statements include the missing certificates listed in comment #2. However, CCADB is still showing failures because these updated statements have not been processed.

GRCA: please [create a new audit case](https://www.ccadb.org/cas/updates) in CCADB and submit these updated audit statements.

Flags: needinfo?(gpki)

It looks like a new audit case (00000622) was created in the CCADB on 29-June-2020.

Do you have URL links to KPMG's website where the two audit reports are saved?
I want to run the ALV process so I don't get an error "AuditLocation=Fail" for those audits.

I believe that these roots are being removed from the Mozilla Root Store and that at the appropriate time this bug should be closed.

Flags: needinfo?(gpki) → needinfo?(bwilson)
Whiteboard: [ca-compliance] - Next Update - 1-June 2020 → [ca-compliance]

I agree that this bug should be closed, because the root cert that Mozilla has included for this CA is being removed via Bug #1656077.

Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED