Closed Bug 1614449 Opened 2 years ago Closed 2 years ago

SK ID Solutions: Audit Letter Validation failures on intermediate certificates

Categories: NSS :: CA Certificate Compliance (task)
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: kwilson, Assigned: kristel.runnimeri
Whiteboard: [ca-compliance]

I am filing this bug because this CA responded to Action 5 of Mozilla's January 2020 CA Communication survey with: "We have no audit issues with our intermediate certificates identified by CCADB". However, ALV is reporting the following problems that the CA must investigate and resolve.

Audit Letter Validation (ALV) is providing the following results for this CA. For each of the certificates listed below, the CA needs to follow the "When ALV returns FAIL" section of https://wiki.mozilla.org/CA/Audit_Letter_Validation.

Standard Audit ALV Found Cert | BR Audit ALV Found Cert | CA Owner/Certificate Name | SHA-256 Fingerprint
FAIL                          | -                       | EID-SK 2011               | AC95A0FD7E0BF5E1BE6F02A042F0F09A657A7AE1272EDEC505AB6B9A6116782C
FAIL                          | FAIL                    | EID-SK 2011               | D94EBA021D6E238901B4591D72F722AB5AF924F6A03198F0B28717CF848B03F4
FAIL                          | -                       | ESTEID-SK 2011            | 3864D6C1001F00C4AA81DCDB375E2A0B4DF8F28A1AA99FA1F38B74BCE82D5B18
FAIL                          | FAIL                    | ESTEID-SK 2011            | 62A8C84C0C161ECB0CE71DACB13D359939916788646A7D41E23ACA0FF9D29689

(In reply to Kathleen Wilson from comment #0)

EID-SK 2011 AC95A0FD7E0BF5E1BE6F02A042F0F09A657A7AE1272EDEC505AB6B9A6116782C
Extended Key Usage: ExtKeyUsageOCSPSigning,ExtKeyUsageClientAuth,ExtKeyUsageEmailProtection
EID-SK 2011 D94EBA021D6E238901B4591D72F722AB5AF924F6A03198F0B28717CF848B03F4
Extended Key Usage: (not present)
Derived Trust Bits: Server Authentication;Client Authentication

The above two certificates have the same Subject+SPKI as another certificate that is listed in the audit statement, with the comment "does not issue any certificates from 2016":
EID-SK 2011 7B1666A7991CFC28B64DA371F17141DBD6F5321F21B83A1A658D6A410D374E05

My recommendation is that the above two non-audited versions of the certificate be revoked.

ESTEID-SK 2011 3864D6C1001F00C4AA81DCDB375E2A0B4DF8F28A1AA99FA1F38B74BCE82D5B18
Extended Key Usage: ExtKeyUsageOCSPSigning,ExtKeyUsageClientAuth,ExtKeyUsageEmailProtection
ESTEID-SK 2011 62A8C84C0C161ECB0CE71DACB13D359939916788646A7D41E23ACA0FF9D29689
Extended Key Usage: (not present)
Derived Trust Bits: Server Authentication;Client Authentication

The above two certificates have the same Subject+SPKI as another certificate that is listed in the audit statement, with the comment "does not issue any certificates from 2015":
ESTEID-SK 2011 41EC808E33CCA8659EAEA81670D6C7DC01446636E1F227561B6307B80BA63862

My recommendation is that the above two non-audited versions of the certificate be revoked.

Kathleen: Am I correct in understanding that no one at skidsolutions.eu has a Bugzilla account set up to assign this to?

Flags: needinfo?(kwilson)

Ryan: I am from SK ID Solutions, so this bug can be assigned to me.
Kathleen: CAs EID-SK 2011 and ESTEID-SK 2011 have been audited and they continue to be audited as long as they are valid. The comments on both of the CAs say that no end-user certificates are issued under these CAs, but servicing of the issued and valid end-user certificates still takes place. Therefore, we are not able to revoke the EID-SK and ESTEID-SK certificates, and as they are valid, they are audited by SK's conformity assessment body.

(In reply to Kristel Rünnimeri from comment #3)

> Ryan: I am from SK ID Solutions, so this bug can be assigned to me.

Assigned this bug to Kristel.

> Kathleen: CAs EID-SK 2011 and ESTEID-SK 2011 have been audited and they continue to be audited as long as they are valid.

Here's the 2019 audit statement:
https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2019051701_SK_EE_Certification_Centre_Root_CA_s.pdf

I cannot find the four certs listed in this bug in this audit statement.

> Therefore, we are not able to revoke the EID-SK and ESTEID-SK certificates, and as they are valid, they are audited by SK's conformity assessment body.

Then please provide the audit statements that list those 4 certs as being in scope of the audit.

See the "Acceptable remediation" section of https://wiki.mozilla.org/CA/Audit_Letter_Validation

References:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#53-intermediate-certificates
"All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla’s CA Certificate Program, MUST be operated in accordance with this policy and MUST either be technically constrained or be publicly disclosed and audited."
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#314-public-audit-information
"The publicly-available documentation relating to each audit MUST contain at least the following clearly-labelled information: ... Distinguished Name and SHA256 fingerprint of each root and intermediate certificate that was in scope;"

Assignee: wthayer → kristel.runnimeri
Flags: needinfo?(kwilson) → needinfo?(kristel.runnimeri)
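Added example, not code from this bug, from SK ID Solutions or from Mozilla's ALV tooling: a Go sketch of the check behind Ryan's Subject+SPKI analysis above and the policy requirement quoted in the References (section 3.1.4). It groups certificates by Subject DN plus SPKI, treats the audit statement as a set of SHA-256 fingerprints, and reports every certificate whose fingerprint is missing while a sibling with the same identity is listed. Keys, names (EXAMPLE-SK 2011, Example Root CA) and the stand-in issuer are constructed for the demo, not the real SK certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the uppercase hex SHA-256 of the DER encoding, the form CCADB and audit statements list.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%X", sha256.Sum256(c.Raw)) }
// identity keys a cert by Subject DN plus SPKI; a re-issuance (new serial, dates, signature) keeps both.
func identity(c *x509.Certificate) string { return string(c.RawSubject) + "|" + string(c.RawSubjectPublicKeyInfo) }
// FindDoppelgangers: fingerprints absent from the audit statement whose Subject+SPKI twin is listed (the ALV FAIL pattern here).
func FindDoppelgangers(certs []*x509.Certificate, inScope map[string]bool) (out []string) {
	audited := map[string]bool{} // Subject+SPKI identities with at least one audited cert
	for _, c := range certs {
		audited[identity(c)] = audited[identity(c)] || inScope[Fingerprint(c)]
	}
	for _, c := range certs {
		if fp := Fingerprint(c); !inScope[fp] && audited[identity(c)] {
			out = append(out, fp)
		}
	}
	return out
}
// issue signs one CA cert for pub under a stand-in root; only the issuer name is needed to sign (constructed data).
func issue(signer ed25519.PrivateKey, pub ed25519.PublicKey, cn string, serial int64, nb time.Time) *x509.Certificate {
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "Example Root CA"}}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: nb, NotAfter: nb.AddDate(5, 0, 0), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}
// BuildScenario mirrors this bug with constructed data: one intermediate key and subject, three certs for it, only the first audited.
func BuildScenario() ([]*x509.Certificate, map[string]bool) {
	_, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	caPub, _, _ := ed25519.GenerateKey(rand.Reader)
	t0 := time.Date(2011, 3, 1, 0, 0, 0, 0, time.UTC)
	var certs []*x509.Certificate
	for i := int64(1); i <= 3; i++ { // same Subject+SPKI, new serial and validity each time
		certs = append(certs, issue(rootKey, caPub, "EXAMPLE-SK 2011", i, t0.AddDate(int(i), 0, 0)))
	}
	return certs, map[string]bool{Fingerprint(certs[0]): true}
}
```

A certificate whose identity has no audited sibling at all is an undisclosed intermediate rather than a doppelganger, so FindDoppelgangers deliberately leaves it out.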

We are currently investigating the issuance of ESTEID-SK 2011 and EID-SK 2011 certificates. We will inform you about the results and an action plan.

Flags: needinfo?(kristel.runnimeri)

This is to inform Mozilla that SK shall revoke EID-SK 2011 and ESTEID-SK 2011 certificates (in total 4 certificates) not provided in the audit statement on 27.02.2020.

SK has revoked the EID-SK 2011 and ESTEID-SK 2011 certificates not included in the ALV on 27.02.2020. The new EE Certification Centre Root CA CRL containing the revoked intermediate CA certificates is available at: https://www.skidsolutions.eu/en/repository/CRL/

Flags: needinfo?(kwilson)

The certs (doppelgangers) that were missing from the audit statements have been revoked and marked as "Ready to Add" to OneCRL.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(kwilson)
Resolution: --- → FIXED