Closed Bug 1626805 Opened 4 years ago Closed 4 years ago

FNMT: Minor non-conformities in 2020 audit statement

Categories

(CA Program :: CA Certificate Compliance, task)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: alain)

Details

(Whiteboard: [ca-compliance] [audit-finding])

Attachments

(2 files, 8 obsolete files)

This bug is to track resolution to the items that were identified as "findings" in this CA's 2020 audit statement, which is here:

https://www.aenor.com/Certificacion_Documentos/eiDas/2020%20AENOR%20Anexo%201%20ETSI%20319%20411-2%20PSC-2019-003%20-%20FNMT-v0.1%20-%20rev4.pdf

Ángel, Please:

  1. Provide a timeline for when each of the findings will be resolved.
  2. Provide an Incident Report for the areas of non-compliance.
    https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report

Note that the audit statement says: "All the minor non-conformities have been scheduled to be addressed in the corrective action plan of the Trust Service Provider. No critical non-conformities were identified."

Please find herewith the incident report for the findings in the AENOR periodic audit report “Appendix to the Certificate for Trust Service Provider: PSC-2019-003” for the period January 13th, 2019 until January 12th, 2020.

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
#1 During the annual on-site audit, which took place from 27 to 30 January, we were informed that, although we had not started to provide the related services, we should publish both the “AC Sector Público” and “AC Unidades de Sellado de Tiempo” CPSs.
#2 Standard ETSI EN 319 411-2 was updated with new requirements. The Technical TSP Committee periodically checks the published standards related to requirements that apply to the TSP activity, and became aware of these new requirements and the need to modify the CRL profiles on March 19, 2019.
#3 FNMT became aware of the problem via the periodic audit carried out in January 2019. Personnel performing the validation functions have enough proven experience with the validation procedures and receive periodic training for the execution of their tasks. The validation specialist profile was already defined and the employees performing the validation functions were assigned by the TSP Management Committee. However, we are still missing the formal assignment document for such trusted roles.
#4 On January 27, during the annual on-site audit, it was identified that some events were being logged and monitored in aggregate. It was also made clear that some rules in the SIEM could be refined and better adjusted to the needs of the TSP activity.
#5 During the annual on-site audit, which took place from 27 to 30 January, it was evidenced that, in order to attend to certain incidents, the assigned trusted roles use a safe case installed inside the PKI Data Centre to store the envelopes containing the access codes during the resolution of the said incident. This safe case could be accessible to the other trusted roles with access to the PKI Data Centre. In any other situation, dual control is firmly guaranteed, as the audit team was able to verify in situ.
#6 In February 2019, after completing and implementing the corrective actions referred to in bug 1495507.
#7 FNMT became aware of the problem via the periodic audit carried out in January 2019. Since then we have been working on improving accessibility in our websites.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
#1

  • November 11, 2019: Creation of the CPS document for both “AC Sector Público” and “AC Unidades de Sellado de Tiempo”.
  • November 28, 2019: CA key generation ceremony.
  • January 20, 2020: TSP Management Committee meeting to approve both CPS documents.
  • January 30, 2020: During the audit final results presentation meeting, we were informed about the convenience of publishing both CPSs even when the service is not provided yet.
  • February 24, 2020: Official communication to the National Supervisory Body to inform about the new CPSs for “AC Sector Público” and “AC Unidades de Sellado de Tiempo”, among other issues.
  • March 3, 2020: TSP Management Committee meeting to approve the publication of the related CPSs and CA intermediate certificates in the corresponding official repositories:
    https://www.sede.fnmt.gob.es/dpcs
    https://www.sede.fnmt.gob.es/descargas/certificados-raiz-de-la-fnmt

#2

  • March 19, 2019: The Technical TSP Committee becomes aware of the latest published version of ETSI EN 319 411-2 and begins to analyse what changes need to be made and the impact they would have on our customers.
  • May 16, 2019: The Technical TSP Committee contacts the CA software supplier in order to evaluate the potential different solutions and reports to the TSP Management about the need to include the extension “ExpiredCertsOnCRL” in the CRL profile.
  • June 10, 2019: The manufacturer informs us that the recommended value of “99991231235959Z” for the nextUpdate field of the Last CRL cannot be implemented within our CA software.
  • July 2, 2019: The Technical TSP Committee proposes as the best solution to issue a Last CRL generated with a nextUpdate value set to the date of the expiration of the CA, since once the CA expires, the CRL signature cannot be validated either.
  • November 20, 2019: Changes in CRL profiles are made first in the pre-production environment in order to evaluate the impact among our users, especially among the Spanish Public Administrations.
  • January 20, 2020: TSP Management Committee meeting to decide the measures to be taken for guaranteeing the availability of the information on the status of the certificates beyond their expiry. Once the impact has been analysed, it is agreed to issue a Last CRL with the nextUpdate value set to the expiration date of each CA and to consult the National Supervisory Body in case it is going to establish provisions in this regard.
  • January 21, 2020: The TSP Management Committee asks the National Supervisory Body for information about the provisions, if any, which will be taken in relation to this issue. (ETSI EN 319 411-2 CSS-6.3.10-05 - NOTE 2 : The ad-hoc Trusted List expiredCertsRevocationInfo Extension [i.8], specifying that the TSP keeps expired certificates in CRLs, can be set by the supervisory body in charge of the TSP in complement to)
  • March 3, 2020: Approval and publication of the General CPS v5.6 (https://www.sede.fnmt.gob.es/documents/10445900/10536309/dgpc_english.pdf), which includes the required information. It specifically states the following: “in case of termination of the activity and / or commitment of keys of the CA, to guarantee the availability of the information on the status of the certificates, a last CRL will be generated and will remain intact and available for consultation for at least 15 years since its publication.” This therefore complies with requirement 6.3.9 (6) of ETSI EN 319 411-1.
  • Additionally, it was decided to implement the new CRL profiles to meet the requirements of ETSI EN 319 411-2 gradually, per CA, in order to reduce interoperability issues and impact among our users.

#3

  • February 14, 2019: The TSP Management Committee refers the document to the FNMT Human Resources Department for the formalization of the assignment document.
  • April 29, 2019: The Head of the FNMT Human Resources Department left office, and the appointment of a new one is postponed because there is no fully-fledged government.
  • February 4, 2020: Appointment of the new general director of the FNMT. A new Head of the FNMT Human Resources Department is expected to be appointed soon.

#4

  • February 3, 2020: Review begins of the correct sending and receiving of the main business events, in order to create different and unique categories for the events related to the TSP activity and later extend it to the other significant events on the platform.
  • February 5, 2020: Evaluation begins of the redefinition of the SIEM rules and configuration, together with the software supplier.

#5

  • February 5, 2020: Redefinition of the procedure for the custody of envelopes containing access smartcards and passwords while it is necessary to keep them in the safe case installed in the PKI Data Centre.

#6

  • February 6, 2019: Revision of QCP-l and QCP-n certificate profiles.
  • March 25, 2019: The Technical TSP Committee evaluates the impact of the adjustment of length for certain fields (e.g. givenName) that may affect the good development of the electronic public administration in terms of interoperability.
  • May 30, 2019: The TSP Management Committee approves the implementation of technical controls (subject:organizationName and subject:organizationalUnit) for the pre-issuance validations for the QCP-l issued by AC Componentes Informáticos.
  • June 4, 2019: Controls implemented in the PKI software validation component in pre-production for testing.
  • June 6, 2019: Controls implemented in the PKI software validation component in production.

#7

  • March 1, 2019: Quarterly web accessibility evaluations are carried out, centralised by the Ministerio de Hacienda, in order to verify the level of compliance with WCAG.
  • June 3, 2019: The support company for the content manager software has been commissioned to conduct an evaluation report on deviations regarding accessibility and their possible solution, with preliminary tests in our test environment. The suitability of the solutions proposed will also have to be assessed in terms of compatibility and usability.
  • November 4, 2019: Configuration of the web services begins, based on the result of the analysis performed in terms of accessibility, for general improvement of the accessibility of the websites, particularly https://www.sede.fnmt.gob.es and https://www.cert.fnmt.es

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
#1 Neither “AC Sector Público” nor “AC Unidades de Sellado de Tiempo” are providing services yet. We will start providing services once the National Supervisory Body updates the corresponding TSL.
#2 We do continue to issue certificates whose CRLs do not include yet the ExpiredCertsOnCRL extension (specific requirement of ETSI EN 319 411-2) due to interoperability issues with the Spanish Public Administration.
#3 We have not stopped issuing QCP-w. The functions of the “validation specialist” are carried out by the assigned FNMT employees who have demonstrated the required capacity, professionalism, training and experience as the audit team has been able to verify.
#4 We do continue to issue certificates since the issuance of certificates is not directly affected and there is no security breach.
#5 We do continue to issue certificates since the issuance of certificates is not directly affected and there is no security breach.
#6 Since June 6, 2019, no QCP-l certificates have been issued with subject:organizationName or subject:organizationUnit longer than 64 characters.
#7 We do continue to issue certificates since the issuance of certificates is not directly affected and there is no security breach.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
#1 There are no certificates issued. The services are not yet provided
#2 Currently all CAs continue to issue CRLs without the ExpiredCertsOnCRL extension (specific requirement of ETSI EN 319 411-2)
#3 Certificates are not directly affected
#4 Certificates are not directly affected
#5 Certificates are not directly affected
#6 One QCP-l certificate issued by AC Componentes Informáticos on May 27, 2019 15:10:09 has been identified.
#7 Certificates are not directly affected

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
#1 There are no certificates issued. The services are not yet provided
#2 Currently all CAs continue to issue CRLs without the ExpiredCertsOnCRL extension (specific requirement of ETSI EN 319 411-2)
#3 No certificates are directly affected
#4 No certificates are directly affected
#5 No certificates are directly affected
#6 https://tls-observatory.services.mozilla.com/static/certsplainer.html?id=188298443
#7 Certificates are not directly affected

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
#1 To avoid raising false expectations in customers, the TSP Management Committee decided not to publish either the CPSs or the intermediate certificates before starting the provision of the service. Services will be provided once they are included in the EU TSL. Finally, the CPSs and certificates were published on March 3, 2020.
#2 The errors relate to compliance with new requirements published in a new version of the ETSI standard, which were not identified in time because the review periodicity of applicable ETSI standard updates was annual.
#3 The formalization of the assignment document for the validation specialist trusted roles has been delayed in the absence of the Head of the FNMT Human Resources Department.
#4 The issue resulted from a misconfiguration of the generic categoriser of the sources of the PKI software in which these events were framed. As regards the definition of the SIEM rules, it was installed with a standard configuration, to subsequently undergo a review process by the software supplier. At the date of the audit, the evaluation had not been completed and the SIEM was in the process of being redefined and improved.
#5 To reduce the response time to incidents related to the availability of services, it was agreed to enable a safe case inside the PKI Data Centre itself to allow its use by the trusted roles. This measure was only used for specific situations and always for the time strictly necessary.
#6 Deviations from RFC 5280 have been produced by including in the certificates the exact data as per the official Spanish records. The upper bounds defined for some fields are not adequate to allow data integrity and accuracy, which are essential for interoperability among the Spanish administration and ultimately for the correct identification of individuals.
#7 Although follow-up actions have been taken since 2019, there are still some accessibility issues to be improved. Accessibility compliance is treated as a continuous process of improvement, which also requires periodic review assessments in terms of compatibility.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
#1 The TSP Management Committee has agreed to modify the protocol for publishing CPSs and new certificates. From now on, CPSs will be immediately published after receiving the “Ceremony Audit Report for CA key generation”, for any new service. The new services will be provided once the National Supervisory Body includes the services in the corresponding TSL.
#2 We expect to be able to implement changes in production (CRLs including the ExpiredCertsOnCRL - specific requirement of ETSI EN 319 411-2- extension with value set to the NotBefore of the CA) on April 6 and April 13 2020. In addition, the periodicity of the revisions of ETSI standards updates will be from now on quarterly.
#3 The TSP Management Committee has expressed to the FNMT Human Resources Department the urgency and need to speed up and shorten the process as far as possible, so that we can have the assignment document duly signed in the shortest time.
#4 By May 2020 the agreed improvement plan in QRadar is expected to be implemented, which includes the following actions:

  • Redefinition and creation of specific categories for the PKI software source types.
  • Exhaustive and periodic review of the correct sending and receiving of main business events, specifically after the QRadar update.
  • Increase and redefine categories of the events that are sent to the SIEM to incorporate those that are necessary.
  • Adjustment and continuous revision of the specific use cases developed for the TSP activity.

#5 To solve the issue in those exceptional cases (cards kept temporarily in the PKI Data Centre’s safe case), it has been agreed to keep the cryptographic material (card) physically separated from the password to access the said card. This password will be delivered to and guarded by the person who holds the trusted role and uses such material. In this way, the card cannot be used without the participation of the assigned trusted roles.
#6 Measures regarding the QCP-l were already implemented in June 2019.
#7 We are still working on the correction of some issues. The next step will be the implementation in the production environment of the latest improvements already identified and implemented in the pre-production environment. The next set of improvements is expected to be completed by the end of April 2020.
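Finding #2 above concerns adding the ExpiredCertsOnCRL extension (X.509 id-ce 60, whose value is a GeneralizedTime) to the CRLs, with the value set to the NotBefore of the CA. As an added example that is not part of this bug or of FNMT's CA software, the stdlib-only Python below builds a constructed sample v2 CRL (dummy signature, assumed issuer name and dates) and shows the check an auditor or relying party can run on a DER CRL: does it carry the extension, and from which date does it promise to keep expired certificates on the list?

```python
import datetime as dt

EXPIRED_CERTS_ON_CRL = "2.5.29.60"   # X.509 id-ce-expiredCertsOnCRL; its value is a GeneralizedTime
UTC = dt.timezone.utc

def tlv(tag, body):                    # DER encode one TLV (short or long-form length)
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def oid(dotted):                       # DER encode an OBJECT IDENTIFIER (base-128 arcs)
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for v in arcs[2:]:
        chunk = bytes([v & 0x7F])
        while v := v >> 7:
            chunk = bytes([0x80 | (v & 0x7F)]) + chunk
        out += chunk
    return tlv(0x06, out)

def asn1time(t, generalized=False):    # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%Y%m%d%H%M%SZ" if generalized else "%y%m%d%H%M%SZ"
    return tlv(0x18 if generalized else 0x17, t.strftime(fmt).encode())

def sample_crl(expired_from=None):     # constructed v2 CRL with a dummy signature, not an FNMT CRL
    alg = tlv(0x30, oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))    # sha256WithRSAEncryption
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, b"Sample CA"))))
    this_update = dt.datetime(2020, 4, 6, tzinfo=UTC)                 # assumed thisUpdate
    tbs = tlv(0x02, b"\x01") + alg + issuer + asn1time(this_update)   # version v2, algorithm, issuer
    tbs += asn1time(this_update + dt.timedelta(days=7))               # nextUpdate
    if expired_from is not None:
        ext = tlv(0x30, oid(EXPIRED_CERTS_ON_CRL) + tlv(0x04, asn1time(expired_from, True)))
        tbs += tlv(0xA0, tlv(0x30, ext))                              # [0] EXPLICIT crlExtensions
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00" + bytes(32)))

def read_tlv(buf, pos=0):              # DER decode one TLV -> (tag, body, next position)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                                      # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):                    # iterate the TLVs inside a constructed value
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def expired_certs_on_crl(crl_der):     # -> the ExpiredCertsOnCRL datetime, or None when absent
    _, crl, _ = read_tlv(crl_der)
    tbs = next(children(crl))[1]                                      # TBSCertList
    for tag, val in children(tbs):
        if tag != 0xA0:                                               # skip everything but crlExtensions
            continue
        _, ext_list, _ = read_tlv(val)                                # Extensions SEQUENCE inside [0]
        for _, ext in children(ext_list):
            parts = list(children(ext))                               # extnID, [critical], extnValue
            if parts[0][1] == oid(EXPIRED_CERTS_ON_CRL)[2:]:          # compare encoded OID bodies
                _, when, _ = read_tlv(parts[-1][1])                   # GeneralizedTime in the OCTET STRING
                return dt.datetime.strptime(when.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)
    return None
```

On a real CRL, pass the DER bytes (base64-decode a PEM CRL first); the signature is not verified here, so run the check only after validating the CRL against the issuing CA.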

Please be informed that steps to solve pending findings have been successfully implemented and completed.
#2 On April 6 2020, the ExpiredCertsOnCRL extension has been included first in CRLs for the following CAs

  • AC RAIZ Servidores Seguros
  • AC Servidores Seguros Tipo 1
  • AC Servidores Seguros Tipo 2
  • AC Unidades de Tiempo
  • AC Sector Público.

On April 13 2020, we completed the implementation for the rest of CAs:

  • AC RAIZ FNMT
  • AC Administración Pública
  • AC Usuarios
  • AC Componentes Informáticos
  • AC Representación.

#4 On April 28 new types of sources were created and modified accordingly so that all events are properly categorized. This topic has been considered as a continuous task and therefore daily reviews have been programmed to verify that no new events remain without being properly classified.

Test Preliminary Audit Reports to correct ALV errors

Attachment #9147884 - Attachment is obsolete: true
Attachment #9147883 - Attachment is obsolete: true
Attachment #9150727 - Attachment is obsolete: true
Attachment #9150731 - Attachment is obsolete: true
Attachment #9151018 - Attachment is obsolete: true
Status: NEW → ASSIGNED
QA Contact: wthayer → bwilson

(In reply to Brox from comment #2)

> Please be informed that steps to solve pending findings have been successfully implemented and completed.

Thank you for this update. Have all steps listed in response to question #7 in comment #1 been completed?

> #2 On April 6 2020, the ExpiredCertsOnCRL extension has been included first in CRLs for the following CAs
>
>   • AC RAIZ Servidores Seguros
>   • AC Servidores Seguros Tipo 1
>   • AC Servidores Seguros Tipo 2
>   • AC Unidades de Tiempo
>   • AC Sector Público.
>
> On April 13 2020, we completed the implementation for the rest of CAs:
>
>   • AC RAIZ FNMT
>   • AC Administración Pública
>   • AC Usuarios
>   • AC Componentes Informáticos
>   • AC Representación.
>
> #4 On April 28 new types of sources were created and modified accordingly so that all events are properly categorized. This topic has been considered as a continuous task and therefore daily reviews have been programmed to verify that no new events remain without being properly classified.

Flags: needinfo?(santiago.brox)

(In reply to Wayne Thayer from comment #10)

Steps listed in response to question #7 in comment #1 have been completed.
As regards finding #7, since it refers to a continuous improvement process, please be informed that we have developed a new set of improvements which have already been implemented in the pre-production environment, and which we expect to be in production by the end of June.

Flags: needinfo?(santiago.brox)

Ben: since all the original remediations have been completed, I think this is ready to resolve, but wanted to check with you?

Flags: needinfo?(bwilson)

I am satisfied that for purposes of the Mozilla Root Program, FNMT has adequately responded to the audit findings and will close this bug.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Attached file test report 411-1 (obsolete)
Attachment #9151022 - Attachment is obsolete: true
Attachment #9160014 - Attachment is obsolete: true
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [audit-finding]