Closed Bug 1649679 Opened 4 years ago Closed 4 years ago

Firmaprofesional: 2020 Audit Report Finding 2 out of 4

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mprieto, Assigned: mprieto)

Details

(Whiteboard: [ca-compliance] [audit-finding])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Steps to reproduce:

Annual audit

Actual results:

Findings were found

Expected results:

An unqualified audit report

#2 The contingency datacenter does not have the same security measures as the main datacenter, since it does not contain production services and the HSMs are not initialized. There are also no procedures for implementing similar access measures in the event of a contingency that requires using the contingency datacenter as the primary datacenter.

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
    Due to the last eIDAS audit carried out in March 2020, it was observed that the Contingency CPD rack is located in a Housing Room shared with other clients. Only Firmaprofesional has access to that rack. The physical access to the rack is protected by a key controlled by the CPD provider maintenance team. It would be necessary to have a physical access control mechanism to the rack with exclusive control of Firmaprofesional and that allows an audit of the accesses.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
    On 2020-04-14 13:43, this Non Conformity was registered in our JIRA (Ticketing System) and an action plan was established.
    In 2020-05, the supplier of the Contingency CPD (ADAM) was requested to install an intelligent rack access lock that allows configuring access with dual control.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
    It does not apply.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
    It does not apply.

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
    It does not apply.

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
    The Contingency CPD rack is located in a Housing Room shared with other clients. Only Firmaprofesional has access to that rack. The physical access to the rack is protected by a key controlled by the CPD provider maintenance team. It would be necessary to have a physical access control mechanism to the rack with exclusive control of Firmaprofesional and that allows an audit of the accesses. So, from our point of view this was secure enough.
    In any case we will fix this.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
    Request an offer from a supplier.
    Implement the new physical access control.

Type: defect → enhancement
Summary: Firmaprofesional: 2020 Audit Report Finding 1 out of 4 → Firmaprofesional: 2020 Audit Report Finding 2 out of 4
Assignee: bwilson → mprieto
Status: UNCONFIRMED → ASSIGNED
Type: enhancement → task
Ever confirmed: true
Whiteboard: [ca-compliance]

There have been no updates since this was reported, but it appears to discuss future plans. That's concerning, and I'm hoping you can share more.

I'm equally concerned that the existing physical security controls for your DR location were insufficient. This has, in the past, led to CAs being distrusted. I'm hoping you can add more detail as to why this shouldn't be seen as a critical security risk. I'm hoping that "and HSMs are not initialized" means no key material is stored on those HSMs. If that's the case, where/how is the key material stored and how does that fit into operationalizing the DR site? For example, if a disaster happened, would that require a physical visit to operationalize the DR site?

Flags: needinfo?(mprieto)

Dear Ryan,

Historically, in the main CPD we comply with exceptionally high physical security measures, not required by any standard. Maintaining these exceptional security measures has an extra cost for Firmaprofesional; however, the management of Firmaprofesional decided to maintain this higher level of security, not required, for image reasons and to offer our clients an added value that offers them greater confidence.
It would be illogical to replicate these exceptional security measures in the disaster backup center.

The backup center is passive, for its activation the physical presence of several people is required to load the keys in the HSM following the security procedures.

Additionally, additional measures have been added to improve physical security regarding access to the Rack where the contingency teams are located.

Flags: needinfo?(mprieto)

> exceptionally high physical security measures, not required by any standard

I'm not sure I understand this. We'd expect the same security controls required by the BRs and NCSSRs for your DR site as we would your CA. Have I misunderstood why they're seen as distinct? If anything, this sounds like a regression from the industry standard practices.

Flags: needinfo?(mprieto)

The security controls of our main datacenter exceed the requirements of the BRs and NCSSRs.

In fact, the non-conformity is not that the contingency datacenter does not meet BRs and NCSSRs expectations but that the controls are not the same (level) as those of the main datacenter.

The only part that could be worrying is the physical access to the rack, since it does not require two people from Firmaprofesional to be present (at least two people of Firmaprofesional out of m are required to access the main datacenter).

In addition, the backup center is passive, for its activation the physical presence of several people is required to load the keys in the HSM following the security procedures.

And despite all of the above, we are seeking solutions to implement additional measures for access.

Sincerely, in our opinion this is not a regression from the industry standard practices.

Are at least two people from Firmaprofesional required to access the DR datacenter? Do you have plans to make the physical access to the DR rack two-person? I'm a little unclear on the two-person controls in place for the DR location.

You are right, Ben: two people from Firmaprofesional are required to access the DR datacenter: at least one of the managers and at least one of the technical staff.

I believe this matter can be closed, which I'll do on or about 6-November-2020 unless there are additional issues or concerns.

Flags: needinfo?(mprieto) → needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [audit-finding]