Closed Bug 1651487 Opened 4 years ago Closed 3 years ago

Telekom Security: Delayed Revocations of Sub-CA certificates

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Arnold.Essing, Assigned: Arnold.Essing)

Details

(Whiteboard: [ca-compliance] [ca-revocation-delay])

Attachments

(2 files)

Telekom Security requires more than seven days to revoke the certificates affected by https://bugzilla.mozilla.org/show_bug.cgi?id=1649941 (“T-Systems: Incorrect OCSP Delegated Responder Certificate”). The decision to not revoke the affected certificates within seven days is based on the disruptive impact this would have on our subscribers. There are currently more than 230,000 S/MIME and smartcard authentication certificates affected by this problem, which will require up to five months to be reissued under a new Issuing CA.

We will provide an update to this Bugzilla within the following week.

Assignee: bwilson → Arnold.Essing
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [delayed-revocation-ca]

Arnold Essing is currently not available so other team members will be providing updates to this Bugzilla on his behalf and until his return.

This week, further information regarding the delayed revocation was mentioned in https://bugzilla.mozilla.org/show_bug.cgi?id=1649941

You will hear from us at the latest next Friday.

Whiteboard: [ca-compliance] [delayed-revocation-ca] → [ca-compliance] [delayed-revocation-ca] Next update 24-July-2020

The migration was started this week as planned for all of the affected CAs. Updates will be provided at least once a week.

On July 14, 2020 the new CA "Deutsche Telekom secure email CA E03" was put into operation. On July 20, 2020 the active user migration was started. Until today, new certificates have been issued on the new SubCA for approx. 11,000 users.
Approximately 110,000 users are affected (each user gets two certificates).
Our user migration plan:
until 2020-08-01: 10%
until 2020-09-01: 35%
until 2020-10-01: 60%
until 2020-11-01: 85%
until 2020-11-15: 100%

Whiteboard: [ca-compliance] [delayed-revocation-ca] Next update 24-July-2020 → [ca-compliance] [delayed-revocation-ca] Next update 1-Sept-2020

All 2,130 EE certificates (all S/MIME) from "TeleSec PKS CA 8" were revoked on August 19, 2020. "TeleSec PKS CA 8" itself was revoked on August 20, 2020 and the key material was destroyed in the presence of the external auditor on August 25, 2020.
For the other 4 affected CAs the user migration is ongoing and on target. Until today, new certificates have been issued on the new SubCA for approx. 40,000 users. That is 36 % of the affected 110,000 users.

Whiteboard: [ca-compliance] [delayed-revocation-ca] Next update 1-Sept-2020 → [ca-compliance] [delayed-revocation-ca] Next update 2-Oct-2020

For the remaining 4 affected CAs the user migration is ongoing and on target. Until today, new certificates have been issued on the new SubCA for approx. 69,000 users. These are 62 % of the affected 110,000 users.

When will you be providing key destruction reports for the CAs in Comment #4?

Is the timeline on track for comment #3?

Flags: needinfo?(Arnold.Essing)

We will provide the key destruction report for "TeleSec PKS CA 8" as soon as we receive it from our auditor, which should be within this week.

Regarding the user migration of the 110,000 affected users, we are still on target. We plan to provide the next update by the end of this month.

Flags: needinfo?(Arnold.Essing)

We received the key destruction report for "TeleSec PKS CA 8" from our auditor and attached it here.
It should also be available under the following link very soon:
https://www.tuvit.de/en/services/certification/audit-attestations-according-to-cabrowser-forum-requirements/

For the remaining 4 affected CAs the user migration is ongoing and on target. Until today, new certificates have been issued on the new SubCA for approx. 101,000 users. These are 92 % of the affected 110,000 users.

The key destruction in the presence of the external auditor for the remaining 4 affected CAs is planned for mid November 2020.

All EE certificates from the remaining 4 affected CAs were revoked on November 10th, 2020.

The remaining 4 affected CAs were:
Deutsche Telekom AG Issuing CA 01 https://crt.sh/?id=40463077
Deutsche Telekom AG secure email CA E02 https://crt.sh/?id=2517734973
Deutsche Telekom AG secure email CA SN: 75 81 aa 9f 98 30 a3 ab bf 5b b6 9f 84 d8 56 (name constrained)
Deutsche Telekom AG secure email CA SN: 15 31 b1 a1 34 7c 85 a9 7a 37 f6 0e bb 50 fd 86 (name constrained)

These CAs were revoked on November 12th, 2020 and the key material was destroyed in the presence of the external auditor also on November 12th, 2020.
We will provide the key destruction report as soon as we receive it from our auditor.

Whiteboard: [ca-compliance] [delayed-revocation-ca] Next update 2-Oct-2020 → [ca-compliance] [delayed-revocation-ca] Next update 2020-12-01

We received the key destruction report for the remaining 4 affected CAs from our auditor and attached it here.
It should also be available under the following link very soon:
https://www.tuvit.de/en/services/certification/audit-attestations-according-to-cabrowser-forum-requirements/

I believe that this matter can be closed and intend to do so next week (Dec. 7-11) unless there are additional issues.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] [delayed-revocation-ca] Next update 2020-12-01 → [ca-compliance] [ca-revocation-delay]