QuoVadis: Failure to revoke within 7 days: OCSP EKU issue
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: stephen.davidson, Assigned: stephen.davidson)
Details
(Whiteboard: [ca-compliance] [ca-revocation-delay] [ocsp-failure])
Although we have made significant progress, we acknowledge that QuoVadis will not be able to revoke all CAs impacted by the issue referenced under Bug 1649938 in the mandated period.
We will update our report within the week with additional details.
Comment 2•5 years ago
QuoVadis provides an update at Bug 1649938 on progress towards the replacement and eventual revocation/key destructions.
Comment 3•5 years ago
(In reply to Stephen Davidson from comment #2)
QuoVadis provides an update at Bug 1649938 on progress towards the replacement and eventual revocation/key destructions.
Why is that relevant?
This bug is about why you could not revoke within 7 days, what steps you are taking to fulfill that requirement in the BR in future, and to demonstrate how these steps will prevent this situation in future.
You have not come up with a single line about that in 17 days, raising the question of whether you take this seriously at all. A CA that does not want to improve is not something I would want to rely on as a Firefox user.
And this is a very troubling pattern with QuoVadis. In both bug 1645708 and bug 1649880, you did not take the chance to either at least take a look at the certificate in question (you would have seen that both "none" and "Government Entity" were not correct as serialNumber) or research the BR's history instead of guessing its interpretation. In both incidents, it took me less than 10 minutes to figure that out, whereas you apparently did not even spend that time. If you do not take any time to look at the context of problems, it leads me to the conclusion that you do not want to improve at all.
Comment 4•5 years ago
A progress update has been provided at Bug 1649938.
The failure to revoke within 7 days was driven by the complexity of this bug, which involves 30 issuing CAs under the QuoVadis roots. The issuing CAs were not homogeneous, including both TLS and non-TLS as well as internal and externally operated CAs. All told, the task requires the replacement of ~1.3 million end entity certificates. A project of this scale has required careful coordination to not create additional security harm in remediating the bug.
As far as addressing the root cause of the issue, QuoVadis ceased using the id-kp-OCSPSigning EKU in new issuing CAs in 2019. In terms of ongoing improvements, QuoVadis is part of DigiCert efforts to review existing practices in toto against standards such as the BR (on top of our rolling efforts for new ballots); to adopt standard certificate profiles and sign-offs of CA ceremony documents; and to adopt automation tools to reduce and/or catch errors.
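The root cause named in comment 4 is a CA certificate profile that lists id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) in extendedKeyUsage. Under RFC 6960 section 4.2.2.2 a certificate with that EKU, issued directly by a CA, is an authorized delegated OCSP responder for that CA, so an issuing CA carrying it can sign OCSP responses about its siblings and, unless the key is destroyed, that capability survives revocation. The following is an illustrative lint added here as an example; it is not code from QuoVadis, DigiCert or Bugzilla, and it assumes nothing beyond the Go standard library. It builds two constructed self-signed test CA certificates with invented names (one with the offending EKU, one without) and flags any certificate asserting cA=TRUE that also carries id-kp-OCSPSigning, which is the kind of automated profile check comment 4 says is being adopted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// HasOCSPSigningEKUOnCA reports whether a certificate that asserts
// basicConstraints cA=TRUE also lists id-kp-OCSPSigning in its
// extendedKeyUsage extension. Go's parser maps OID 1.3.6.1.5.5.7.3.9 to
// x509.ExtKeyUsageOCSPSigning, so the comparison is on that constant.
func HasOCSPSigningEKUOnCA(cert *x509.Certificate) bool {
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return false
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return true
		}
	}
	return false
}

// LintPEMBundle walks every CERTIFICATE block in a PEM bundle (for example
// an exported list of issuing CAs) and returns the subject common names of
// the CA certificates that fail the check above.
func LintPEMBundle(bundle []byte) ([]string, error) {
	var flagged []string
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if HasOCSPSigningEKUOnCA(cert) {
			flagged = append(flagged, cert.Subject.CommonName)
		}
	}
	return flagged, nil
}

// newTestCA creates a constructed, self-signed CA certificate for the
// demonstration. The common name is supplied by the caller and is invented;
// nothing here is taken from the certificates discussed in the bug.
func newTestCA(cn string, withOCSPSigning bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if withOCSPSigning {
		// The profile mistake at the centre of this bug: an issuing CA whose
		// EKU list also contains id-kp-OCSPSigning.
		tmpl.ExtKeyUsage = append(tmpl.ExtKeyUsage, x509.ExtKeyUsageOCSPSigning)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	var bundle []byte
	for _, c := range []struct {
		cn  string
		bad bool
	}{{"Constructed Issuing CA 1 (OCSPSigning EKU)", true}, {"Constructed Issuing CA 2 (clean)", false}} {
		p, err := newTestCA(c.cn, c.bad)
		if err != nil {
			panic(err)
		}
		bundle = append(bundle, p...)
	}
	flagged, err := LintPEMBundle(bundle)
	if err != nil {
		panic(err)
	}
	for _, cn := range flagged {
		fmt.Println("CA certificate carries id-kp-OCSPSigning:", cn)
	}
}
```

Run against a real bundle, the check only tells you which CA certificates have the delegated-responder capability; whether the underlying key was ever used to sign OCSP responses, and whether revocation alone is sufficient or key destruction is required, is the separate question the bug's remediation plan addresses.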
Comment 5•5 years ago
We have updated timelines for revocation posted here: https://bugzilla.mozilla.org/show_bug.cgi?id=1649938#c7
Comment 6•5 years ago
Another update on this bug was posted here: https://bugzilla.mozilla.org/show_bug.cgi?id=1649938#c8
Comment 7•5 years ago
Another update on this bug was posted here: https://bugzilla.mozilla.org/show_bug.cgi?id=1649938#c9
Comment 8•5 years ago
A progress update is provided at: https://bugzilla.mozilla.org/show_bug.cgi?id=1649938#c10
Comment 9•5 years ago
A progress update is provided at: https://bugzilla.mozilla.org/show_bug.cgi?id=1649938#c11. We will provide a next update on revocations and key destructions ~Nov 3.
Comment 10•5 years ago
A progress update is provided at: https://bugzilla.mozilla.org/show_bug.cgi?id=1649938#c12.
Comment 11•5 years ago
A progress update is provided at: https://bugzilla.mozilla.org/show_bug.cgi?id=1649938#c13
Comment 12•5 years ago
A progress update is provided at: https://bugzilla.mozilla.org/show_bug.cgi?id=1649938#c14. Although activity related to this bug continues apace, we suggest a next-update of January 7, 2021.
Comment 13•5 years ago
QuoVadis is on track for the schedule described in https://bugzilla.mozilla.org/show_bug.cgi?id=1649938#c14. We suggest a next-update of January 7, 2021.
Comment 14•5 years ago
QuoVadis is on track for the schedule described in https://bugzilla.mozilla.org/show_bug.cgi?id=1649938#c14. We suggest a next-update of January 22.
Comment 15•5 years ago
The final QuoVadis-operated CAs have been revoked with key destruction. Further updates will be provided as available on the remaining Siemens-operated CAs. See https://bugzilla.mozilla.org/show_bug.cgi?id=1649938#c17.
Comment 16•5 years ago
We have no updates at this time; next steps are the completion of the audit report for key destructions of the QuoVadis-hosted CAs and revocation of the remaining Siemens CAs.
Comment 17•5 years ago
On track per update at https://bugzilla.mozilla.org/show_bug.cgi?id=1649938#c19. We suggest a next-update of March 15.
Comment 18•4 years ago
The remaining Siemens-operated subCAs affected by this bug have been revoked; see more at https://bugzilla.mozilla.org/show_bug.cgi?id=1649938#c20.
This concludes the CA revocations related to this bug.
Comment 19•4 years ago
I think this bug can be closed and the key destruction report from Siemens can be covered by Bugzilla Bug #1649938. I'll schedule this to be closed on or about next Wednesday, 31-March-2021.