Closed Bug 1672208 Opened 4 years ago Closed 3 years ago

DFN-PKI: Finding in 2020 ETSI audit

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: brauckmann, Assigned: brauckmann)

Details

(Whiteboard: [ca-compliance] [uncategorized])

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36

Our auditor determined the following non-conformity (classified as "minor") in our ETSI audit 2020 conducted by TÜViT:

Auditor: Administration of outside firewalls shall be via dedicated administration network.
Clients used for the administration shall not be used for other purposes.

Reference: ETSI EN 319 401, REQ-7.8-08, -09 and REQ-7.4-03

Basically this issue is about assessing whether certain systems are in scope for the cited ETSI requirements or not.

Please note that the audit report and the corresponding audit attestation are not finalized yet.

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

2020-08-12 The auditor informed us that they expect that the administration of the company's border firewalls shall be performed according to ETSI EN 319 401 REQ-7.8-08, -09 and REQ-7.4-03. We argued that these firewalls are outside the system boundary of the PKI systems and are thus not relevant to the requirements from ETSI.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

2015-09 We introduced a dedicated admin network and clients for our PKI Systems. Border firewalls were left out as outside of our PKI system scope.

2016-02 ETSI EN 319 401 V2.1.1 came into force with requirements for dedicated network/dedicated client for administration of IT systems. Predecessor ETSI TS 102 042 did not contain these requirements in this form. Evaluation showed that no changes to our procedures were necessary as all firewalls that were part of the PKI-infrastructure were already operated according to these new requirements.

2020-08-12 The auditor informed us about their differing expectations regarding administration of said border firewalls during the on-premise audit.

2020-08-12 Started to evaluate if we could improve overall information security of the whole company by applying aforementioned ETSI requirements to border firewalls.

2020-08-24 Started to implement ETSI requirements for border firewalls

2020-10-19 We received a formal notification of our auditor that they consider this a "Minor Non-Conformity" (NC-B).

2020-10-20 Added incident report to Bugzilla

  3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.

The affected firewall systems are secured and only reachable from inside our network (although not via dedicated admin networks) by dedicated staff. The clients are secured administration systems operated by security-cleared personnel. As we did not consider these systems to be part of the PKI infrastructure, we however did not apply the ETSI requirements to them, but rather our company's general security standards, which are also very high. We are confident that these standards provide an adequate level of security already. We have thus not stopped certificate issuance.

By including the border firewalls to the scope of ETSI-compliant infrastructure, we will however ensure that the level of security can be formally assessed by the auditor using ETSI requirements in the future.

  4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.

Since the original finding by the auditor, as of 2020-10-19, 33301 certificates have been issued in the hierarchy under our sub CA "CN = DFN-Verein Certification Authority 2".

  5. In a case involving certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.

N/A

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The "outside firewalls" in question are systems at the outer boundary of our network, which comprises all departments and networks of our company, not only PKI-related networks. These firewalls are separating access from the public internet to our internal networks, among others also the PKI-network.

We have been running a dedicated administration network according to the requirements here in question for our PKI IT systems since 2015. These systems also include firewalls for separation of the PKI-infrastructure from the "outside world", which in this case is not the open internet but the internal network of our company, which itself is separated from the open internet by the border firewalls now in question.

In our understanding, ETSI EN 319 401 did not require those outer firewall systems as being in scope. We thus did not apply the ETSI requirements regarding a dedicated administration network to those border firewalls. Our auditor disagreed this year, and specifically pointed out that ETSI applies to all firewall systems in the complete path from public networks to Certificate Management Systems, independent from zone definitions.

Please also note that operation of the firewalls in question has already been compliant with all requirements of Baseline Req's NetSec.

  7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

Administrative access to those outside firewalls will be limited to an admin VLAN, accessible only via an ssh jump host from dedicated clients. Work is currently carried out to install the jump host and configure an admin VLAN. This work will be finished by 2020-11-30 at the latest.

We will update this report as remediation continues, including root cause analysis. This will include the evaluation of the company's inventory for other systems that shall be subject to PKI-related requirements without being part of the PKI's Certificate Management Systems, Certificate Systems or Security Support Systems.

Type: defect → task
Assignee: bwilson → brauckmann
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]
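The remediation in the report (management access to the border firewalls limited to an admin VLAN, reachable only through an ssh jump host from dedicated clients) is the kind of policy an auditor can verify mechanically. The following is an added example, not DFN-PKI's tooling and not derived from their configuration: it evaluates a small first-match ACL with default deny and probes the firewalls' management addresses from several constructed sources. All addresses, rule sets and the assumption that the jump host is the only permitted management source are constructed for this illustration; the "before" policy models management reachable from the whole company network, the "after" policy models the announced admin VLAN plus jump host design.

```python
"""Added example: audit management-plane reachability of border firewalls.

Not DFN-PKI's own code. Addressing and rules below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing (assumed for this example only).
ADMIN_VLAN = ipaddress.ip_network("10.99.0.0/24")      # dedicated admin network
JUMP_HOST = ipaddress.ip_address("10.99.0.10")          # ssh jump host inside the admin VLAN
FIREWALL_MGMT = [ipaddress.ip_address("10.0.0.1"),      # management IPs of the two border firewalls
                 ipaddress.ip_address("10.0.0.2")]
MGMT_PORTS = (22, 443)                                  # ssh and web UI of the firewalls


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None matches any destination port


def first_match(rules: List[Rule], src, dst, dport: int) -> str:
    """Return the action of the first matching rule; default deny if none matches."""
    for r in rules:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


# (source address, label, expected verdict). Only the jump host may reach management.
Probe = Tuple[ipaddress.IPv4Address, str, str]
PROBES: List[Probe] = [
    (JUMP_HOST, "jump host", "allow"),
    (ipaddress.ip_address("10.99.0.50"), "other host in admin VLAN", "deny"),
    (ipaddress.ip_address("10.10.5.23"), "office workstation", "deny"),
    (ipaddress.ip_address("10.20.1.4"), "host in PKI network", "deny"),
    (ipaddress.ip_address("203.0.113.7"), "public internet", "deny"),
]


def audit(rules: List[Rule], probes: List[Probe] = PROBES) -> List[str]:
    """Return one finding per (source, firewall, port) whose verdict differs from the expectation."""
    findings = []
    for fw in FIREWALL_MGMT:
        for port in MGMT_PORTS:
            for src, label, expected in probes:
                got = first_match(rules, src, fw, port)
                if got != expected:
                    findings.append(f"{label} ({src}) -> {fw}:{port}: {got}, expected {expected}")
    return findings


# Constructed "before" policy: management reachable from the whole company network.
RULES_BEFORE = [
    Rule("allow", ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("10.0.0.0/30")),
    Rule("deny", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("0.0.0.0/0")),
]

# Constructed "after" policy: only the jump host, only the management ports, default deny.
RULES_AFTER = [
    Rule("allow", ipaddress.ip_network("10.99.0.10/32"), ipaddress.ip_network("10.0.0.0/30"), 22),
    Rule("allow", ipaddress.ip_network("10.99.0.10/32"), ipaddress.ip_network("10.0.0.0/30"), 443),
    Rule("deny", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("0.0.0.0/0")),
]


if __name__ == "__main__":
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        result = audit(rules)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  " + line)
```

Running the block prints 12 findings for the "before" policy (three internal sources reaching two firewalls on two ports each) and none for the "after" policy. The probe list is the useful part: it encodes the expectation behind ETSI EN 319 401 REQ-7.8-08/-09 as data, so the same check can be re-run after every rule change and kept as audit evidence.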

Work is on track:

  • Administrative access to outside firewalls is limited as planned.
  • Evaluation and root cause analysis are still ongoing and will also be finished by 2020-11-30.

Evaluation:
We cross-examined the company's inventory with the asset list specific to the PKI information security management system (which has a yearly review cycle anyway). We did not find any further systems that we needed to add. The firewall systems in question were already added to the list.

We examined the systems on the PKI asset list to check whether we are applying all applicable requirements to all assets. We did not find any further systems that need to be revised.

Root cause:
The cross reference from individual systems in our PKI asset list into the requirements lists failed in this case. We enhanced the cross referencing process by adding this aspect to the review cycle and are confident that we successfully approached the root cause.

We consider this issue resolved.

Unless there are additional comments or questions, I will close this as completed on or about 4-December-2020.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [uncategorized]