Camerfirma: Incorrect disclosure of Intesa Sanpaolo sub-CA
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: agwa-bugs, Assigned: ana.lopes)
Details
(Whiteboard: [ca-compliance] [disclosure-failure])
Camerfirma has disclosed the "Intesa Sanpaolo Organization Validation 2019 CA" sub-CA (https://crt.sh/?sha256=C3E3C2DEE11BF8CFEA56FD5900AFE95CD438D7391DCA55A07BFF44147A35A828) as having the same CP/CPS as parent but with its own audits.
The audit statement (https://www.csqa.it/getattachment/Sicurezza-ICT/Documenti/Attestazione-di-Audit-secondo-i-requisiti-ETSI/2020-03-CSQA-Attestation-Intesa-SSL-rev-2-2020-4364-signed.pdf.aspx?lang=it-IT) states that the CP/CPS referenced during the audit is "Certificate Practice Statement Intesa Sanpaolo Organization Validation CA". This is not the same as the parent's CP/CPS.
Hi All,
We have been reviewing the information related to the "Intesa Sanpaolo Organization Validation 2019 CA" sub-CA published on CCADB, and Andrew was right: the correct CPS that should be referenced is their own CPS, whose latest version is currently 1.6: http://ca.intesasanpaolo.com/portalIden0/identity/doc/ISP-CBCM-2020-1.6%20CPS%20ISP%20Organization%20Validation_edited_%20LR_EB_.pdf
Please find below the incident report.
- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
We became aware of the problem on October 22nd because of bug 1672562, opened by Andrew Ayer on October 21st.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
We have reviewed all the information published on CCADB and we have corrected the mistake (Oct 22nd).
We have included the correct link to the latest version of the CPS for Intesa Sanpaolo: http://ca.intesasanpaolo.com/portalIden0/identity/doc/ISP-CBCM-2020-1.6%20CPS%20ISP%20Organization%20Validation_edited_%20LR_EB_.pdf (Oct 22nd).
- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
No certificates with problems were issued; in this case the issue was due to an administrative error that does not affect the certificates at all.
The CA Intesa Sanpaolo Organization Validation 2019 CA performed all the audits in time and updated the CPS in a timely manner.
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
N/A
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
N/A
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
This problem was registered because of a human error while updating the data on CCADB. Probably, the last changes regarding the CPS were not saved correctly.
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
After reading the bug, we reviewed the data that appears on CCADB about this sub-CA and corrected the problem immediately. From now on, we will review all the information published on CCADB every time we change something, to avoid possible errors during the update process.
Comment 2•5 years ago
There is no update regarding this matter on our part since 2020-10-22.
Do you consider this bug could be closed or do you need extra information about it?
We do not have any more information to provide for this bug.
Ben, please let us know if you need anything else from our side to close it.
Comment 4•5 years ago
I'll schedule to close this bug on or about 22-Jan-2021 unless there are any other issues to discuss.
Comment 5•5 years ago
Ok, thank you Ben. We do not have more updates to add.