Closed Bug 1677631 Opened 5 years ago Closed 3 years ago

Add Autoridade Certificadora do Serpro SSLv1

Categories

(CA Program :: CA Certificate Root Program, task, P2)

Product:
CA Program
Component:
CA Certificate Root Program
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: bwilson, Assigned: bwilson)

Details

(Whiteboard: [ca-in-discussion] 2022-11-17)

Attachments

(16 files, 4 obsolete files)

SERPRO_Audit_Report.pdf
301.62 KB, application/pdf
Details
AC_SERPRO_SSL_Self_Assessment.ods
70.81 KB, application/vnd.oasis.opendocument.spreadsheet
Details
100_-_AC_SERPRO_SSL_RKGC_Audit_Report.pdf
298.67 KB, application/pdf
Details
101_-_AC_SERPRO_SSL_Webtrust_for_CA_-_Point_in_Time_Audit_Report.pdf
315.39 KB, application/pdf
Details
102_-_AC_SERPRO_SSL_Webtrust_BR_SSL_and_Network_Security_-_Point_in_Time_Audit_Report.pdf
308.15 KB, application/pdf
Details
11_-_AC_SERPRO_SSL_Webtrust_for_CA_-_Period_of_Time_Audit_Report_-_versão_10122020-assinado.pdf
299.07 KB, application/pdf
Details
Update CA Certificate Download URL
76 bytes, text/plain
Details
CP_SERPRO_SSL_CA.pdf
345.12 KB, application/pdf
Details
CPS_SERPRO_SSL_CA.pdf
1.35 MB, application/pdf
Details
Personal Data Protection Principles.pdf
195.80 KB, application/pdf
Details
The
249.51 KB, application/pdf
Details
01 - Relatório Webtrust for CA - SERPRO 2021 - signed.pdf
387.15 KB, application/pdf
Details
WebTrust Trademark Agreement PKI Contabilidade e Auditoria Ltda.pdf
1.91 MB, application/pdf
Details
AC SERPRO - WebTrust for SSL Baseline with Network Security Report-Management Assertion_SIGNED.pdf
516.93 KB, application/pdf
Details
AC SERPRO - WebTrust for SSL Baseline with Network Security Report-Management Assertion V2.pdf
274.76 KB, application/pdf
Details
Value vs Risk_SERPRO_SSL_CA.pdf
179.73 KB, application/pdf
Details

CCADB Case for this request has been opened here:
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000680

Initial Notes:

A Baseline-Requirements Self-Assessment needs to be submitted. Please download and use this: https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing. (See the CPS Review Items listed at the bottom of this Bug Comment)

Do you have “CA Email Alias”? (an email distribution list for important communications from browsers and others?) If so, what is it?

What are your recognized CAA domains?

Is there a “problem reporting” email address that is closely monitored for reporting suspected Private Key Compromise and to request rapid revocation?

I have uploaded your audit letter, but all CA certificates need to be reported by their SHA256 hash, uppercase letters, no spaces or colons, and all on one line. Here is the error we received when running the current audit letter through our Audit Letter Validation (ALV) program: “The thumbprint of R00001434 is not found”. There was only one CA listed in your audit, but all subordinates that are capable of issuing SSL certificates must be listed.

Also, whenever an audit letter is submitted for Baseline Requirements, it must also be accompanied by a standard WebTrust audit issued in accordance with WebTrust for CAs, v. 2.2.

Additionally, here are some “Needs” that need to be completed in the CCADB or submitted and attached here to this bug:

CA's Responses to the following Required Practices

NEED: CP/CPS section numbers addressing each of the items listed in https://wiki.mozilla.org/CA/Required_or_Recommended_Practices

\1. Publicly Available CP and CPS:

1.1 Revision Table, updated annually:

1.2 CAA Domains listed in CP/CPS:

1.3 BR Commitment to Comply statement in CP/CPS:

1.4 CP/CPS Structured According to RFC 3647, appropriate use of 'No Stipulation':

\2. Audit Criteria:

2.1 Complete Audit History:

CA key generation report, any point in time audits, all period of time audits

\3. Revocation of Compromised Certificates:

\4. Verifying Domain Name Ownership:

4.1 Baseline Requirements:

4.2 WHOIS:

4.3 Email Challenge-Response:

\5. Verifying Email Address Control:

\6. DNS names go in SAN:

\7. OCSP:

- OCSP SHALL NOT respond 'Good' for unissued certificates:

\8. Network Security Controls:

CA's Responses to the following Forbidden Practices

NEED: CP/CPS section numbers addressing each of the items listed in https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices

\1. Long-lived Certificates:

\2. Non-Standard Email Address Prefixes for Domain Ownership Validation:

\3. Issuing End Entity Certificates Directly From Trust Anchors

\4. Distributing Generated Private Keys in PKCS#12 Files:

\5. Certificates Referencing Local Names or Private IP Addresses:

\6. Issuing SSL Certificates for .int Domains:

\7. OCSP Responses Signed by a Certificate Under a Different CA:

\8. Issuance of SHA-1 Certificates:

\9. Delegation of Domain / Email Validation to Third Parties:

CA Certificate Download URL

NEED: A public URL through which the CA certificate can be directly downloaded.

(I had trouble finding it on https://certificados.serpro.gov.br/)

Certificate Testing

NEED:

- Provide 3 URLs to 3 test websites (valid, expired, revoked) whose TLS/SSL cert chains up to this CA.

Revocation Tested

NEED: Test with http://certificate.revocationcheck.com/ make sure there aren't any errors.

CA/Browser Forum Lint Test

NEED: Provide evidence that you have tested and verified that no certificates issued in this CA hierarchy violate any of the CA/Browser Forum Baseline Requirements (BRs).

BR Lint Test: https://github.com/awslabs/certlint

Mozilla will check that the CA is not issuing certificates that violate any of the BRs by using crt.sh on the proposed trust anchor and subordinate CAs via: https://crt.sh/?caid=<CA ID>&opt=cablint,zlint,x509lint&minNotBefore=2014-01-01

and/or

The Lint tests in https://crt.sh/?a=1

Test Website Lint Test

NEED: Provide evidence that you have tested and verified that no certificates issued in this CA hierarchy violate the X.509 rules.

X.509 Lint Test: https://github.com/kroeckx/x509lint

Full Description of Existing/Proposed PKI Hierarchy

NEED: URL and/or Description of this PKI Hierarchy.

Provide details related to any of the check-boxes above that are selected.

Add records for the existing intermediate certs to the CCADB as described here: https://ccadb.org/cas/intermediates#adding-intermediate-certificate-data

If Mozilla accepts and includes your CA certificate, then we have to assume that we also accept any of your future sub-CAs and their sub-CAs. Therefore, the selection criteria for your sub-CAs and their sub-CAs will be a critical decision factor. As well as the documentation and auditing of operations requirements that you place on your sub-CAs and their sub-CAs.

If this CA has (or will have) any subordinate CA certificates that are operated by external third parties, then provide the information listed in the Subordinate CA Checklist in a separate document. https://wiki.mozilla.org/CA/Subordinate_CA_Checklist

Constraints on External SubCAs & RAs

NEED: Describe constraints on external subordinate CAs and RAs.

As per section 5.3 of Mozilla's Root Store Policy, provide the required data for all of your non-technically-constrained subordinate CA certificates that chain up or will chain up to this proposed trust anchor.

This data may be provided as follows:

- If your CA has access to the CCADB, then you may upload existing CA certificates directly into the CCADB.

- Otherwise, provide this information here in your Bugzilla Bug.

Mozilla Applied Constraints

NEED: Mozilla has the ability to name-constrain trust anchors; e.g. to *.gov.br or *.mil.br, so CAs should consider if such constraints may be applied to this certificate.

https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/certdb/genname.c#1551

CPS Review Items

For future reference, here are the items that we will be reviewing in your CPS.

CP/CPS structured in accordance with RFC 3647 with no blank sections (MRSP § 3.3.5) (BR § 2.2)

CP/CPS made available under a Creative Commons License (MRSP § 3.3.3)

“CPs and CPSes are made available to Mozilla under one of the following Creative Commons licenses (or later versions)”

Statement of adherence to BRs and their precedence (MRSP § 2.3) (BR § 2.2)

“The CA SHALL publicly give effect to these Requirements and represent that it will adhere to the latest published version”, including a statement such as “in the event of any inconsistency between this CP/CPS and those Requirements, those Requirements take precedence.”

Separate, EKU-constrained issuing CAs (MRSP § 5.3) (BR § 7.1.2.2.g.)

Intermediate CAs must have an EKU, not the anyEKU EKU, and not both serverAuth and an emailProtection, codesigning, or timeStamping EKU.

Clear identification of CAs covered by CP/CPS (MRSP § 3.3.6)

“CAs must provide a way to clearly determine which CP and CPS applies to each of its root and intermediate certificates.”

Explicit annual revision of CP/CPS w/ table of changes (MRSP § 3.3.4) (BR § 2.3)

“CPs and CPSes MUST be reviewed and updated as necessary at least once every year, as required by the Baseline Requirements. CAs MUST indicate that this has happened by incrementing the version number and adding a dated changelog entry, even if no other changes are made to the document.” Also, a version history table provides evidence of compliance and good change management practices.

Statement of Non-Delegation for Domain Validation (BR § 1.3.2)

“With the exception of sections 3.2.2.4 and 3.2.2.5, the CA MAY delegate the performance of all, or any part, of Section 3.2 requirements to a Delegated Third Party, provided that the process as a whole fulfills all of the requirements of Section 3.2.”

Clear problem reporting instructions in section 1.5.2 (BR § 4.9.3)

“The CA SHALL provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with clear instructions for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to Certificates. The CA SHALL publicly disclose the instructions through a readily accessible online means and in section 1.5.2 of their CPS.”

Naming compliant with X.500, RFC5280 and BRs

The structure and use of names in certificates must comply with the Baseline Requirements, X.500, and RFC 5280.

No internal names or reserved IP addresses (BR § 7.1.4.2.1)

“CAs SHALL NOT issue certificates with a subjectAltName extension or subject:commonName field containing a Reserved IP Address or Internal Name.”

ALL certificates must meet Mozilla/BR validation requirements

CPS must specifically explain validation methods and validation steps taken to verify certificate requests in accordance with BR §§ 3.2.2.4 and 3.2.2.5 (MRSP § 2.2.3 and MRSP § 3.3.1)

CP/CPS must be sufficient “for Mozilla to determine whether and how the CA complies with this policy, including a description of the steps taken by the CA to verify certificate requests”.

[Note: It is also recommended that CAs ensure that the domain name registrant has approved or authorized a certificate request such that the certificate cannot be used to facilitate surreptitious interception by third parties (except with the domain registrant's permission).]

CA validates domain part of all e-mail addresses (MRSP § 2.2.2)

“For a certificate capable of being used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder’s behalf. The CA SHALL NOT delegate validation of the domain portion of an email address.”

Data sources need to be accurate (BR § 3.2.2.7 and EVG § 11.11.5)

For OV – “[For a] Reliable Data Source, the CA SHALL evaluate the source for its reliability, accuracy, and resistance to alteration or falsification.”

For EV - “A database qualifies as a QIIS if the CA determines that: (1) Industries other than the certificate industry rely on the database for accurate location, contact, or other information; and (2) The database provider updates its data on at least an annual basis.”

All information in a certificate must be verified (MRSP § 2.2.1) 3.2.4

“All information that is supplied by the certificate subscriber MUST be verified by using an independent source of information or an alternative communication channel before it is included in the certificate.”

Data reuse (certificate renewal) limited to 825 days (MRSP § 2.1.5) (BR § 4.2.1)

CAs must “verify that all of the information that is included in SSL certificates remains current and correct at time intervals of 825 days or less”.

CAA record checking and recognized domain names in section 4.2 (BR § 2.2)

“Section 4.2 of a CA’s Certificate Policy and/or Certification Practice Statement SHALL state the CA’s policy or practice on processing CAA Records for Fully Qualified Domain Names; that policy shall be consistent with these Requirements.”

Accounts capable of certificate issuance must have multi-factor authentication (MRSP § 2.1.3)

CAs must “enforce multi-factor authentication for all accounts capable of causing certificate issuance or performing Registration Authority or Delegated Third Party functions, or implement technical controls operated by the CA to restrict certificate issuance through the account to a limited set of pre-approved domains or email addresses”.

Pre-issuance linting (Recommended Practices)

“It is strongly recommended that CAs integrate such tools …. Because BR or RFC violations are generally considered by Mozilla to be misissuance, such integration will reduce the number of misissuance events a CA experiences”

Revocation in accordance with BR section 4.9.1 (MRSP § 6.1) (BR §§ 4.9.1.1 and 4.9.1.2)

24-hour revocation for reasons (1)-(5); 5 days for reasons (1)-(11) and 7 days for Intermediate CAs reasons (1) – (9)

SMIME Reasons for Revocation (MRSP § 6.2)

“For any certificate in a hierarchy capable of being used for S/MIME, CAs MUST revoke certificates upon the occurrence of any of the following events …”

CRLs at least every 7 days w/ nextUpdate not more than 10 days (MRSP § 6)

CA must not allow certificate suspension (BR § 4.9.13)

OCSP updates every 4 days w/ max. expiration of 10 days (MRSP § 6)

Provide Mozilla notice immediately upon private CA key compromise (MRSP § 7)

“Changes that are motivated by a security concern such as certificate misissuance or a root or intermediate compromise MUST be treated as a security-sensitive, and a secure bug filed in Bugzilla.”

CA must not generate Subscriber key pairs (MRSP § 5.2)

“CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage.”

Must meet RSA key requirements (MRSP § 5.1)

Must meet ECDSA key requirements, P-256 or P-384 (MRSP § 5.1)

Certificate lifetimes limited to 398 days (BR § 6.3.2)

“Subscriber Certificates … SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days.”

Network Security (MRSP § 2.1.2)

CAs must “follow industry best practice for securing their networks, for example by conforming to the CAB Forum Network Security Guidelines or a successor document”.

Serial numbers greater than 64 bits generated by a CSPRNG (MRSP § 5.2)

“all new certificates MUST have a serial number greater than zero, containing at least 64 bits of output from a CSPRNG.”

EKUs required in certificates issued after 7-1-2020 (MRSP § 5.2) (BR § 7.1.2.3.f)

Use of SHA-1 prohibited (MRSP § 5.1.3) (BR § 7.1.3.2.1)

Any CN must also be in a SAN (BR § 7.1.4.2.2.a)

Flags: needinfo?(lucia.castelli)
Whiteboard: [ca-initial] → [ca-verifying] BW 2020-12-04 Comment #2
Flags: needinfo?(lucia.castelli)

We are doing a new upload after the last email:
"I have uploaded your audit letter, but all CA certificates need to be reported by their SHA256 hash, uppercase letters, no spaces or colons, and all on one line. Here is the error we received when running the current audit letter through our Audit Letter Validation (ALV) program: “The thumbprint of R00001434 is not found”.

Attachment #9192420 - Attachment is obsolete: true

We are doing a new upload after the last email:
"I have uploaded your audit letter, but all CA certificates need to be reported by their SHA256 hash, uppercase letters, no spaces or colons, and all on one line. Here is the error we received when running the current audit letter through our Audit Letter Validation (ALV) program: “The thumbprint of R00001434 is not found”.

Attachment #9192421 - Attachment is obsolete: true

There are two CA certificates - I am assuming you want to use the most recent one issued March 12, 2020, and not the other one submitted, issued 12/12/2019. Correct?

Yes, we want to use the most recent, issued Marche 12,2020.
Thanks

OK - Thanks. I ran the ALV process on the most recent audit letter - https://bugzilla.mozilla.org/attachment.cgi?id=9193771 and it passed for the March 12, 2020 CA certificate, except that the audit letter needs to be downloadable from the WebTrust/CPA Canada website or from the website for "PKI Contabilidade e Auditoria Ltda." I also updated the CA certificate in the CCADB as Case 1506 - https://ccadb.force.com/a004o00000AdnzTAAR.

There are a lot of tasks that I need to solve. May I ask you if is possivle to review again what is missing to send ? How long we will take to add our certificate at Mozilla´s Browse.

I have another question about Apple. I read at CA/Browse Forum that they stopped to includde certificates in their browse. Is it true ?

About Microsoft: I already sent more than one email with the Form to include our certificate in their browse, but they never return nothing abou it.

How can I get notice what to do about Microsoft and Apple ?

Thanks for you support, I know that you are from Mozilla....

(In reply to Lucia Castelli from comment #15)

There are a lot of tasks that I need to solve. May I ask you if is possivle to review again what is missing to send ? How long we will take to add our certificate at Mozilla´s Browse.

I have another question about Apple. I read at CA/Browse Forum that they stopped to includde certificates in their browse. Is it true ?

Apple continues to operate a root store program: https://www.apple.com/certificateauthority/ca_program.html

About Microsoft: I already sent more than one email with the Form to include our certificate in their browse, but they never return nothing abou it.

I'm assuming you followed the process outlined at https://docs.microsoft.com/en-us/security/trusted-root/new-ca-application

How can I get notice what to do about Microsoft and Apple ?

All I can suggest is to be patient - the root inclusion process takes a long time and you should expect Apple and Microsoft to respond when they are ready to engage.

Thanks for you support, I know that you are from Mozilla....

Attached file CP_SERPRO_SSL_CA.pdf

CP Translated in english;

Attached file CPS_SERPRO_SSL_CA.pdf

CPS translated in english;

Thanks. I will review the CP and CPS, but there are still fields that need to be completed in the CCADB.
https://ccadb.force.com/a004o000006Tl4oAAC
https://ccadb.force.com/a004o00000AdnzTAAR

Hi @Bwilson, is possible to check what is missing to send ?

Thanks a lot.

Flags: needinfo?(bwilson)
Flags: needinfo?(bwilson)
Priority: -- → P3
Flags: needinfo?(bwilson)

Would like to know how is doing our CA process at Root Program ? Is it possible to check what is still missing ?
Thanks

The WebTrust for SSL Baseline Requirements audit report is always accompanied by a Webtrust Principles and Criteria for Certification Authorities, often referred to as a "Standard Audit" (current version is 2.2.1) - https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/wt100awebtrust-for-ca-221-110120-finalaoda.pdf?la=en&hash=0FDB6C541E7A61976625B9EAC55474D260A7E6FD. I don't believe that Webtrust standard audit has been submitted.

Also, the test websites all fail. See https://ccadb.force.com/a004o00000AdnzTAAR

After those two things are done I will perform a more detailed review and comment on your CPS. See comments I've made in the past to other CAs' CPSes. https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Documents_will_be_Reviewed.21

Flags: needinfo?(bwilson)
Attached file The

The attachement number 192424 is the Audit Report of Webtrust for CA.
I did it again.

About the fail at all test websites.
We need more information where exactly is our error, because at the message error is not clear for us.
Could you explain it ?
Thanks.

It may be failing on our side, so I will have to check these manually and please disregard the test websites error I mentioned in Comment #23. I will take a look at your application again sometime this week. Thanks for your patience.

(In reply to Ben Wilson from comment #26)

It may be failing on our side, so I will have to check these manually and please disregard the test websites error I mentioned in Comment #23. I will take a look at your application again sometime this week. Thanks for your patience.

Thats OK. Thanks again.

Here is a quick preliminary assessment of your CP/CPS that I'll input into the CCADB.

Required or Recommended Practices

1. Publicly Available CP and CPS: We need the URL where English version of the SERPRO CPS is available.
1.1 Revision Table, updated annually: Yes – CPS § 2.3
1.2 CAA Domains listed in CP/CPS: Yes – CPS § 4.2.4
1.3 BR Commitment to Comply statement in CP/CPS: Yes – CPS § 2.2
1.4 CP/CPS Structured According to RFC 3647, appropriate use of 'No Stipulation': Yes
2. Audit Criteria:
2.1 Complete Audit History (Root key generation report, any point in time audits, all period of time audits): Yes
3. Revocation of Compromised Certificates: Yes – CPS §§ 4.9.1-4.9.3
4. Verifying Domain Name Ownership:
4.1 Baseline Requirements: Yes – CPS § 3.2.2.4
4.2 WHOIS: OK
4.3 Email Challenge-Response: N/A
5. Verifying Email Address Control: N/A
6. DNS names go in SAN: Yes – CPS § 3.2.2.4
7. OCSP SHALL NOT respond 'Good' for unissued certs: TBD
8. Network Security Controls: CPS § 6.7 is good, but could be improved with reference to the CABF Network and Certificate System Security Requirements

Forbidden or Problematic Practices

1. Long-lived Certificates: CP § 6.3.2 and CPS § 6.3.2 references are circular (Certificate Lifetimes need to be stated)
2. Non-Standard Email Address Prefixes for Domain Ownership Validation: SERPRO does not use method from BR § 3.2.2.4.4
3. Issuing End Entity Certificates Directly From Roots: CA is not a Root CA
4. Distributing Generated Private Keys in PKCS#12 Files: CPS § 6.1.2
5. Certificates Referencing Local Names or Private IP Addresses: CPS § 3.2.2.5 – “any other method” of IP address validation is not allowed
6. OCSP Responses Signed by a Certificate Under a Different Root: TBD
7. Issuance of SHA-1 Certificates: CP § 7.1.3.1 (SHA-256 is used)
8. Delegation of Domain / Email Validation to Third Parties: TBD

I ran the revocation test using https://certificate.revocationcheck.com/active-repositorio.serpro.gov.br and encountered an OCSP error (404 Not found) for "http://ocsp.serpro.gov.br/acserprosslv1". Here is the error response: "Error parsing OCSP response: asn1: structure error: tags don't match (16 vs {class:0 tag:28 length:33 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} responseASN1 @2"

This will need to be fixed.

Then, running the lint test for the CA (https://crt.sh/?caid=194400), using this URL:
https://cachecker-dot-ccadb-231121.appspot.com/summary/194400?max_depth=-1&start=2020-03-12&end=2021-06-02&z_lint=on&cab_lint=on&x509_lint=on
There were the following number of certificates with these errors:
18 Organization Name Too Long (MUST be less than 65 characters)
526 Invalid SAN entries (MUST be FQDN or ipAddress)
1 IP address in dns name
10 DNSName was not an FQDN

These certificates will need to be revoked/replaced and the error-causing conditions will need to be corrected.

Required or Recommended Practices

  1. Publicly Available CP and CPS: We need the URL where English version of the SERPRO CPS is available:
    A: https://repositorio.serpro.gov.br/docs/CPS_SERPRO_SSL_CA.pdf
    https://repositorio.serpro.gov.br/docs/CP_SERPRO_SSL_CA.pdf

We are fixing the others items.

Thanks !

The CCADB has been updated with these URLs.

According to the CCADB, an annual period of time audit will soon be due. The last one that we have on file was issued 2-June-2020 for the period ending 29 May 2020. Do you know when you will have that audit report? Thanks.

Flags: needinfo?(lucia.castelli)
Whiteboard: [ca-verifying] BW 2020-12-04 Comment #2 → [ca-verifying] BW 2021-06-25 Comment #32

We are currently finalizing the audit process for the CA in question, and we believe that by July 20th it will be possible to submit its report.

Flags: needinfo?(lucia.castelli)

According a quick preliminary assessment of our CP/CPS, we did another revision and we need upload to this 2 documents: CPS and CP. Where I will do it ?

You can attach them here. Also, isn't there a "repository" page on your website - e.g. https://www.serpro.gov.br/links-fixos-superiores/pss-serpro/acserprossl ?

For sure, there is a "repository" at https://www.serpro.gov.br/links-fixos-superiores/pss-serpro/acserprossl, where we already published it.
Also I attached at CCADB.
Thanks !

(In reply to Ben Wilson from comment #29)

I ran the revocation test using https://certificate.revocationcheck.com/active-repositorio.serpro.gov.br and encountered an OCSP error (404 Not found) for "http://ocsp.serpro.gov.br/acserprosslv1". Here is the error response: "Error parsing OCSP response: asn1: structure error: tags don't match (16 vs {class:0 tag:28 length:33 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} responseASN1 @2"

This will need to be fixed.

Then, running the lint test for the CA (https://crt.sh/?caid=194400), using this URL:
https://cachecker-dot-ccadb-231121.appspot.com/summary/194400?max_depth=-1&start=2020-03-12&end=2021-06-02&z_lint=on&cab_lint=on&x509_lint=on
There were the following number of certificates with these errors:
18 Organization Name Too Long (MUST be less than 65 characters)
526 Invalid SAN entries (MUST be FQDN or ipAddress)
1 IP address in dns name
10 DNSName was not an FQDN

These certificates will need to be revoked/replaced and the error-causing conditions will need to be corrected.

We've fixed a misconfiguration in our server and now the OCSP service is responding accordingly as shown below:
$ openssl ocsp -issuer cadeia2.pem -cert activeocsp.cer -text -url http://ocsp.serpro.gov.br/acserprosslv1
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: C1436F292AD8977C06C65BE854B0D9AA49D71845
Issuer Key Hash: AD164F4BF10CBEC28AA28518D70D46259322E3CD
Serial Number: F39B01AF3BDEC9327B28E7B9
Request Extensions:
OCSP Nonce:
0410FF3BD8E39AB0F2E0A2CBD7EF02F9687F
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = BR, O = ICP-Brasil, OU = Autoridade Certificadora Raiz Brasileira v10, CN = Autoridade Certificadora do SERPRO SSLv1
Produced At: Jul 22 18:52:05 2021 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: C1436F292AD8977C06C65BE854B0D9AA49D71845
Issuer Key Hash: AD164F4BF10CBEC28AA28518D70D46259322E3CD
Serial Number: F39B01AF3BDEC9327B28E7B9
Cert Status: good
This Update: Jul 22 18:52:05 2021 GMT
Next Update: Jul 23 02:52:05 2021 GMT

We already finished our audit Webtrust for CA and got our Seal. We attached the letter.

Do you have a seal ID number yet? When you get it, it should look something like this:
https://www.cpacanada.ca/webtrustseal?sealid=107XX
Additionally, you need to have a WebTrust for Baseline Requirements audit report and seal. The attached WebTrust report only covers standard CA practices under WebTrust ver. 2.2.1.
Also, we will need a statement of auditor qualifications. See https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications

(In reply to Andre from comment #37)

(In reply to Ben Wilson from comment #29)

I ran the revocation test using https://certificate.revocationcheck.com/active-repositorio.serpro.gov.br and encountered an OCSP error (404 Not found) for "http://ocsp.serpro.gov.br/acserprosslv1". Here is the error response: "Error parsing OCSP response: asn1: structure error: tags don't match (16 vs {class:0 tag:28 length:33 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} responseASN1 @2"

We've fixed a misconfiguration in our server and now the OCSP service is responding accordingly as shown below:
$ openssl ocsp -issuer cadeia2.pem -cert activeocsp.cer -text -url http://ocsp.serpro.gov.br/acserprosslv1
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: C1436F292AD8977C06C65BE854B0D9AA49D71845
Issuer Key Hash: AD164F4BF10CBEC28AA28518D70D46259322E3CD
Serial Number: F39B01AF3BDEC9327B28E7B9
Request Extensions:
OCSP Nonce:
0410FF3BD8E39AB0F2E0A2CBD7EF02F9687F
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = BR, O = ICP-Brasil, OU = Autoridade Certificadora Raiz Brasileira v10, CN = Autoridade Certificadora do SERPRO SSLv1
Produced At: Jul 22 18:52:05 2021 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: C1436F292AD8977C06C65BE854B0D9AA49D71845
Issuer Key Hash: AD164F4BF10CBEC28AA28518D70D46259322E3CD
Serial Number: F39B01AF3BDEC9327B28E7B9
Cert Status: good
This Update: Jul 22 18:52:05 2021 GMT
Next Update: Jul 23 02:52:05 2021 GMT

When I run the same command, I get:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: C1436F292AD8977C06C65BE854B0D9AA49D71845
Issuer Key Hash: AD164F4BF10CBEC28AA28518D70D46259322E3CD
Serial Number: F39B01AF3BDEC9327B28E7B9
Request Extensions:
OCSP Nonce:
0410E45BBE45B2F0BE75C8F2E543611D9B22
Error querying OCSP responder
28296:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:.\crypto\ocsp\ocsp_ht.c:314:Code=500,Reason=Internal Server Error

The following errors are given through this URL: https://certificate.revocationcheck.com/active-repositorio.serpro.gov.br
With GET to http://ocsp.serpro.gov.br/acserprosslv1 404 Not Found
With POST to http://ocsp.serpro.gov.br/acserprosslv1 500 Internal Server Error

Using curl for the OCSP GET
curl --verbose --url http://ocsp.serpro.gov.br/acserprosslv1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTBQ28pKtiXfAbGW%2BhUsNmqSdcYRQQUrRZPS%2FEMvsKKooUY1w1GJZMi480CDQDzmwGvO97JMnso57k%3D

  • Trying 161.148.2.53...
  • TCP_NODELAY set
  • Connected to ocsp.serpro.gov.br (161.148.2.53) port 80 (#0)

GET /acserprosslv1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTBQ28pKtiXfAbGW%2BhUsNmqSdcYRQQUrRZPS%2FEMvsKKooUY1w1GJZMi480CDQDzmwGvO97JMnso57k%3D HTTP/1.1
Host: ocsp.serpro.gov.br
User-Agent: curl/7.55.1
Accept: /

< HTTP/1.1 404 Not Found
< Date: Wed, 22 Sep 2021 03:01:55 GMT
< Server: Apache/2.4.25 (Debian)
< Content-Length: 320
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /acserprosslv1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTBQ28pKtiXfAbGW+hUsNmqSdcYRQQUrRZPS/EMvsKKooUY1w1GJZMi480CDQDzmwGvO97JMnso57k= was not found on this server.</p>
</body></html>

  • Connection #0 to host ocsp.serpro.gov.br left intact

(In reply to Ben Wilson from comment #39)

Do you have a seal ID number yet? When you get it, it should look something like this:
https://www.cpacanada.ca/webtrustseal?sealid=107XX
Additionally, you need to have a WebTrust for Baseline Requirements audit report and seal. The attached WebTrust report only covers standard CA practices under WebTrust ver. 2.2.1.
Also, we will need a statement of auditor qualifications. See https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications

  1. The seal ID number: https://www.cpacanada.ca/webtrustseal?sealid=10748 - Standard CA practices under WebTrust ver. 2.2.1.
  2. About the WebTrust for Baseline Requirements audit report and seal: We already finished the audit but the auditors company said that we need to do the revogation of all certificates (526 Invalid SAN entries) -> Comment #29 before, than they will send to webtrust the audit report to issue this seal(BR SSL).
  3. Statement of auditor qualifications: We will send.

Already attached the statment of auditor qualifications.

(In reply to Ben Wilson from comment #40)

(In reply to Andre from comment #37)

(In reply to Ben Wilson from comment #29)

I ran the revocation test using https://certificate.revocationcheck.com/active-repositorio.serpro.gov.br and encountered an OCSP error (404 Not found) for "http://ocsp.serpro.gov.br/acserprosslv1". Here is the error response: "Error parsing OCSP response: asn1: structure error: tags don't match (16 vs {class:0 tag:28 length:33 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} responseASN1 @2"

We've fixed a misconfiguration in our server and now the OCSP service is responding accordingly as shown below:
$ openssl ocsp -issuer cadeia2.pem -cert activeocsp.cer -text -url http://ocsp.serpro.gov.br/acserprosslv1
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: C1436F292AD8977C06C65BE854B0D9AA49D71845
Issuer Key Hash: AD164F4BF10CBEC28AA28518D70D46259322E3CD
Serial Number: F39B01AF3BDEC9327B28E7B9
Request Extensions:
OCSP Nonce:
0410FF3BD8E39AB0F2E0A2CBD7EF02F9687F
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = BR, O = ICP-Brasil, OU = Autoridade Certificadora Raiz Brasileira v10, CN = Autoridade Certificadora do SERPRO SSLv1
Produced At: Jul 22 18:52:05 2021 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: C1436F292AD8977C06C65BE854B0D9AA49D71845
Issuer Key Hash: AD164F4BF10CBEC28AA28518D70D46259322E3CD
Serial Number: F39B01AF3BDEC9327B28E7B9
Cert Status: good
This Update: Jul 22 18:52:05 2021 GMT
Next Update: Jul 23 02:52:05 2021 GMT

When I run the same command, I get:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: C1436F292AD8977C06C65BE854B0D9AA49D71845
Issuer Key Hash: AD164F4BF10CBEC28AA28518D70D46259322E3CD
Serial Number: F39B01AF3BDEC9327B28E7B9
Request Extensions:
OCSP Nonce:
0410E45BBE45B2F0BE75C8F2E543611D9B22
Error querying OCSP responder
28296:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:.\crypto\ocsp\ocsp_ht.c:314:Code=500,Reason=Internal Server Error

The following errors are given through this URL: https://certificate.revocationcheck.com/active-repositorio.serpro.gov.br
With GET to http://ocsp.serpro.gov.br/acserprosslv1 404 Not Found
With POST to http://ocsp.serpro.gov.br/acserprosslv1 500 Internal Server Error

Ok we will check this service so that soon we can make this test again.

(In reply to Lucia Castelli from comment #42)

(In reply to Ben Wilson from comment #39)

Do you have a seal ID number yet? When you get it, it should look something like this:
https://www.cpacanada.ca/webtrustseal?sealid=107XX
Additionally, you need to have a WebTrust for Baseline Requirements audit report and seal. The attached WebTrust report only covers standard CA practices under WebTrust ver. 2.2.1.
Also, we will need a statement of auditor qualifications. See https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications

  1. The seal ID number: https://www.cpacanada.ca/webtrustseal?sealid=10748 - Standard CA practices under WebTrust ver. 2.2.1.
  2. About the WebTrust for Baseline Requirements audit report and seal: We already finished the audit but the auditors company said that we need to do the revogation of all certificates (526 Invalid SAN entries) -> Comment #29 before, than they will send to webtrust the audit report to issue this seal(BR SSL).
  3. Statement of auditor qualifications: We will send.

Dear Ben Wilson,

I ask your attention to following subject.
The Certification Authority SERPRO SSL is since September 2020 registered at the Common CA Data Base and being analyzed by Mozilla since February 2021.
In June 1st 2021 the CA was notified of the following errors and warnings:
Then, running the lint test for the CA (https://crt.sh/?caid=194400),  using this URL:
https://cachecker-dot-ccadb-231121.appspot.com/summary/194400?max_depth=-1&start=2020-03-12&end=2021-06-02&z_lint=on&cab_lint=on&x509_lint=on 
There were the following number of certificates with these errors:
18 Organization Name Too Long (MUST be less than 65 characters)
526 Invalid SAN entries (MUST be FQDN or ipAddress)
1 IP address in dns name
10 DNSName was not an FQDN
These certificates will need to be revoked/replaced and the error-causing conditions will need to be corrected.

The needed notifications were made in the period of 12th March 2020 and    the 7th June 2021.
The necessary corrections at the CA's system were also executed and  since the 1st of July 2021 all issued certificates are in the correct
form.
The 526 certificates issued with the invalid SAN are being revoked and replaced for new, correct ones.
Until this point 29% of the 526 certificates have already been revoked.
Considering the fact that this is a process that depends on the client side, who should install and test the new certificate, it takes some
time to conclude this recall. We are doing everything we can to make it as fast as possible.

In September 21st we received following notification, already answered:

(In reply to Ben Wilson from comment #39)
Do you have a seal ID number yet? When you get it, it should look
something like this:
https://www.cpacanada.ca/webtrustseal?sealid=107XX
Additionally, you need to have a WebTrust for Baseline Requirements
audit report and seal. The attached WebTrust report only covers standard
CA practices under WebTrust ver. 2.2.1.
Also, we will need a statement of auditor qualifications. See
https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications
1.        The seal ID number:
https://www.cpacanada.ca/webtrustseal?sealid=10748 - Standard CA
practices under WebTrust ver. 2.2.1.
2.        About the WebTrust for Baseline Requirements audit report and seal:
We already finished the audit but the auditors company said that we need
to do the revogation of all certificates (526 Invalid SAN entries) ->
Comment #29 before, than they will send to webtrust the audit report to
issue this seal(BR SSL).
3.        Statement of auditor qualifications: We will send.

The auditing of the Certification Authority SERPRO SSL is in progress  and the auditing entity is aware of the need for this recall. They are
also following the process.
Considering that we need to conclude this auditing and obtain the WebTrust BR SSL seal in order to continue the procedures with Mozzila,
we will ask the auditing entity to finish the auditing report stating  that this issue has been solved so that we can fulfill the received
notification: Comment #29 - Bugzilla(01.06.2021)

Do you agree with this or do you have any other suggestion?

Thanks and kind regards,

(In reply to Lucia Castelli from comment #46)

In June 1st 2021 the CA was notified of the following errors and warnings:
Then, running the lint test for the CA (https://crt.sh/?caid=194400),  using this URL:
https://cachecker-dot-ccadb-231121.appspot.com/summary/194400?max_depth=-1&start=2020-03-12&end=2021-06-02&z_lint=on&cab_lint=on&x509_lint=on 
There were the following number of certificates with these errors:
18 Organization Name Too Long (MUST be less than 65 characters)
526 Invalid SAN entries (MUST be FQDN or ipAddress)
1 IP address in dns name
10 DNSName was not an FQDN
These certificates will need to be revoked/replaced and the error-causing conditions will need to be corrected.

The needed notifications were made in the period of 12th March 2020 and    the 7th June 2021.
The necessary corrections at the CA's system were also executed and  since the 1st of July 2021 all issued certificates are in the correct
form.
The 526 certificates issued with the invalid SAN are being revoked and replaced for new, correct ones.
Until this point 29% of the 526 certificates have already been revoked.
Considering the fact that this is a process that depends on the client side, who should install and test the new certificate, it takes some
time to conclude this recall. We are doing everything we can to make it as fast as possible.

...

Considering that we need to conclude this auditing and obtain the WebTrust BR SSL seal in order to continue the procedures with Mozzila,
we will ask the auditing entity to finish the auditing report stating  that this issue has been solved so that we can fulfill the received
notification: Comment #29 - Bugzilla(01.06.2021)

Do you agree with this or do you have any other suggestion?

Regarding the quoted information above, does your auditor need clarification from Mozilla on the current status (re: Comment #29) in order to finalize its WebTrust for Baseline Requirements seal? That discussion would seem to be between SERPRO and your auditor. On the other hand, if your auditor instead wishes to issue a "qualified" WebTrust BR audit and not the seal file, that would be acceptable, too. In this latter case, we would upload that qualified WebTrust BR audit to this Bugzilla bug as an attachment and use that as the reference in the CCADB. However, I'm not sure if that is what you are asking. We'd prefer to have an unqualified BR audit and seal, but we can work with your timeframes, since you are encountering a delay in getting the remaining certificates of the 526 revoked. In summary, we appreciate your efforts to continue with your inclusion request, but please clarify your question(s) to us so that we can provide better answer(s) for you. Thanks.

Dear Ben

Yours explanations were sufficient for our auditors to opt for an unqualified report BR audit and seal.
We continue our efforts to revoke the 526 certificates.
Thank you.

We attached the new one report from audit.
This report is being submitted for consideration by Webtrust, therefore the seal has not yet been issued.

Attachment #9193771 - Attachment is obsolete: true

(In reply to Lucia Castelli from comment #49)

Created attachment 9244222 [details]
AC SERPRO - WebTrust for SSL Baseline with Network Security Report-Management Assertion_SIGNED.pdf

We attached the new one report from audit.
This report is being submitted for consideration by Webtrust, therefore the seal has not yet been issued.

Now we have even the seal:

https://www.cpacanada.ca/webtrustseal?sealid=10784

Thanks! It is not a fatal error, but the date formats for the period of time covered by the audit letter say, "May, 30 2020 to 29 May 2021".
In the future, it should be formatted consistently for processing by ALV as one of these three:
Month DD, YYYY example: May 7, 2016
DD Month YYYY example: 7 May 2016
YYYY-MM-DD example: 2016-05-07

See https://www.ccadb.org/policy#51-audit-statement-content

Thanks ! We forwarded it to the auditors and understand that we will not need to request a change this time.

I am still looking for a resolution of Comment #40. Can you upload a signed OCSP response here as an attachment that I can verify?

Flags: needinfo?(andrewzynho)

(In reply to Ben Wilson from comment #51)

Thanks! It is not a fatal error, but the date formats for the period of time covered by the audit letter say, "May, 30 2020 to 29 May 2021".
In the future, it should be formatted consistently for processing by ALV as one of these three:
Month DD, YYYY example: May 7, 2016
DD Month YYYY example: 7 May 2016
YYYY-MM-DD example: 2016-05-07

See https://www.ccadb.org/policy#51-audit-statement-content

Dear Ben, we already have another report with the date formatted consitently. I will attached.

(In reply to Ben Wilson from comment #53)

I am still looking for a resolution of Comment #40. Can you upload a signed OCSP response here as an attachment that I can verify?

We are studying how to fix this problem and till next tuesday(19/10) we will publish a definitive answer.
Thanks the patience.

(In reply to Lucia Castelli from comment #55)

(In reply to Ben Wilson from comment #53)

I am still looking for a resolution of Comment #40. Can you upload a signed OCSP response here as an attachment that I can verify?

We are studying how to fix this problem and till next tuesday(19/10) we will publish a definitive answer.
Thanks the patience.

Dear Ben,

the fix for the problem has already been identified and by 10/31 will be fixed. Thank you.

Still awaiting resolution of OCSP errors - see https://certificate.revocationcheck.com/active-repositorio.serpro.gov.br

http://ocsp.serpro.gov.br/acserprosslv1 (GET) returns a 404 error.
and
http://ocsp.serpro.gov.br/acserprosslv1 (POST) returns a 500 error.

We are still having problems with our OCSP. We will send more details about. Thanks

We are having a message below and this CA did not issue EV Certificates. Could you explain what is happening ?

Issuer Name: C=BR, O=ICP-Brasil, OU=Autoridade Certificadora Raiz Brasileira v10, CN=Autoridade Certificadora do SERPRO SSLv1
Linter: cablint
Issue: EV certificates must not include UID in subject
1 certificates with this lint issue under this CA.

Cert ID Not Before Not After Subject CN OneCRL Revoked Google Revoked Microsoft Revoked SHA-256 fingerprint
6047926269 2022-01-25 20:05:00 2023-01-25 20:05:00 C=BR, ST=DF, L=BRASILIA, O=CAIXA ECONOMICA FEDERAL, OU=c160a6f5-e5df-5067-9e97-ec6fba62fd87, serialNumber=00360305000104, CN=consentimento.openbanking.caixa.gov.br, businessCategory=Business Entity, jurisdictionC=BR, UID=d07cc967-abcd-4c35-942c-8e957e9e0ea4 False False False 79335fc0cf701de8a96be29f62739effcd53dede3be6d9b20f3b1f7cfd7919e1

Thanks

(In reply to Ben Wilson from comment #58)

Still awaiting resolution of OCSP errors - see https://certificate.revocationcheck.com/active-repositorio.serpro.gov.br

http://ocsp.serpro.gov.br/acserprosslv1 (GET) returns a 404 error.
and
http://ocsp.serpro.gov.br/acserprosslv1 (POST) returns a 500 error.

Ben, that is the return from ou enginering team:

" a new attempt was made to publish the OCSP service in production, but without success. We have opened a support ticket for Kryptus and they have already responded with new versions of the access libraries.

The development team is doing the necessary checks for a retry."

Thanks

We already fixed it and The OCSP is working well, you can see below the answer from: https://certificate.revocationcheck.com/active-repositorio.serpro.gov.br.
Thanks

(In reply to Lucia Castelli from comment #60)

We are having a message below and this CA did not issue EV Certificates. Could you explain what is happening ?

Issuer Name: C=BR, O=ICP-Brasil, OU=Autoridade Certificadora Raiz Brasileira v10, CN=Autoridade Certificadora do SERPRO SSLv1
Linter: cablint
Issue: EV certificates must not include UID in subject
1 certificates with this lint issue under this CA.

Cert ID Not Before Not After Subject CN OneCRL Revoked Google Revoked Microsoft Revoked SHA-256 fingerprint
6047926269 2022-01-25 20:05:00 2023-01-25 20:05:00 C=BR, ST=DF, L=BRASILIA, O=CAIXA ECONOMICA FEDERAL, OU=c160a6f5-e5df-5067-9e97-ec6fba62fd87, serialNumber=00360305000104, CN=consentimento.openbanking.caixa.gov.br, businessCategory=Business Entity, jurisdictionC=BR, UID=d07cc967-abcd-4c35-942c-8e957e9e0ea4 False False False 79335fc0cf701de8a96be29f62739effcd53dede3be6d9b20f3b1f7cfd7919e1

Thanks

(In reply to Ben Wilson from comment #58)

Still awaiting resolution of OCSP errors - see https://certificate.revocationcheck.com/active-repositorio.serpro.gov.br

http://ocsp.serpro.gov.br/acserprosslv1 (GET) returns a 404 error.
and
http://ocsp.serpro.gov.br/acserprosslv1 (POST) returns a 500 error.

We are waiting your return abour this "error" that you wrote to us:

"On Wed, Feb 23, 2022 at 3:16 PM Ben Wilson <bwilson@mozilla.com> wrote:
I get an error from your OCSP server that the OCSP request is "malformed". I will have to get help in determining the cause of that error message."

Thanks !

(In reply to Lucia Castelli from comment #63)

(In reply to Lucia Castelli from comment #60)

We are having a message below and this CA did not issue EV Certificates. Could you explain what is happening ?

Issuer Name: C=BR, O=ICP-Brasil, OU=Autoridade Certificadora Raiz Brasileira v10, CN=Autoridade Certificadora do SERPRO SSLv1
Linter: cablint
Issue: EV certificates must not include UID in subject
1 certificates with this lint issue under this CA.

CABLint is (mis)detecting https://crt.sh/?id=6047926269&opt=cablint and https://crt.sh/?id=6197337289&opt=cablint as EV certificates, due to the presence of the subject:jurisdictionCountryName field in both of them.

The subject:jurisdictionCountryName field was first defined by the EV Guidelines as a mandatory field for EV server certificates. At that time there were no standard CABForum certificate policy OIDs for DV, OV, IV, and EV server certificates, and so looking for the subject:jurisdictionCountryName field was the best (and perhaps the only) way to reliably determine whether or not a certificate was intended to be an EV server certificate.

However, since BR 7.1.4.2.2(j) permits "Other Subject Attributes" that have been "verified by the CA", it would appear that it's legitimate to include subject:jurisdictionCountryName in non-EV, BR-compliant certificates, and it seems that this is what ICP-Brasil has done here.

So I think what's needed here is for CABLint to be updated to treat the CABForum policy OIDs as a stronger indication of the intended certificate type.

CABLint is (mis)detecting https://crt.sh/?id=6047926269&opt=cablint and https://crt.sh/?id=6197337289&opt=cablint as EV certificates, due to the presence of the subject:jurisdictionCountryName field in both of them.

These certificates are not TLS serverAuth certificates but rather clientAuth. Given this, they are not in scope Mozilla Root Policy and the BRs, at least from a Mozilla Root Program standpoint.

Do you have any newer English version of the SERPRO SSL CPS? I believe that the last one I received was version 4.1 - dated June 2021.
Thanks,
Ben

Flags: needinfo?(lucia.castelli)

(In reply to Ben Wilson from comment #67)

Do you have any newer English version of the SERPRO SSL CPS? I believe that the last one I received was version 4.1 - dated June 2021.
Thanks,
Ben

Dear Ben, tha last one is 4.1: https://repositorio.serpro.gov.br/docs/CPS_SERPRO_SSL_CA.pdf

Thanks

Flags: needinfo?(lucia.castelli)

(In reply to Rob Stradling from comment #65)

CABLint is (mis)detecting https://crt.sh/?id=6047926269&opt=cablint and https://crt.sh/?id=6197337289&opt=cablint as EV certificates, due to the presence of the subject:jurisdictionCountryName field in both of them.

FYI, I've updated CABLint so that it no longer misidentifies these as EV certs.

(In reply to Rob Stradling from comment #69)

(In reply to Rob Stradling from comment #65)

CABLint is (mis)detecting https://crt.sh/?id=6047926269&opt=cablint and https://crt.sh/?id=6197337289&opt=cablint as EV certificates, due to the presence of the subject:jurisdictionCountryName field in both of them.

FYI, I've updated CABLint so that it no longer misidentifies these as EV certs.

Thank you !

Whiteboard: [ca-verifying] BW 2021-06-25 Comment #32 → [ca-cps-review] BW 2022-03-21

I'll begin reviewing CPS version 4.1 dated June 2021.

Flags: needinfo?(andrewzynho)

(In reply to Ben Wilson from comment #71)

I'll begin reviewing CPS version 4.1 dated June 2021.

Ok. Thank you !

Here are my brief comments to CPS v. 4.1 dated June 2021 (my more extensive set of comments were lost due to some type of computer error).

Section Number Comments
1.2.1. Revisions Note the Effective Date for each item in the table. Certificates created after each Effective Date are expected to be in compliance with the item. Make sure your CA is in compliance with each of these items. After careful consideration, indicate if your CA is fully compliant with all items in the table, or clearly indicate action that your CA is taking to improve compliance. Improvement needed - SERPRO needs to stay current with developments in the CA/Browser Forum and with Mozilla's Root Store Policy.
1.2.2. Relevant Dates Note the Compliance date for each item in the table. Those are the dates by which your CP/CPS and practices are expected to be updated to comply with the item. Make sure your CA is in compliance with each of these items. After careful consideration, indicate if your CA is fully compliant with all items in the table, or clearly indicate action that your CA is taking to improve compliance. Improvement needed - SERPRO needs to stay current with developments in the CA/Browser Forum and with Mozilla's Root Store Policy.
1.3.2. Registration Authorities Indicate whether your CA allows for Delegated Third Parties, or not. Indicate which sections of your CP/CPS specify such requirements, and how the CP/CPS meets the BR requirements for RAs. Need to fix Section 1.3.2.1 of the SERPRO CPS needs to state that domain validation is not delegated to third party registration authorities.
2.2 Publication of information - RFC 3647 "Effective as of 31 May 2018, the Certificate Policy and/or Certification Practice Statement MUST be structured in accordance with RFC 3647." Need to fix Multiple section headings do not match the outline in the appendix of RFC 3647. These need to be fixed.
2.3. Time or frequency of publication "The CA SHALL ... annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements. Section 3.3 of Mozilla's Root Store Policy states: "CPs and CPSes MUST be reviewed and updated as necessary at least once every year, as required by the Baseline Requirements. CAs MUST indicate that this has happened by incrementing the version number and adding a dated changelog entry, even if no other changes are made to the document." Indicate your CA's policies/practices to ensure that the BRs are reviewed regularly, and that the CA's CP/CPS is updated annually. Should fix section 2.3.1 to state that the CP/CPS is republished and reversioned annually even if there are no changes.
3.2.2.4 Validation of Domain Authorization or Control Indicate which of the methods of domain validation your CA uses, and where this is described in your CP/CPS. See below
3.2.2.4.6 Agreed‐Upon Change to Website If your CA uses this method of domain validation, indicate where in the CP/CPS it is described, and how your CA meets the requirements in this section of the BRs. NEED TO REPLACE WITH UPDATED BR METHOD 3.2.2.4.18
3.2.2.4.18 Agreed‐Upon Change to Website v2 Move to here and re-phrase based on BR section 3.2.2.4.18
3.2.2.5 Authentication for an IP Address If your CA allows IP Addresss to be listed in certificates, *indicate which methods your CA uses* and how your CA meets the requirements in this section of the BRs. OUTDATED CROSS-REFERENCE - this method (3.2.2.4.18) cannot be used
3.2.2.6 Wildcard Domain Validation If your CA allows certificates with a wildcard character (*) in a CN or subjectAltName of type DNS‐ID, then indicate how your CA meets the requirements in this seciton of the BRs. OUTDATED CROSS-REFERENCE - this method (3.2.2.4.18) cannot be used - "This method is NOT suitable for validating Wildcard Domain Names."
4.3.1. CA Actions during Certificate Issuance
4.9.1.1 Reasons for Revoking a Subscriber Certificate Indicate which section in your CA's CP/CPS contains the list of reasons for revoking certificates. Reason 4 is missing - "The CA is made aware of a demonstrated or proven method that can easily compute the Subscriber’s Private Key based on the Public Key in the Certificate (such as a Debian weak key, see https://wiki.debian.org/SSLkeys);" Also, re-check section 4.9.1.1 of the Baseline Requirements to ensure that no other revocation reasons are missing.
4.9.2. Who Can Request Revocation SERPRO needs to accommodate third parties with a copy of the private key who can demonstrate key compromise and request revocation
4.9.10. On-line Revocation Checking Requirements Indicate how your CA meets all of the requirements listed in this section, including support of GET, update frequency, preventing erronious return of "good" status. I did not see where SERPRO states that it supports "GET" and does not respond "good" for a non-existent certificate serial number.
5.7.3 Key Compromise Mozilla and other root stores need to be notified if there is a compromise of the CA's private key
6.1.5. Key Sizes Need to specify
6.1.6. Public Key Parameters Generation and Quality Checking Need to specify (see BR section 6.1.6)
Whiteboard: [ca-cps-review] BW 2022-03-21 → [ca-cps-review] BW 2022-04-29 Comment #73

Ben, I already sent to CCADB a new version from the last revision that you did. Version 4.2 March, 2022
Could you check this version ? Thanks and best regards.

(In reply to Lucia Castelli from comment #74)

Ben, I already sent to CCADB a new version from the last revision that you did. Version 4.2 March, 2022
Could you check this version ? Thanks and best regards.

You can access the link with the new version at: https://repositorio.serpro.gov.br/docs/CPS_SERPRO_SSL_CA.pdf
Thanks

OK - somehow I missed that one. I'll take a closer look at version 4.2 and get back to you.

Priority: P3 → P2

Here are comments after a review of version 4.2 of the CPS:

Section Number Comment
1.3.2. Registration Authorities or 3.2.2.4 Validation of Domain Authorization or Control The SERPRO CPS should be more explicit and state that only SERPRO SSL CA performs the domain validation required by section 3.2.2.4 of the Baseline Requirements (BR) and that the task is never delegated to any third party.
3.2.2.4.18 Agreed‐Upon Change to Website v2 The explanation of the processes used to fulfill the requirements of BR section 3.2.2.4.18 are not sufficiently detailed. The CPS needs to provide a detailed explanation of the steps followed to perform the method "Agreed-Upon Change to Website".
3.2.2.5 Authentication for an IP Address This method should be based on BR 3.2.2.5.1 Agreed‑Upon Change to Website (not 3.2.2.4.18, even though they are very similar) , and the CPS needs sufficient explanation of how this occurs.
3.2.2.6 Wildcard Domain Validation This method (BR 3.2.2.4.18) cannot be used to issue Wildcard Certificates- BR 3.2.2.4.18 states, "This method is NOT suitable for validating Wildcard Domain Names."
4.9.1.1 Reasons for Revoking a Subscriber Certificate Reason 4 of BR 4.9.1.1 is missing - "The CA is made aware of a demonstrated or proven method that can easily compute the Subscriber’s Private Key based on the Public Key in the Certificate (such as a Debian weak key, see https://wiki.debian.org/SSLkeys);"
4.9.2. Who Can Request Revocation SERPRO needs to accommodate revocation requests by third parties who have a copy of the private key and who can demonstrate key compromise.
4.9.12 Special Requirements Related of Key Compromise This section 4.9.12 needs to explain how someone with possession of the private key can demonstrate that the private key has been compromised. See https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#6-revocation.
5.7.3 Key Compromise Mozilla and other root stores need to be notified if there is a compromise of the SERPRO SSL CA private key.

Thanks Ben, I will check again !

(In reply to Ben Wilson from comment #77)

Here are comments after a review of version 4.2 of the CPS:

Section Number Comment
1.3.2. Registration Authorities or 3.2.2.4 Validation of Domain Authorization or Control The SERPRO CPS should be more explicit and state that only SERPRO SSL CA performs the domain validation required by section 3.2.2.4 of the Baseline Requirements (BR) and that the task is never delegated to any third party.
3.2.2.4.18 Agreed‐Upon Change to Website v2 The explanation of the processes used to fulfill the requirements of BR section 3.2.2.4.18 are not sufficiently detailed. The CPS needs to provide a detailed explanation of the steps followed to perform the method "Agreed-Upon Change to Website".
3.2.2.5 Authentication for an IP Address This method should be based on BR 3.2.2.5.1 Agreed‑Upon Change to Website (not 3.2.2.4.18, even though they are very similar) , and the CPS needs sufficient explanation of how this occurs.
3.2.2.6 Wildcard Domain Validation This method (BR 3.2.2.4.18) cannot be used to issue Wildcard Certificates- BR 3.2.2.4.18 states, "This method is NOT suitable for validating Wildcard Domain Names."
4.9.1.1 Reasons for Revoking a Subscriber Certificate Reason 4 of BR 4.9.1.1 is missing - "The CA is made aware of a demonstrated or proven method that can easily compute the Subscriber’s Private Key based on the Public Key in the Certificate (such as a Debian weak key, see https://wiki.debian.org/SSLkeys);"
4.9.2. Who Can Request Revocation SERPRO needs to accommodate revocation requests by third parties who have a copy of the private key and who can demonstrate key compromise.
4.9.12 Special Requirements Related of Key Compromise This section 4.9.12 needs to explain how someone with possession of the private key can demonstrate that the private key has been compromised. See https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#6-revocation.
5.7.3 Key Compromise Mozilla and other root stores need to be notified if there is a compromise of the SERPRO SSL CA private key.

We did another revision and produced o new version that you can get at https://repositorio.serpro.gov.br/docs/CPS_SERPRO_SSL_CA_4.0.pdf Thanks

(In reply to Ben Wilson from comment #29)

I ran the revocation test using https://certificate.revocationcheck.com/active-repositorio.serpro.gov.br and encountered an OCSP error (404 Not found) for "http://ocsp.serpro.gov.br/acserprosslv1". Here is the error response: "Error parsing OCSP response: asn1: structure error: tags don't match (16 vs {class:0 tag:28 length:33 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} responseASN1 @2"

This will need to be fixed.

Then, running the lint test for the CA (https://crt.sh/?caid=194400), using this URL:
https://cachecker-dot-ccadb-231121.appspot.com/summary/194400?max_depth=-1&start=2020-03-12&end=2021-06-02&z_lint=on&cab_lint=on&x509_lint=on
There were the following number of certificates with these errors:
18 Organization Name Too Long (MUST be less than 65 characters)
526 Invalid SAN entries (MUST be FQDN or ipAddress)
1 IP address in dns name
10 DNSName was not an FQDN

These certificates will need to be revoked/replaced and the error-causing conditions will need to be corrected.

About this comment, would like to advise that all certificates with these errors, some certificates were expired others revoked, so there are no more non-standard certificates. Thanks.

I would like to ask which are the documents that we need to keep on the CA URL ? I mean(CP, CPS) and ? Thanks.

(In reply to Lucia Castelli from comment #81)

I would like to ask which are the documents that we need to keep on the CA URL ? I mean(CP, CPS) and ? Thanks.

For most CAs, the CP and CPS for the root CA and any CP and CPS for issuing CAs that are in the chain for either TLS/SSL certificate or S/MIME certificate issuance. Are the CPs and CPSes for the Brazilian root CA regularly stored and retrievable? If so, could you provide a link to those?

The CPS for the Brazilian root CA regularly stored and retrievable at:

http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf

Thanks !

Before I can move this into the public discussion phase, SERPRO will need to provide a Value-vs-Risk justification. See https://wiki.mozilla.org/CA/Quantifying_Value

Flags: needinfo?(lucia.castelli)
Whiteboard: [ca-cps-review] BW 2022-04-29 Comment #73 → [ca-ready-for-discussion 2022-08-08]

(In reply to Ben Wilson from comment #84)

Before I can move this into the public discussion phase, SERPRO will need to provide a Value-vs-Risk justification. See https://wiki.mozilla.org/CA/Quantifying_Value

I will provide a Value-vs-Risk Justification in 2 days. Thanks

Flags: needinfo?(lucia.castelli)
Attached file Value vs Risk_SERPRO_SSL_CA.pdf (obsolete) —

#comment 84
We provided a Value-vs-Risk justification. It is attached.

I did a quick read of the Value vs Risk document provided. My first impression is that some responses are a bit "vague" but the most important one is the answer to question 9 "To what extent have CA personnel reviewed the CA incidents that have been reported in Bugzilla over the past several years? How have systems been designed to avoid similar mistakes".

The intent of this question was for candidate CAs to review past mistakes by other CAs (i.e. review all closed bugs under the "ca-compliance" tag) and build their processes in a way that these mistakes are not repeated. SERPRO SSL CA seems to have misunderstood the question because the answer does not cover what specific areas of past incidents were reviewed and how their current systems are designed/implemented to avoid past mistakes done by other CAs.

(In reply to Dimitris Zacharopoulos from comment #87)

I did a quick read of the Value vs Risk document provided. My first impression is that some responses are a bit "vague" but the most important one is the answer to question 9 "To what extent have CA personnel reviewed the CA incidents that have been reported in Bugzilla over the past several years? How have systems been designed to avoid similar mistakes".

The intent of this question was for candidate CAs to review past mistakes by other CAs (i.e. review all closed bugs under the "ca-compliance" tag) and build their processes in a way that these mistakes are not repeated. SERPRO SSL CA seems to have misunderstood the question because the answer does not cover what specific areas of past incidents were reviewed and how their current systems are designed/implemented to avoid past mistakes done by other CAs.

We did a revision at question 9. We will attached again. Thank you.

Attached Value vs Risk_SERPRO_SSL_CA after revised question 9. Thank you.

Attachment #9289690 - Attachment is obsolete: true

Thank you for the update. Can you please explain why out of all the closed and open issues having been reported in bugzilla, you chose to report these three in particular?

(In reply to Dimitris Zacharopoulos from comment #90)

Thank you for the update. Can you please explain why out of all the closed and open issues having been reported in bugzilla, you chose to report these three in particular?

In our last audit, these 3 topics were reasons to demonstrate to the auditors how "we are careful" to avoid these occurrences. We have received all notices for all CAs(NSS) and therefore we will not be able to verify, exactly where we have verified such nonconformities earlier., but we know that these are items that we must take care to issue certificates within the compliance of the CA\Browse Forum

One very common area of CA mistakes is invalid localityName and stateOrProvinceName values. Another very common area was responding to revocation requests. Can you please share some more information how your systems/practices are designed to handle those two areas?

(In reply to Dimitris Zacharopoulos from comment #92)

One very common area of CA mistakes is invalid localityName and stateOrProvinceName values. Another very common area was responding to revocation requests. Can you please share some more information how your systems/practices are designed to handle those two areas?

Locality:
Regarding the Locality field, we have a fixed list that the user only selects one of the options, minimizing the possibility of error.

State:
The filling is manual and special characters and accents are not allowed and there is a validation by the Registry Agent before issuing the certificate

Revogation:
it is performed at the request of the person, the system authenticates the access data to the request.

Why doesn't the Locality solution (a fixed list, which I assume is validated by your validation specialists), also apply to the stateOrProvinceName case?

"special characters and accents" should also be checked for the locality case, correct?

Revocation: If you read the corresponding issues in bugzilla, the biggest challenge was not the revocation of 1-2 certificates or a revocation triggered by individual subscribers, but to perform mass-revocations, triggered by the CA within the time-frames required in section 4.9.1.1 an 4.9.1.2 of the BRs. What measures do you have in place to be in a position to revoke such certificates in case such a mass-revocation event comes up?

(In reply to Lucia Castelli from comment #93)

(In reply to Dimitris Zacharopoulos from comment #92)

One very common area of CA mistakes is invalid localityName and stateOrProvinceName values. Another very common area was responding to revocation requests. Can you please share some more information how your systems/practices are designed to handle those two areas?

Locality:
Regarding the Locality field, we have a fixed list that the user only selects one of the options, minimizing the possibility of error.

State:
The filling is manual and special characters and accents are not allowed and there is a validation by the Registry Agent before issuing the certificate

Revogation:
it is performed at the request of the person, the system authenticates the access data to the request.

The answer was inverted.

Please, consider the answers below:
Locality:

Regarding the Locality field, because we have more than 5,500 cities, the filling is manual and special characters and accents are not allowed and there is a validation by the validation specialists before issuing the certificate; we also use document to prove the address or using code poste to prove it.
State:
we have a fixed list that the user only selects one of the options, minimizing the possibility of error and and there is a validation by the validation specialists, before issuing the certificate.

(In reply to Dimitris Zacharopoulos from comment #94)

Why doesn't the Locality solution (a fixed list, which I assume is validated by your validation specialists), also apply to the stateOrProvinceName case?

"special characters and accents" should also be checked for the locality case, correct?

Revocation: If you read the corresponding issues in bugzilla, the biggest challenge was not the revocation of 1-2 certificates or a revocation triggered by individual subscribers, but to perform mass-revocations, triggered by the CA within the time-frames required in section 4.9.1.1 an 4.9.1.2 of the BRs. What measures do you have in place to be in a position to revoke such certificates in case such a mass-revocation event comes up?

. Why doesn't the Locality solution (a fixed list, which I assume is validated by your validation specialists), also apply to the stateOrProvinceName case? Yes, we do. At first moment the answer was inverted...
. "special characters and accents" should also be checked for the locality case, correct? Yes, from both fields.
. Mass - Revocations: A process of identification and selection of these certificates is established and based on the applicant's contact information (e-mail and telephone), the need for revocation is informed, which is carried out upon and after the installation of the new certificate and we proceed with the revocation of the previous certificate.

Product: NSS → CA Program
Summary: Add Autoridade Certificadora do Serpro SSL → Add Autoridade Certificadora do Serpro SSLv1
Whiteboard: [ca-ready-for-discussion 2022-08-08] → [ca-in-discussion] 2022-11-17

A six-week period of public discussion has been announced here on the CCADB Public List, https://groups.google.com/a/ccadb.org/g/public/c/Mux855BsRg4/m/VVoTWfmQHgAJ. The public discussion period will close on or about December 31, 2022.

The public discussion period was continued with a restart date of March 1, 2023 - https://groups.google.com/a/ccadb.org/g/public/c/Mux855BsRg4/m/MhxJXipVAwAJ

Closing per request of Applicant - see https://groups.google.com/a/ccadb.org/g/public/c/Mux855BsRg4/m/eZDA1BKiAAAJ

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: