Closed Bug 1688844 Opened 3 years ago Closed 3 years ago

NetLock: Delayed revocation report connected to ticket 1680378

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: varga.viktor, Assigned: varga.viktor)

Details

(Whiteboard: [ca-compliance] [leaf-revocation-delay])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36

Steps to reproduce:

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

In the ticket https://bugzilla.mozilla.org/show_bug.cgi?id=1680378 in the Comment 4 Mr. Ryan Sleevi asked for independent revocation ticket.

  1. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

As it was written in the mentioned ticket, the timeline is the following:
2020-11-20 Certificate profile problem was identified, the issuance was stopped.
2020-12-01 Replacement certificates were issued.
2020-12-07 All the infected certiticates were revoked, except one
2020-12-31 The last certificate was revoked.

  1. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.

This report was made about the delayed revocation, not the certificates.
At the time of report, the process was finished.

  1. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.

This report was made about the delayed revocation, not the certificates.

  1. In a case involving certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.

This report was made about the delayed revocation, not the certificates.

  1. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

Due to the special situation of the certificates (PSD2 payment services), we have predicted the expected deadlines in the ticket, assuming a negative response if this discrepancy is not allowed.

  1. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

NETLOCK will modify the inner RA/CA policy (that contains the exact operative instructions of certificate issuance and revocation) to clarify and make less confused the requirements for revocing incorrect or improperly issued certificates.
Amendments involve the following rules:
• If any NETLOCK’s unit marks a certain certificate or a group of certificates as incorrect, RA/CA Unit shall check if the indicated error is valid or not.
• If the indicated error is valid, RA/CA Unit shall check if that certain error is a revocation circumstances or not.
• If the revocation officer is not able to identify the error based on the available information, officer shall consult with the Compliance Unit. In this case Compliance Unit shall do the best to fully inform the Revocation Officer about error in question to help the officer make the right decision.
• In case of uncertainty, Revocation Officer shall revoke the certificate(s).
• There is no exception on the revocation in less than 24 hours/5 days (depending on the case).

Assignee: bwilson → varga.viktor
Type: defect → task
Whiteboard: [ca-compliance] [delayed-revocation-leaf]
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: Delayed revocation report connected to ticket 1680378 → Netlock: Delayed revocation report connected to ticket 1680378

There is no exception on the revocation in less than 24 hours/5 days (depending on the case).

Thanks. It's encouraging to see this affirmatively and unambiguously stated.

Flags: needinfo?(bwilson)

I'll schedule this to be closed on or about next Wednesday, 14-Apr-2021, unless there are other issues to discuss.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Summary: Netlock: Delayed revocation report connected to ticket 1680378 → NetLock: Delayed revocation report connected to ticket 1680378
Whiteboard: [ca-compliance] [delayed-revocation-leaf] → [ca-compliance] [leaf-revocation-delay]
You need to log in before you can comment on or make changes to this bug.