Camerfirma: SMIME Improvement Plan
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
People
(Reporter: bwilson, Assigned: bwilson)
Details
Attachments
(3 files)
This Bugzilla entry is for Camerfirma's documentation of its SMIME Improvement Plan and other items related to communications following discussion of issues.
The attached document sets forth the actions identified by Camerfirma to further improve current practices in the management of SMIME certificates.
All our processes related to the issuance and management of S/MIME certificates are regulated under eIDAS, audited on a yearly basis and supervised by the Spanish National Supervisor Body. In any case, we want to take advantage of this opportunity to further improve our processes and procedures and implement every best practice developed within our community.
SMIME Improvement Plan progress updates:
- Processes automation
4.1 Control of outlier activity patterns.
In progress:
Since March 5th, alerts are received in case of revocations made on certificates with less than one month of life at that moment. Those alerts are received by the PKI team and analyzed to detect suspicious actions.
We continue working to be able to reduce this period, but at this early stage we have preferred to extend it, in order to have a broader view of the cases that occur.
Also, we are working to define the words that we will include in a dictionary of invalid terms to check the words in the requests and discard the ones that include any of them.
To be done:
Development of processes to send alerts automatically in case of anomalous activity related to any SMIME certificate.
No schedule deviations.
4.2. Implement standardized / normalized values in certificate attributes to avoid human errors
In progress:
We are analyzing possible automatic values for some attributes to choose predetermined values to fill those fields avoiding human errors with names.
No schedule deviations.
4.3. Post issuance control:
To be defined
No schedule deviations.
- Contractual obligations - Insource the management of all the operational activities of the intermediate CAs
In progress:
We initiated the communications with the SubCAs and RAs to obtain all the needed information to begin the analysis for the following points:
- Insource or close SubCAs.
- Self-assessment to assure all practices are being followed by all external entities.
To be done:
- Periodic RA risk-based audit plan.
- Review coherence of all CPS and contracts with the external entities.
No schedule deviations.
- Compliance - Audit of the totality (100%) of the certificates issued
In progress:
- Updating the database with the correct information about CAs and kinds of certificates. Performing a second revision.
- We will audit the totality of the certificates issued using the verification tool to be developed. We already asked the SubCAs for the general data about active certificates and we will start the analyses at the end of the month after establishing the planning for each group of certificates.
- Audit of the email validation process. We sent the request for this information to the SubCAs and we are waiting for the response to study every case.
No schedule deviations.
- Communication, transparency, and presence - Proactive involvement in the SMIME Certificate Working Group
In progress:
We already follow all the SMIME Certificate Working Group news and updates and we have attended all CAB FORUM meetings since the F2F #52 that took place on March 2nd.
No schedule deviations.
- Administrative Operations - Improved management of CCADB
In progress:
- Periodic CCADB reviews - CCADB updated with the last CPS and audits for the SubCAs. We continue working to maintain everything properly updated.
- Community consultation - Two people are following the advance of the requirements that will be established for SMIME certificates. We are in contact with some community members to ask them some questions about CCADB and resolution plans that we have not finished yet.
- Working group with SubCAs - We have established a fluent communication channel with the SubCAs to work together on the matters that we have in common with each one.
No schedule deviations.
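The two controls described under item 4.1 of the update above (alerts on revocations of certificates less than one month old, and a dictionary of invalid terms checked against requests), as an added example that is not Camerfirma's code. The 30-day window, the record field names and the dictionary terms are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumption: "less than one month of life" is modelled as 30 days.
EARLY_REVOCATION_WINDOW = timedelta(days=30)
# Constructed placeholder terms; the page does not list the real dictionary.
INVALID_TERMS = {"test", "example", "unknown"}


def early_revocations(records, window=EARLY_REVOCATION_WINDOW):
    """Return (serial, age_in_days) for certificates revoked before `window`.

    A revocation dated before notBefore gives a negative age and is also
    reported, since it points at inconsistent data worth reviewing.
    """
    alerts = []
    for rec in records:
        revoked = rec.get("revoked_at")
        if revoked is None:  # still valid, nothing to alert on
            continue
        age = revoked - rec["not_before"]
        if age < window:
            alerts.append((rec["serial"], age.days))
    return alerts


def invalid_terms_in_request(subject_fields, terms=INVALID_TERMS):
    """Return the sorted dictionary terms found as whole words in a request.

    Whole-word matching avoids rejecting names that merely contain a term
    (for instance "Contest" contains "test").
    """
    hits = set()
    for value in subject_fields.values():
        words = re.findall(r"[a-z0-9]+", value.casefold())
        hits.update(w for w in words if w in terms)
    return sorted(hits)


# Constructed sample records (hypothetical serials and dates).
SAMPLE_RECORDS = [
    {"serial": "01", "not_before": datetime(2021, 3, 1),
     "revoked_at": datetime(2021, 3, 10)},   # revoked after 9 days
    {"serial": "02", "not_before": datetime(2021, 1, 1),
     "revoked_at": datetime(2021, 3, 10)},   # revoked after 68 days
    {"serial": "03", "not_before": datetime(2021, 3, 1),
     "revoked_at": None},                    # not revoked
    {"serial": "04", "not_before": datetime(2021, 3, 1),
     "revoked_at": datetime(2021, 3, 31)},   # exactly 30 days: not flagged
]

if __name__ == "__main__":
    print(early_revocations(SAMPLE_RECORDS))
    print(invalid_terms_in_request({"CN": "Test User"}))
```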
Comment 4•4 years ago
Please find attached the SMIME Improvement Plan progress updates document.
Comment 5•4 years ago
SMIME Improvement Plan progress update
Comment 6•4 years ago
Please find attached the SMIME Improvement Plan progress updates document.
Comment 7•4 years ago
Comment 8•3 years ago
Regarding the point "Insource the management of all operational activities of intermediate CAs", on September 28th we revoked the intermediate CA, DigitalSign Primary CA.
The reason for the delay in revocation is that DigitalSign asked us to wait for the inclusion of their new subCA in the AATL.
The new DigitalSign CA is "CN = DIGITALSIGN CA G1,O = DigitalSign Certificadora Digital,C = PT" with serial number 09ff95fcf1b7680c2388fb2212da0d6e8adf5eff and is already included in AATL.
Comment 9•3 years ago
I am going to close this next Wed. 18-January-2023 unless there are any issues or questions that need to be addressed.