Closed Bug 1700145 Opened 3 years ago Closed 3 years ago

Firmaprofesional: incorrect reserved CA/B Forum OIDs in certificates

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: chemalogo, Assigned: chemalogo)

Details

(Whiteboard: [ca-compliance] [ov-misissuance] [ev-misissuance])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36

Steps to reproduce:

Look into SSL certificates issued by Firmaprofesional after September 30th, 2020

Actual results:

Although Firmaprofesional was diligent on dates for the addition of mandatory CA/B Forum OIDs to SSL certificate profiles, we made a typo when defining the new profile.

Expected results:

SSL certificates issued by Firmaprofesional should contain the correct CA/B forum reserved OIDs.

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

March 22nd: 9:25 am: During the preparation of a set of certificates and evidence to be sent to the external auditor of our annual audit, our internal audit team discovered a typo in the CA/B Forum OIDs of our SSL certificates.

The typo is as follows:

  • For our SSL-OV certificates we were including the OID 2.13.140.1.2.2 instead of the 2.23.140.1.2.2
  • For our SSL-EV certificates we were including the OID 2.13.140.1.1 instead of the 2.23.140.1.1

The CAs issuing the certificates are "AC Firmaprofesional - Secure Web 2020" (https://crt.sh/?CAid=180582) and "AC Firmaprofesional - Secure Web 2021" (https://crt.sh/?CAid=202947).

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

March 22nd:
09:25 am: discovery of the mistake

09:30 am: the issuance of SSL certificates is stopped

09:50 am: profiles updated in CA software

10:00 am: Research of affected certificates.

Due to the nature of the mistake and the issuance of all certificates because of bug “Firmaprofesional: Incorrect OCSP Delegated Responder Certificate” (https://bugzilla.mozilla.org/show_bug.cgi?id=1649943), all certificates issued by "AC Firmaprofesional - Secure Web 2020" (https://crt.sh/?CAid=180582) are affected. We will provide a comprehensive list of the certificates.

There are also certificates issued by "AC Firmaprofesional - Secure Web 2021" (https://crt.sh/?CAid=202947), the 2021 SubCA substituting "AC Firmaprofesional - Secure Web 2020".

11:30 am: Update of the certificate profiles document, fixing the typo.

12:00 am: Issuance of certificates is restored; reissuance of affected certificates begins, together with communications with customers, the Supervisory Body and other stakeholders.

3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.

Firmaprofesional stopped the issuance of certificates affected by the mistake on March 22nd, 9:30 am.

4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.

  • Total number of affected certificates: 587

  • Date of first affected certificate issued by "AC Firmaprofesional - Secure Web 2020" (https://crt.sh/?CAid=180582): Oct 6th, 2020

  • Date of last affected certificate issued by "AC Firmaprofesional - Secure Web 2020" (https://crt.sh/?CAid=180582): March 18th, 2021

  • Date of first affected certificate issued by "AC Firmaprofesional - Secure Web 2021" (https://crt.sh/?CAid=202947): March 18th, 2021

  • Date of last affected certificate issued by "AC Firmaprofesional - Secure Web 2021" (https://crt.sh/?CAid=202947): March 18th, 2021

5. In a case involving certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.

Find attached a list with all the problematic certificates.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

Although Firmaprofesional was diligent on dates for the addition of mandatory CA/B Forum OIDs to SSL certificate profiles, we made a typo when defining the new profile.

This happened due to a lack of peer review in the deployment of such a change: one person from the Compliance department proposes the change, which is approved by the steering committee for inclusion in the public document of certificate profiles; then one person from the Technical department gathers this information from that document, implements the change in a pre-production environment and sends samples to the same Compliance person.

Additionally, although Firmaprofesional runs automated certlint validations prior to the issuance of certificates, certlint did not report any error. Please understand that this is not an excuse at all, but a warning so other CAs can learn from our mistakes. We have to go further with automated validations.

Because it is a small typo in an OID that was not detected automatically, it also passed our quarterly internal audit for Q4-2020. We will also require validation of the samples against the latest version of certlint and zlint.

7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

March 22nd:

  • 09:30 am: the issuance of SSL certificates is stopped
  • 09:50 am: profiles updated in CA software

Regarding the root cause, we will define a new procedure, more time-consuming but also far more reliable, consisting of:

  1. Person A of the Compliance department applies for a change, with information on: the change itself, why it is necessary, the time it must be in production, and the original source of the requirement.
  2. Person 1 of the Technical department deploys the change in the pre-production environment and produces samples that will be added to the previous ticket.
  3. Person B of Compliance gets the ticket and checks the changes in the documentation and the samples against the original source.
  4. If everything is right, the changes are sent to the Quality and Security Committee to approve their deployment in production environments.

Additionally, we will improve the automatic verifications prior to issuance:

  1. Adding zlint verifications. Estimated date: 21st April, 2021
  2. Implementing a self-updating certlint and zlint environment to always use the latest certlint libraries (via dockerization). Estimated date: 19th May, 2021

Finally, we will improve the quarterly internal audits, making it necessary to verify against the latest version of the zlint and certlint libraries.
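As an added example (not code from this bug report or from Firmaprofesional's tooling), a minimal check aimed at the mistake described in items 1 and 6: it decodes the DER certificatePolicies extension value, maps each policy OID to the CA/B Forum reserved set, and flags one-arc look-alikes such as 2.13.140.1.2.2 in place of 2.23.140.1.2.2, which a generic lint can pass. The sample extension values are constructed, and the function names `read_tlv`, `decode_oid`, `policy_oids` and `lint_policies` are chosen here.

```python
# Added example (not from the bug report): decode a DER certificatePolicies extension
# and flag policy OIDs that are one arc away from a CA/B Forum reserved identifier.
CABF_RESERVED = {"2.23.140.1.1": "EV", "2.23.140.1.2.1": "DV",
                 "2.23.140.1.2.2": "OV", "2.23.140.1.2.3": "IV"}

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Convert OBJECT IDENTIFIER content octets (base-128 arcs) to dotted decimal."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last octet of this arc
            arcs.append(acc)
            acc = 0
    first = arcs[0]                         # first octet packs the first two arcs
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])

def policy_oids(ext_value):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation; each starts with its OID."""
    tag, outer, _ = read_tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(outer):
        _, info, pos = read_tlv(outer, pos)
        oid_tag, oid_bytes, _ = read_tlv(info, 0)
        assert oid_tag == 0x06, "policyIdentifier must be an OBJECT IDENTIFIER"
        oids.append(decode_oid(oid_bytes))
    return oids

def lint_policies(ext_value):
    """Per policy OID: (oid, 'ok'|'typo'|'unknown', matching reserved OID or None)."""
    results = []
    for oid in policy_oids(ext_value):
        arcs = oid.split(".")
        near = [r for r in CABF_RESERVED if len(r.split(".")) == len(arcs)
                and sum(a != b for a, b in zip(arcs, r.split("."))) == 1]
        verdict = "ok" if oid in CABF_RESERVED else ("typo" if near else "unknown")
        results.append((oid, verdict, oid if verdict == "ok" else (near[0] if near else None)))
    return results

# Constructed sample extension values (DER): OV as misissued, OV as corrected, EV as misissued.
TYPO_OV = bytes.fromhex("300a300806065d810c010202")   # policy 2.13.140.1.2.2
GOOD_OV = bytes.fromhex("300a3008060667810c010202")   # policy 2.23.140.1.2.2
TYPO_EV = bytes.fromhex("3009300706055d810c0101")     # policy 2.13.140.1.1
```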

Assignee: bwilson → chemalogo
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true

Additional information regarding steps to be taken.

Firmaprofesional has informed its clients of the need to revoke the affected certificates.

Firmaprofesional will revoke all affected certificates within 5 days from the discovery of the finding.

This morning, the remaining affected certificates have been revoked. Last revocation at 2021-03-27 07:02:10 UTC.

Whiteboard: [ca-compliance]

Zlint verifications already added to production environment.

Implementation of a self-updating certlint and zlint environment to always use the latest certlint libraries (via dockerization) is already done, as is the improvement of the quarterly internal audits, making it necessary to verify against the latest version of the zlint and certlint libraries.

With these we have finalized all the tasks identified in this ticket.

I believe this ticket can be closed and will call it up on this Friday 11-June-2021 for closure.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance] [ev-misissuance]