FNMT: Minor non-conformities in 2021 audit statement
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: bwilson, Assigned: santiago.brox)
Details
(Whiteboard: [ca-compliance] [audit-finding])
Audit Findings scheduled for remediation include:
- Section 3.2 of the CP/CPS should include the URL where Incorporating Agency information can be found
- Section 6.2 - Compliance with Spanish Law - qualified certificates for natural person - N/A
- Section 6.3 - automated dual controls needed for older hierarchies issuing EV
- Section 6.4 - all trusted roles need to sign trusted roles assignment
- Section 6.6 - CABF OIDs required for certificates issued after 9/30/2020
#1 - Section 3.2 of the CP/CPS should include the URL where Incorporating Agency information can be found
#2 - Section 6.2 - Compliance with Spanish Law - qualified certificates for natural person - N/A
#3 - Section 6.3 - automated dual controls needed for older hierarchies issuing EV
#4 - Section 6.4 - all trusted roles need to sign trusted roles assignment
#5 - Section 6.6 - CABF OIDs required for certificates issued after 9/30/2020
Please find herewith the incident report for the audit findings from the annual audit which took place from January 25th to February 5th.
Incident reports for findings #2 and #5 have been already posted in Bugzilla’s:
#2: https://bugzilla.mozilla.org/show_bug.cgi?id=1693304
#5: https://bugzilla.mozilla.org/show_bug.cgi?id=1696872
- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
#1, #3, and #4: These findings resulted from the preliminary audit report of 5/02/2021 for the annual audit which took place from January 25th to February 5th.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
#1:
- September 24th, 2020 – Creation and publication of “List of Registration Agencies” v.1.0 at https://www.cert.fnmt.es/registro/utilidades to comply with 11.1.3 EV guidelines v.1.7.3.
- February 10th 2021 – Creation of new CPS versions for “AC Administración Pública” and “AC Servidores Seguros” to include the URL where the “List of Registration Agencies” was being publicly disclosed.
- February 18th 2021 – Approval and publication of the new CPS versions (section 3.2.2.):
CERTIFICATION PRACTICES AND POLICIES STATEMENT ON WEBSITE AUTHENTICATION CERTIFICATES v.1.7 (AC Servidores Seguros) https://www.sede.fnmt.gob.es/documents/10445900/10536309/dpc_ss_english.pdf
and
CERTIFICATION PRACTICES AND POLICIES STATEMENT ON QUALIFIED ELECTRONIC VENUE CERTIFICATES v.1.5 (AC Administración Pública) https://www.sede.fnmt.gob.es/documents/10445900/10745629/DPC_Sedes_english.pdf
#3:
- February 5th 2021 – Preliminary audit report determines that the current procedure does not enforce "automated" rigorous control procedures for the separation of validation duties.
The referred procedure consists of:
Prior to the approval and later issuance of these certificates (QCP-w AC Administración Pública), it is required to document the validation and approval tasks in a “validation checklist” which is electronically signed by the 2 different validation specialists carrying out the required validations (first by an officer with a “validation role” and then, upon compliance, by a different officer with an “approver role”).
These checklists collect all the verified information, the validations performed, the sources used and their result. The signed checklists are registered and kept as part of the validation evidences for each certificate and made available for both internal and external audits. No certificate is issued without a checklist being compliant and having been signed by both validation specialists.
Then, the officer who performed the “approver role” for such certificate authenticates himself within the application in charge to communicate with “AC Administración Pública” (Aplicación de Registro 3.0) to request the issuance of the certificate.
- February 15th 2021 – TSP Management Committee decides to improve the current procedure by implementing an additional technical "automated" control over the RA application for AC Administración Pública.
- February 22nd 2021 – Functional analysis for the development and implementation of changes in the current application (Aplicación de Registro 3.0) to add the status: “Pending validation”, “Pending approval” and “Approved”, within the management flow for the website certificates issued by “AC Administración Pública” and to keep register of the identity of each of the validation specialists involved in each stage.
Once all the corresponding verifications are performed by 1 validation specialist with the role of “validator”, a request in “Pending validation” status will be processed and changed to “Pending approval” status.
In order to go on, the application will verify that only a different validation specialist will perform (with the role of “approver”) the required dual verifications and to change the “Pending approval” request to an “Approved” status. Only then, “AC Administración Pública” will issue the related certificate.
- March 25th 2021 – Functional final tests within development environment.
- April 6th 2021 – Request for changes to pre-production environment and testing.
- June 2021 - Final user testing and production deployment.
#4:
- December 15th, 2020: A new version of the "Act for Trusted Roles Assignment" document was generated to update the appointments and include new officers.
- February 5th 2021: Assignment document review. There were 3 missing signatures for personnel who were at the moment in a work permit.
- March 5th, 2021: All the necessary assignments and acceptance signatures are finally collected and sent to the audit team as evidence of the resolution of this finding.
- Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.
#1: No certificates were involved and services have not been stopped. The issue has been completely resolved on February the 18th, 2021.
#3: No certificates have been issued without dual validation. Services have not been stopped. The automated control will be deployed in June 2021.
#4: No certificates were involved and services have not been stopped. The issue has been completely resolved on March 5th, 2021.
- In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.
#1: No certificates were involved. Failure to comply with the requirement of including the URL of the already published and disclosed “List of Registration Agencies” in our CPSs.
#3: No certificates have been issued without dual validation. The audit team considered it necessary to enforce an automated control for the separation of validation duties for the validation of website certificates issued by “AC Administración Pública”.
#4: No certificates were involved. At the time of the audit, the "Act for Trusted Roles Assignment" document was not signed by all parties.
- In a case involving certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.
#1, #3, and #4: N/A
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
#1: On 24/09/2020 and in order to comply with EV Guidelines v.1.7.3, section 11.1.3, we generated and published the first version for the document that discloses the registration agencies sources used by the FNMT’s RA at https://www.cert.fnmt.es/registro/utilidades.
Since all the related CPS for the QCP-w certificates already indicated in section 3.2.2. information in regard to the sources which were used to carry out the validations by the FNMT’s RA, by publishing this new information on our website, it was considered that we were fully complying with the provisions of section 11.1.3. We misunderstood and failed to comply with the requirement of including the URL of such document in our CPSs.
#3: The audit team has considered that the current process does not completely guarantee that an officer, acting against the established procedure, may validate and approve the issuance of a certificate without the prior validation of another officer. This problem has never happened and no deviation has ever been identified in this regard, however, the current procedure will be improved by implementing a new version of “Aplicación de Registro 3.0” enforcing an automated dual control.
#4: On December 15, 2020, a new version of the document "Trusted Roles Assignment Act" was generated to update the assignments. At the date of the audit, the update document was pending to be signed by 3 trusted roles previously assigned. The missing signatures belonged to trusted roles who had not been active for a considerable period of time.
- List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.
Date: / Status: / Action:
#1:
- 18/02/2021 – Completed: Approval and publication of the new CPS versions which include the link to the “List of Registration Agencies”
- Quarterly – Review the list of sources used for the RA validations, and update and publish the new version if applicable.
#3:
- June/2021 – Programmed: Deployment in production of the changes developed in Aplicación de Registro 3.0 to provide the current procedure with automated dual control in regard to the validation of the QCP-w certificates issued by AC Administración Pública.
#4:
- 15/02/2021 - Completed: To prevent this from happening again, the TSP Management Committee established a quarterly review of the appointments of all trusted roles. This way, in case any updates are required, it will be possible to collect acceptance from all parties in a timely manner.
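
The automated dual control described for finding #3 in the report above, sketched as an added example; it is not FNMT's code and not part of the bug thread. Only the three status strings come from the report; the class, method and role identifiers are assumptions made for illustration.

```python
# Added illustration: names are assumptions, not Aplicación de Registro 3.0 code.
from dataclasses import dataclass, field
from typing import Optional

PENDING_VALIDATION = "Pending validation"   # status names taken from the report
PENDING_APPROVAL = "Pending approval"
APPROVED = "Approved"


class DualControlError(Exception):
    """A transition that would break separation of validation duties."""


@dataclass
class CertificateRequest:
    subject: str
    status: str = PENDING_VALIDATION
    validator: Optional[str] = None   # identity recorded at each stage
    approver: Optional[str] = None
    audit_log: list = field(default_factory=list)

    def _check(self, expected_status, officer, roles, needed_role):
        if self.status != expected_status:
            raise DualControlError(f"request is {self.status!r}, not {expected_status!r}")
        if needed_role not in roles:
            raise DualControlError(f"{officer} does not hold the {needed_role} role")

    def validate(self, officer, roles):
        self._check(PENDING_VALIDATION, officer, roles, "validator")
        self.validator, self.status = officer, PENDING_APPROVAL
        self.audit_log.append((officer, "validate", self.status))

    def approve(self, officer, roles):
        self._check(PENDING_APPROVAL, officer, roles, "approver")
        # Core control: holding both roles still does not allow self-approval.
        if officer == self.validator:
            raise DualControlError("approver must differ from the validator")
        self.approver, self.status = officer, APPROVED
        self.audit_log.append((officer, "approve", self.status))

    def may_issue(self):
        # The CA-facing gate: issue only on a recorded two-person approval.
        return (self.status == APPROVED and None not in (self.validator, self.approver)
                and self.validator != self.approver)
```

The point of moving the check into the application is that the rejection happens at the state transition, so a request can never reach the issuing CA on the strength of one officer's actions, whatever the signed checklist says.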
Comment 2•4 years ago
If there are no questions or clarifications needed, I think this bug can be closed on Friday, 30-April-2021.