Amazon Trust Services: CP/CPS does not specify key compromise methods
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: agwa-bugs, Assigned: trevolip)
Details
(Whiteboard: [ca-compliance] [policy-failure])
The Mozilla Root Store Policy version 2.7.1, effective May 1, 2021, states in section 6:
Section 4.9.12 of a CA's CP/CPS MUST clearly specify the methods that parties may use to demonstrate private key compromise.
Amazon Trust Services' current CP and CPS are:
https://www.amazontrust.com/repository/cp-1.0.9.pdf
https://www.amazontrust.com/repository/cps-1.0.10.pdf
Neither document specifies methods for demonstrating private key compromise in section 4.9.12.
Comment 1•3 years ago
|
||
This may be premature, since Amazon indicated in its response to Item 7 of the April 2021 CA Survey that they would publish a new CPS by 2021 July 30.
Comment 2•3 years ago
•
|
||
Ben: Could you clarify - does this mean that responses to Mozilla CA Communications may be used to excuse a CA from complying with Mozilla Policy?
For example, I don't see a response from Amazon indicating the intentional non-compliance in Item 1 of the April 2021 CA Communication.
It sounds like you're saying Mozilla finds the answers to Item 7 as reasonable exceptions to the policy, and that, for example, ComSign's delay of one year (2022 Apr 26) is seen as acceptable, just like Microsoft's delay to 2021 Oct 2.
Similarly, with respect to Item 9, we see CAs indicating they do not plan to comply with (existing) CCADB and Mozilla policies until 2022, such as TWCA. Should Comment #1 be interpreted as Mozilla saying such non-compliance is acceptable?
Are there any other sources that the community should review to understand where Mozilla may have granted exceptions to Mozilla Root Store Policy and/or CCADB policy? This might help reduce the churn of bugs.
Comment 3•3 years ago
|
||
I agree that we should be more specific on our interpretation / handling of various responses to the CA survey, and I would like to avoid a churn of bugs. It's just that we came out with the policy revisions knowing that in some instances (e.g. those requiring CPS revisions), that compliance was not going to happen overnight.
Updated•3 years ago
|
Comment 4•3 years ago
|
||
(In reply to Ben Wilson from comment #3)
It's just that we came out with the policy revisions knowing that in some instances (e.g. those requiring CPS revisions), that compliance was not going to happen overnight.
Would it be better to discuss this on m.d.s.p. then? I think, given the responses, there's a high likelihood of other incidents being filed (either now or in the coming months), so it'd be good to have a record of that. It may also make Amazon's responses easier to understand when the expectations are clear.
Comment 5•3 years ago
•
|
||
Yes - let's discuss this on m.d.s.p. Give me a few hours to prepare something to start the discussion.
Assignee | ||
Comment 6•3 years ago
|
||
Amazon Trust Services acknowledges this bug. The plan to fix it was included in the April 2021 CA Communication (https://wiki.mozilla.org/CA/Communications#April_2021_CA_Communication): The specified methods for parties to demonstrate key compromise will be moved from its current CPS location (Section 1.5.2) to Section 4.9.12 by 7/30/2021. Per feedback in this bug, we will watch for further discussion on MDSP regarding Mozilla’s broader policy and expectations for committed fixes like this with a future completion date to see if other steps will be taken on this specific bug
Assignee | ||
Comment 7•3 years ago
|
||
Amazon Trust Services is monitoring the conversation on MDSP regarding this topic.
Assignee | ||
Comment 8•3 years ago
|
||
Amazon Trust Services is monitoring the conversation on MDSP regarding this topic. We will complete our CP/CPS updates by 7/30/2021 as previously communicated.
Assignee | ||
Comment 9•3 years ago
|
||
Amazon Trust Services is monitoring the conversation on MDSP regarding this topic. We will complete our CP/CPS updates by 7/30/2021 as previously communicated.
Comment 10•3 years ago
|
||
Trev: Can you share more details about why it takes so long to update the CP/CPS?
Assignee | ||
Comment 11•3 years ago
|
||
There is nothing preventing us from updating our CP/CPS sooner. In this particular instance, we selected a date that aligned with a previously planned review and update of the CP/CPS.
Comment 12•3 years ago
|
||
Amazon Trust Services is monitoring the conversation on MDSP regarding this topic. We will complete our CP/CPS updates by 7/30/2021 as previously communicated.
Comment 13•3 years ago
|
||
Ben: For your next-update of 2021-07-30.
I'm not at all encouraged by the delays, or explanation, but it is what it is.
Updated•3 years ago
|
Comment 14•3 years ago
|
||
Amazon Trust Services acknowledges this feedback. Based on the previous request for dates in the April 2021 CA Communications and the clarifying discussion in MDSP where Mozilla indicated that the compliance date for this item was 7/31/2021, we’ve been treating the time frame for complying with this issue similar to compliance with the restriction to stop reusing validation information older than 398 days (which also has a future date of 10/1/2021).
Comment 15•3 years ago
|
||
On 7/23/21, Amazon Trust Services published updated CP and CPS documents, which addressed this issue.
Comment 16•3 years ago
|
||
Amazon Trust Services continues to monitor this issue for any further comments or questions.
Reporter | ||
Comment 17•3 years ago
|
||
The only change to section 4.9.12 in either document is the addition of this paragraph to the CPS:
Contact information for reporting private key compromise can be found at:
https://www.amazontrust.com/repository/
I don't think MRSP permits the methods of demonstrating private key compromise to be incorporated by reference, but even if it did, the above page (archive for posterity) does not appear to list any methods for demonstrating private key compromise.
Comment 18•3 years ago
|
||
I don't think MRSP permits the methods of demonstrating private key compromise to be incorporated by reference [...]
I agree with Andrew here; the BR are quite clear that the instructions must be available in section 1.5.2: (quoting BR section 4.9.3, emphasis mine) "The CA SHALL publicly disclose the instructions through a readily accessible online means and in Section 1.5.2 of their CPS". Only linking from section 1.5.2 is therefore not allowed, the instructions must be clear from section 1.5.2 alone.
Apart from that, I'm interested to know what calendar and/or date format Amazon Trust Services uses for their CPS changelog found in section 1.2. I see dates like 2015-05-26
and 2018-01-15
, but also 2020-30-03
and 2021-23-07
. I am unable to match these dates to any calendar nor date notation that I know of. (As of CPS version 1.0.11)
Updated•3 years ago
|
Comment 19•3 years ago
|
||
ATS acknowledges this feedback and will make private key compromises easier for outside parties to report to us by including more explicit reporting instructions directly in our CPS. We are now reviewing our CPS to improve the relevant sections and will publish an updated version with these revised instructions by August 20, 2021.
The date examples given here include two common date formats: YYYY-MM-DD and YYYY-DD-MM. ATS favors the former, but both were inadvertently mixed in this context. ISO 1806 [1] specifies an international standard numeric date format of YYYY-MM-DD.
Assignee | ||
Comment 20•3 years ago
|
||
Amazon Trust Services continues to monitor this issue for any further comments or questions. We will publish an updated version of the CPS by August 20, 2021.
Assignee | ||
Comment 21•3 years ago
|
||
We’ve updated our repository website and CPS to include preferred information that can be included in key compromise reports. Please let us know if there are any further comments or questions.
Comment 23•3 years ago
|
||
Marked Comment #22 as spam :) I realize "any questions" is probably broadly interpreted, but it's "any questions specific to this incident described in Comment #0". This is not a good place for general Amazon support.
Assignee | ||
Comment 24•3 years ago
|
||
If there are no further questions we would like to request that this bug be Resolved as Fixed.
Comment 25•3 years ago
|
||
I'll slate this for closure on Friday, 3-Sept-2021.
Updated•3 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Description
•