Closed Bug 1713976 Opened 3 years ago Closed 3 years ago

Amazon Trust Services: CP/CPS does not specify key compromise methods

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: agwa-bugs, Assigned: trevolip)

Details

(Whiteboard: [ca-compliance] [policy-failure])

The Mozilla Root Store Policy version 2.7.1, effective May 1, 2021, states in section 6:

Section 4.9.12 of a CA's CP/CPS MUST clearly specify the methods that parties may use to demonstrate private key compromise.

Amazon Trust Services' current CP and CPS are:

https://www.amazontrust.com/repository/cp-1.0.9.pdf

https://www.amazontrust.com/repository/cps-1.0.10.pdf

Neither document specifies methods for demonstrating private key compromise in section 4.9.12.

This may be premature, since Amazon indicated in its response to Item 7 of the April 2021 CA Survey that they would publish a new CPS by 2021 July 30.

Ben: Could you clarify - does this mean that responses to Mozilla CA Communications may be used to excuse a CA from complying with Mozilla Policy?

For example, I don't see a response from Amazon indicating the intentional non-compliance in Item 1 of the April 2021 CA Communication.

It sounds like you're saying Mozilla finds the answers to Item 7 as reasonable exceptions to the policy, and that, for example, ComSign's delay of one year (2022 Apr 26) is seen as acceptable, just like Microsoft's delay to 2021 Oct 2.

Similarly, with respect to Item 9, we see CAs indicating they do not plan to comply with (existing) CCADB and Mozilla policies until 2022, such as TWCA. Should Comment #1 be interpreted as Mozilla saying such non-compliance is acceptable?

Are there any other sources that the community should review to understand where Mozilla may have granted exceptions to Mozilla Root Store Policy and/or CCADB policy? This might help reduce the churn of bugs.

I agree that we should be more specific on our interpretation / handling of various responses to the CA survey, and I would like to avoid a churn of bugs. It's just that we came out with the policy revisions knowing that in some instances (e.g. those requiring CPS revisions), that compliance was not going to happen overnight.

Assignee: bwilson → trevolip
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]

(In reply to Ben Wilson from comment #3)

It's just that we came out with the policy revisions knowing that in some instances (e.g. those requiring CPS revisions), that compliance was not going to happen overnight.

Would it be better to discuss this on m.d.s.p. then? I think, given the responses, there's a high likelihood of other incidents being filed (either now or in the coming months), so it'd be good to have a record of that. It may also make Amazon's responses easier to understand when the expectations are clear.

Yes - let's discuss this on m.d.s.p. Give me a few hours to prepare something to start the discussion.

Amazon Trust Services acknowledges this bug. The plan to fix it was included in the April 2021 CA Communication (https://wiki.mozilla.org/CA/Communications#April_2021_CA_Communication): The specified methods for parties to demonstrate key compromise will be moved from its current CPS location (Section 1.5.2) to Section 4.9.12 by 7/30/2021. Per feedback in this bug, we will watch for further discussion on MDSP regarding Mozilla’s broader policy and expectations for committed fixes like this with a future completion date to see if other steps will be taken on this specific bug

Amazon Trust Services is monitoring the conversation on MDSP regarding this topic.

Amazon Trust Services is monitoring the conversation on MDSP regarding this topic. We will complete our CP/CPS updates by 7/30/2021 as previously communicated.

Amazon Trust Services is monitoring the conversation on MDSP regarding this topic. We will complete our CP/CPS updates by 7/30/2021 as previously communicated.

Trev: Can you share more details about why it takes so long to update the CP/CPS?

Flags: needinfo?(trevolip)

There is nothing preventing us from updating our CP/CPS sooner. In this particular instance, we selected a date that aligned with a previously planned review and update of the CP/CPS.

Flags: needinfo?(trevolip)

Amazon Trust Services is monitoring the conversation on MDSP regarding this topic. We will complete our CP/CPS updates by 7/30/2021 as previously communicated.

Ben: For your next-update of 2021-07-30.

I'm not at all encouraged by the delays, or explanation, but it is what it is.

Flags: needinfo?(bwilson)
Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] → [ca-compliance] Next update 2021-07-31

Amazon Trust Services acknowledges this feedback. Based on the previous request for dates in the April 2021 CA Communications and the clarifying discussion in MDSP where Mozilla indicated that the compliance date for this item was 7/31/2021, we’ve been treating the time frame for complying with this issue similar to compliance with the restriction to stop reusing validation information older than 398 days (which also has a future date of 10/1/2021).

On 7/23/21, Amazon Trust Services published updated CP and CPS documents, which addressed this issue.

Amazon Trust Services continues to monitor this issue for any further comments or questions.

The only change to section 4.9.12 in either document is the addition of this paragraph to the CPS:

Contact information for reporting private key compromise can be found at:
https://www.amazontrust.com/repository/

I don't think MRSP permits the methods of demonstrating private key compromise to be incorporated by reference, but even if it did, the above page (archive for posterity) does not appear to list any methods for demonstrating private key compromise.

I don't think MRSP permits the methods of demonstrating private key compromise to be incorporated by reference [...]

I agree with Andrew here; the BR are quite clear that the instructions must be available in section 1.5.2: (quoting BR section 4.9.3, emphasis mine) "The CA SHALL publicly disclose the instructions through a readily accessible online means and in Section 1.5.2 of their CPS". Only linking from section 1.5.2 is therefore not allowed, the instructions must be clear from section 1.5.2 alone.

Apart from that, I'm interested to know what calendar and/or date format Amazon Trust Services uses for their CPS changelog found in section 1.2. I see dates like 2015-05-26 and 2018-01-15, but also 2020-30-03 and 2021-23-07. I am unable to match these dates to any calendar nor date notation that I know of. (As of CPS version 1.0.11)

Whiteboard: [ca-compliance] Next update 2021-07-31 → [ca-compliance]

ATS acknowledges this feedback and will make private key compromises easier for outside parties to report to us by including more explicit reporting instructions directly in our CPS. We are now reviewing our CPS to improve the relevant sections and will publish an updated version with these revised instructions by August 20, 2021.

The date examples given here include two common date formats: YYYY-MM-DD and YYYY-DD-MM. ATS favors the former, but both were inadvertently mixed in this context. ISO 1806 [1] specifies an international standard numeric date format of YYYY-MM-DD.

[1] https://www.iso.org/iso-8601-date-and-time-format.html

Amazon Trust Services continues to monitor this issue for any further comments or questions. We will publish an updated version of the CPS by August 20, 2021.

We’ve updated our repository website and CPS to include preferred information that can be included in key compromise reports. Please let us know if there are any further comments or questions.

Marked Comment #22 as spam :) I realize "any questions" is probably broadly interpreted, but it's "any questions specific to this incident described in Comment #0". This is not a good place for general Amazon support.

If there are no further questions we would like to request that this bug be Resolved as Fixed.

Flags: needinfo?(bwilson)

I'll slate this for closure on Friday, 3-Sept-2021.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [policy-failure]
You need to log in before you can comment on or make changes to this bug.