Closed Bug 1713978 Opened 3 years ago Closed 3 years ago

Amazon Trust Services: Forbidden Domain Validation Method 3.2.2.4.6

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: agwa-bugs, Assigned: trevolip)

Details

(Whiteboard: [ca-compliance] [policy-failure])

Amazon Trust Services' current CP (https://www.amazontrust.com/repository/cp-1.0.9.pdf) states on page 32 that method 3.2.2.4.6 (Agreed-Upon Change to Website) is used to validate domains. This domain validation method is forbidden by the Baseline Requirements.

In light of https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/CDal5qSIYvE could Amazon Trust Services please detail in their incident report what their process is for following Mozilla's dev-security-policy forum?

Assignee: bwilson → trevolip
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]

Our CP includes method 3.2.2.4.6 but doesn’t include the language from the Baseline Requirements “CAs SHALL NOT perform validations using this method after June 3, 2020. CAs MAY continue to re‐use information and validations for domains validated under this method per the applicable certificate data reuse periods.” But in practice our CPS prohibits this method with the following language “Amazon does not use any validation methods that have been retired by CA/B Forum.” By July 30, 2021, per our previous commitment stated in the April 2021 CA Communications, we will both: 1) update our CP to include this language, and 2) update our CPS to specifically call out which methods are/aren’t used to make it more clear.

Amazon Trust Services has no updates or changes to our previously communicated plan.

It's good that Amazon Trust Services has committed not to use validation methods retired by the CA/B Forum, and I take Comment 1 to mean Amazon has not issued any certificates using method 3.2.2.4.6 after it was retired. However, I don't believe Amazon's CP/CPS is compliant with Mozilla's disclosure requirement. MRSP 2.2(2) states, emphasis added:

The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to perform this verification.

Above the listing for 3.2.2.4.6, Amazon's CP 1.0.9 states:

The CA SHALL confirm that prior to issuance, the CA has validated each Fully-Qualified Domain Name (FQDN) listed below

Amazon's CP says, explicitly, that Amazon uses method 3.2.2.4.6. Amazon's CPS says, implicitly, that Amazon doesn't use 3.2.2.4.6. This makes it ambiguous whether or not Amazon uses method 3.2.2.4.6, and thus fails to meet Mozilla's requirement that validation methods be "clearly" specified in the CP/CPS.

Clear, specific disclosure of validation methods is important because it provides RPs with assurance that the CA is aware of what methods are allowed. A blanket statement that a CA doesn't use retired methods provides no assurance that the CA is aware that a particular method is retired.

For the above reasons, I believe this is a compliance incident and requires an incident report as described here: https://wiki.mozilla.org/CA/Responding_To_An_Incident

Flags: needinfo?(trevolip)

Amazon Trust Services acknowledges this feedback.

Flags: needinfo?(trevolip)

Amazon Trust Services has reviewed our Certification Practice Statement (CPS), specific to this issue. Our CPS currently prohibits Method 3.2.2.4.6 with the following language “Amazon does not use any validation methods that have been retired by CA/B Forum,” which includes not using the retired Method 3.2.2.4.6. This is not a compliance issue as our CPS accurately reflects that we do not use this method.

We previously committed to voluntarily update our CPS by July 30, 2021 to call out which specific methods are/aren’t used to make it more clear, but this is not a required level of detail for a CPS.

Trev: I'm not sure how that squares with Andrew's Comment #3, which points out the inconsistency with the Amazon CP. Your Comment #5 references the CPS, which Andrew acknowledged in Comment #3, but doesn't seem to respond to the CP issue. It also doesn't seem to be responding to the nature of incident report suggested in Comment #3, and, taken with "This is not a compliance issue", it sounds like Amazon disagrees with the analysis in Comment #3. Can you share more detail about why that is, since it does not appear to be a response in substance to the concerns?

Comment #1 suggests you will be updating your CP (why it takes two months to update a CP/CPS is unclear, and independent of this, greatly concerning), but it doesn't seem like ATS views this as an incident, which is also concerning.

Flags: needinfo?(trevolip)

Ryan, thank you for the feedback. Today we have our CP structured to mirror the BRs and the CPS is more restrictive and specifies how we apply those policies in practice. We read comment 3 as commenting on the definition of clarity between the documents, as opposed to consistency. If the issue is consistency, given that the two documents aren’t intended to have the same content, we’d appreciate some suggestions on how we can make them more consistent. Is it just the lack of expiration dates that would provide the reader a way to see in our CP that the forum deprecated those methods without also having to refer to the BRs or is there something else Mozilla and the other browsers would find useful? (I’ve addressed the comment about CP/CPS update on https://bugzilla.mozilla.org/show_bug.cgi?id=1713976.)

Flags: needinfo?(trevolip)

Amazon Trust Services is monitoring this issue for further questions or information.

(In reply to Trevoli (Amazon Trust Services) from comment #7)

Is it just the lack of expiration dates that would provide the reader a way to see in our CP that the forum deprecated those methods without also having to refer to the BRs or is there something else Mozilla and the other browsers would find useful?

It's been discussed with other CAs, such as Microsoft recently, that the greater interest is in seeing the CP/CPS document the current practices, rather than historic practices (that may have unexpired certificates). Here, the expectation is that relying parties can map between the policy in place at the time the certificate was issued (e.g. the notBefore) to understand what happens.

With respect to places where the BRs allow you to do "X, Y, or Z", listing "We may do X, Y, or Z" in the CP and then in the CPS "We do Z" certainly does not seem to benefit readers. The BRs are an implicit background to read a CA's CP against; we're more interested in understanding where and how a CA narrows things further than the BRs, and making sure that the policy and practice are aligned. To that end, if you only use Z, then only listing Z is preferred.

Ben: For your consideration.

Flags: needinfo?(bwilson)

With respect to places where the BRs allow you to do "X, Y, or Z", listing "We may do X, Y, or Z" in the CP and then in the CPS "We do Z" certainly does not seem to benefit readers

I agree, but to be clear this is not even what Amazon is doing. Their CP lists (it still has not been updated after 42 days) a method that the BRs forbid without any indication that it is forbidden. Their CPS does not list any domain validation methods at all. Amazon has yet to provide a substantive response to Comment 3 which explains why their CP/CPS is not compliant with MRSP 2.2.

Thanks Andrew for the clarification. I should have indicated that Amazon has indicated they will not update their CP/CPS until 2021-07-30 (Bug 1713976, Comment #9), because they had planned a review then (Bug 1713976, Comment #11). This was indicated in Comment #7, and that's why I was sending to Ben: to set a Next Update. That's my fault for not being clearer.

ATS choosing to take two months to resolve compliance issues is incredibly unfortunate, and certainly will be and is a matter of concern. However, given that polite hints at this being unwise (Bug 1713976, Comment #10) have gone unheeded or unnoticed, it's their rope to use as they please.

Whiteboard: [ca-compliance] → [ca-compliance] Next update 2021-08-01

Amazon Trust Services acknowledges this feedback.

On 7/23/21, Amazon Trust Services published updated CP and CPS documents, which addressed this issue.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] Next update 2021-08-01 → [ca-compliance] [policy-failure]