Closed Bug 1718680 Opened 3 years ago Closed 3 years ago

Asseco DS / Certum: Forward dating certificates (notBefore in the future)

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ryan.sleevi, Assigned: aleksandra.kurosz)

Details

(Whiteboard: [ca-compliance] [uncategorized])

It appears that, as regular practice, Asseco DS / Certum forward-dates certificates, setting the notBefore to being a date in the future.

For example, this certificate appears to be issued on 2021-07-04, a date five days in the future. Judging by certificates like this, it appears to be routine practice to forward-date by a month.

This thread on dev-security-policy captures relevant discussion and historical context.

This appears to be a violation of the Forbidden or Problematic Practices, and certainly, there is no legitimate technical reason for forward dating.

This is a request for Asseco DS / Certum to provide an explanation about the policies and practices, how long this has been happening, the analysis performed by Asseco DS / Certum that led them to decide this was acceptable, as well as an explanation for how they monitor CA incidents and discussion to determine if issues or misunderstandings raised in other CA incidents may also affect them.

Flags: needinfo?(aleksandra.kurosz)

Thank you, we will prepare a reply as soon as possible.

Currently, we allow setting the notBefore date up to 30 days forward. We do this to make it easier for server operators to manage TLS certificates that will expire soon. It is also directly related to how our system is designed for certificate renewals. Below is an example of a use case.

Example scenario:

  • The TLS certificate on the server expires on 2021-06-30 23:59:59 and the server operator wants to renew the certificate.
  • The operator may submit the certificate request for renewal on 2021-06-30 12:00:00, but sometimes the verification of the certification request may take more time than usual for various reasons (especially for TLS OV and TLS EV certificates) and it may happen that the server operator does not receive a new certificate before expiration of an old one, and thus will not replace it on time on the server, making the website unavailable.
  • The operator may submit a certificate request for renewal on 2021-06-20 12:00:00 with the date notBefore 2021-06-20 12:00:00 (date equal to the actual issuance date), but then he will "lose" 10 days from the old certificate because our system currently does not have the function of adding remaining days to a renewed certificate.
  • The operator may submit a certificate request for renewal on 2021-06-20 12:00:00 with the date notBefore 2021-06-30 12:00:00. He will not "lose" 10 days (but only twelve hours) from the old certificate, and he will be able to safely update the certificate on the server between 2021-06-30 12:00:00 (date notBefore from the new certificate) and 2021-06-30 23:59:59 (date notAfter from the old certificate).

Regarding your question about monitoring incidents of other CAs and discussions in general. In this particular case, we followed at least:

Just as backDating could be used to deliberately avoid regulations, we are aware there is a risk that forwardDating may have a similar effect, not always intentionally. ForwardDating requires us to verify all certification requests according to regulations that will apply after the issue date and before the notBefore date, which requires additional effort and planning when introducing changes resulting from new regulations. Taking into account both the additional effort and the risk related to the correct verification of such requests, and observing the direction the discussions on this topic are heading, we made a decision to stop supporting setting the notBefore date by the customer.

Back in 2020, changes in the renewal process and forwardDating, as related issues, were included in the analysis. The change regarding stopping forwardDating has then been separated as risk management related, and added to the roadmap for Q2 2021. The change has already been implemented and tested, and is currently awaiting installation, which is planned as part of the standard update cycle in August.

Flags: needinfo?(aleksandra.kurosz)
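An added monitoring check, not part of this bug report or of Certum's systems, that flags forward-dated (and backdated) certificates by comparing notBefore with the time the certificate was first observed, for example the CT log entry timestamp. The records, serials and the one-hour clock-skew allowance are constructed assumptions; the first record mirrors the five-day case from the report and the second the CA's 30-day maximum.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed clock-skew allowance: a notBefore within this window of the observed
# signing/logging time is treated as "issued now", not forward- or backdated.
SKEW = timedelta(hours=1)

@dataclass(frozen=True)
class CertRecord:
    serial: str            # constructed sample serial, not a real Certum serial
    not_before: datetime
    not_after: datetime
    first_seen: datetime   # first observation, e.g. the CT log entry timestamp

def parse_ts(s: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM:SS' form used in the thread, as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def offset_days(rec: CertRecord) -> float:
    """Days from first observation to notBefore; positive means the future."""
    return (rec.not_before - rec.first_seen) / timedelta(days=1)

def classify(rec: CertRecord, skew: timedelta = SKEW) -> str:
    """'forward-dated' if notBefore is later than first_seen by more than skew,
    'backdated' if earlier by more than skew, otherwise 'ok'."""
    offset = rec.not_before - rec.first_seen
    if offset > skew:
        return "forward-dated"
    if offset < -skew:
        return "backdated"
    return "ok"

def scan(records, skew: timedelta = SKEW):
    """Return (serial, verdict, offset_days) for every record that is not 'ok'."""
    return [(r.serial, classify(r, skew), round(offset_days(r), 2))
            for r in records if classify(r, skew) != "ok"]

# Constructed sample data: a cert observed 2021-06-29 with notBefore 2021-07-04,
# one forward-dated by exactly 30 days, one backdated, one issued "now".
SAMPLE = [
    CertRecord("01", parse_ts("2021-07-04 00:00:00"), parse_ts("2022-07-04 00:00:00"), parse_ts("2021-06-29 10:15:00")),
    CertRecord("02", parse_ts("2021-07-30 12:00:00"), parse_ts("2022-07-30 12:00:00"), parse_ts("2021-06-30 12:00:00")),
    CertRecord("03", parse_ts("2021-06-01 00:00:00"), parse_ts("2022-06-01 00:00:00"), parse_ts("2021-06-29 09:00:00")),
    CertRecord("04", parse_ts("2021-06-29 09:30:00"), parse_ts("2022-06-29 09:30:00"), parse_ts("2021-06-29 09:42:00")),
]

if __name__ == "__main__":
    for serial, verdict, days in scan(SAMPLE):
        print(f"{serial}: {verdict} ({days:+.2f} days)")
```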

We have no updates.

No updates here.

No updates here.

Whiteboard: [ca-compliance] → [ca-compliance] Next update 2021-08-15

Ben, could you please set the next update date on 2021-08-31? The production installation is planned for the second half of August.

Whiteboard: [ca-compliance] Next update 2021-08-15 → [ca-compliance] Next update 2021-09-01

The new version of the application has been deployed on production on 2021-08-24 at about 22:00 UTC+2. Since then, for all new certification requests, setting a notBefore date in the future has been impossible.

Flags: needinfo?(bwilson)

I'll close this on Friday, 10-Sept-2021.

Whiteboard: [ca-compliance] Next update 2021-09-01 → [ca-compliance]
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [uncategorized]