Closed Bug 1725041 Opened 4 years ago Closed 4 years ago

Network Solutions: 2021 Audit Observation #2

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1653504

People

(Reporter: bwilson, Assigned: keith.mckenney)

Details

(Whiteboard: [ca-compliance] [audit-finding])

Assignee: bwilson → keith.mckenney
Status: NEW → ASSIGNED

Network Solutions is required to file an Incident Report - https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report

Flags: needinfo?(keith.mckenney)

This bug should be closed as a RESOLVED DUPLICATE of bug 1653504.

Sectigo disclosed some of the affected certificates in bug 1518553 comment 11 and disclosed all of them in bug 1653504 comment 4. In bug 1518553 comment 12, Mozilla provided guidance that revocation of these certificates was not required.

Flags: needinfo?(keith.mckenney)

If these certificates were issued before the audit period (April 1, 2020), then why are they mentioned in the audit for the period April 1, 2020, through March 31, 2021? Were they discovered during the audit period? Also, why didn't the audit letter reference these Bugzilla bugs?

If these certificates were issued before the audit period (April 1, 2020), then why are they mentioned in the audit for the period April 1, 2020, through March 31, 2021?

Our WebTrust auditor noted that an external source had notified us "of eight (8) subscriber certificate public keys that were issued from their hierarchy where the modulus was not divisible by 8," and it is true that we did receive such a report. Note however that, in noting this under "Other Matters," our auditor did not offer any opinion regarding the (in)validity of this report. In particular, the "their hierarchy" part needs careful unpacking (see below).

Were they discovered during the audit period?

As mentioned in comment 2, some of these certificates were disclosed by Sectigo in July 2019 (before the audit period) while the remainder were disclosed in July 2020 (within the audit period). Because revocation was not required, the certificates disclosed prior to the audit period were still active at the time of reporting.

Also, why didn't the audit letter reference these Bugzilla bugs?

The Subordinate CAs that issued the 8 leaf certificates fall out of scope of the Network Solutions audit and were disclosed in Sectigo’s audit report for the same period, for which they were in scope. The reason for this is that BDO elected to treat NetSol-branded Sub-CAs that chain only to Sectigo Roots as "managed CAs" that are only in scope for Sectigo's audit. BDO considers Network Solutions to be the CA Owner of Sub-CAs that chain to our own roots (irrespective of whether or not a cross-certified chain up to a Sectigo Root also exists).
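An added check for the defect the auditor describes, not code from this bug or from Network Solutions or Sectigo. It assumes "modulus not divisible by 8" means the modulus size in bits (the wording used in Mozilla Root Store Policy section 5.1, which requires RSA moduli whose size in bits is divisible by 8) and parses a PKCS#1 RSAPublicKey, the structure carried inside a certificate's SubjectPublicKeyInfo. The two sample keys are constructed integers of a chosen bit length, not real RSA moduli; a real key would be obtained from the certificate's public key.

```python
"""Flag RSA public keys whose modulus size in bits is not a multiple of 8.

Added example, not code from bug 1725041 or from either CA.
Assumption: the audit's "modulus not divisible by 8" refers to the modulus
bit length (Mozilla Root Store Policy 5.1). GOOD_KEY / BAD_KEY below are
constructed odd integers of a chosen bit length, NOT real RSA keys.
"""
from typing import Tuple


def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """Encode a non-negative INTEGER; prepend 0x00 if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def rsa_public_key_der(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(der: bytes) -> Tuple[int, int]:
    """Decode a PKCS#1 RSAPublicKey and return (modulus, exponent)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, _ = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected INTEGER")
    # A leading 0x00 pad byte does not change the integer value.
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def modulus_bits(der: bytes) -> int:
    """Bit length of the modulus, i.e. the key size as policies measure it."""
    n, _ = parse_rsa_public_key(der)
    return n.bit_length()


def modulus_size_ok(der: bytes) -> bool:
    """True when the modulus size in bits is divisible by 8."""
    return modulus_bits(der) % 8 == 0


def constructed_modulus(bits: int) -> int:
    """Constructed odd integer with exactly `bits` bits; not a real modulus."""
    return (1 << (bits - 1)) | 1


GOOD_KEY = rsa_public_key_der(constructed_modulus(2048), 65537)  # 2048 % 8 == 0
BAD_KEY = rsa_public_key_der(constructed_modulus(2047), 65537)   # 2047 % 8 != 0

if __name__ == "__main__":
    for name, key in (("2048-bit", GOOD_KEY), ("2047-bit", BAD_KEY)):
        verdict = "ok" if modulus_size_ok(key) else "NOT divisible by 8"
        print(name, modulus_bits(key), verdict)
```

The encoder is only there to build the constructed samples; the parser is what a linter would run over the RSAPublicKey bytes extracted from each certificate's SubjectPublicKeyInfo. Note that the bit length is taken from the integer value, so the DER pad byte that appears when the modulus's top bit is set does not inflate the result.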

I'll close this as a Duplicate next Wednesday, 1-Sept-2021, unless anyone else has comments or questions.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(bwilson)
Resolution: --- → DUPLICATE
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [audit-finding]