Closed Bug 1735761 Opened 2 months ago Closed 27 days ago

Sectigo: CRL validity beyond CPS allowed value

Categories

(NSS :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: martijn.katerbarg, Assigned: tim.callan)

Details

(Whiteboard: [ca-compliance])

Hi, this is Martijn Katerbarg from Sectigo. I've been working at Xolphin with WebPKI products for the last 13+ years in multiple validation and technical roles. As part of the acquisition by Sectigo last year I came over to them and joined the WIR team.

1. How your CA first became aware of the problem

We monitored bug 1731164 from Google Trust Services and later bug 1733000 from QuoVadis. We conducted a review of our own CRLs as compared to our CPS and discovered a mismatch between our CPS and our actual CRL validity periods.

2. Timeline

September 16, 2021

Google Trust Services opens bug 1731164.

September 17

We review bug 1731164 in our twice-weekly WebPKI Incident Response (WIR) working meeting and start to investigate our own CRLs for compliance with the Baseline Requirements.

September 24

Our review concludes that we do have a “plus-second” behavior, but because we limit our CRLs to 7 days, it does not constitute a BR violation. We put in a ticket to fix the plus-second behavior with a low priority as we believe there is no imminent problem.

September 28

QuoVadis opens bug 1733000.

Prompted by this line…

QuoVadis OCSP responses are good for 48 hours, which is shorter than the requirement found in Baseline Requirements section 4.9.10. However, the QuoVadis CPS states the maximum validity period of an OCSP response is 48 hours.

…we decide to review our own CPS as compared to our actual behavior. We discover that our CRLs are indeed non-compliant with our CPS.

October 5

A CPS update is published to extend the time at which we will issue a new CRL. This fixes the CRL mismatch problem.

Our ticket to fix the plus-second behavior remains open in the interest of preventing possible future issues.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.

Our CRLs are fully compliant in validity time with our current CPS.

4. Summary of the problematic certificates

This matter did not result in certificate misissuance.

5. Affected certificates

This matter did not result in certificate misissuance.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now

While we have ongoing CPS reviews, bug 1731164 and bug 1733000 prompted us to more closely scrutinize the chapter on CRL Issuance Frequency. Our previous CPS stated that our CRLs are valid for 24 hours.

Though we do issue new CRLs every 24 hours, the validity of each CRL is 7 days plus 1 second. This discovery prompted us to create and publish an update to our CPS.
Our latest CPS review did encompass the CRL Profile section (7.2) but not the CRL Issuance Frequency (4.9.7).

It is not easy to see why this discrepancy was not detected previously. We believe there may have been some confusion between the CRL Issuance Frequency and the CRL Validity Period in the past, at a time when there was a single person reviewing our entire CPS. Since then, we have implemented a more robust, multi-person review process for CPS updates.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future

Our CPS has been updated to reflect our practice in CRL use. As we have referenced in other bugs, CPS review and update is one of our activities, and more people have been engaged recently in reviewing our CPS than in the past. We believe adding fresh eyes to these procedures and reviews can help stave off the “tunnel-vision” that always becomes a risk with repeated exposure to the same document.

We have a ticket open to fix the plus-second behaviour referenced above in order to reduce the likelihood of future problems with CRL validity periods.
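The mismatch described in this report can be checked mechanically. The following is an added example, not part of Sectigo's report or tooling: Python code that reads thisUpdate and nextUpdate from a DER-encoded CRL and compares the window with the maximum a CPS documents. The function names, the sample CRL and the 7-day limit are assumptions for illustration; the 24-hour figure and the 7-days-plus-1-second window come from the report.

```python
from datetime import datetime, timedelta, timezone

def tlv(buf, off):
    """Read one DER TLV at `off`; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) in the 'Z' form."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_window(der):
    """Return (thisUpdate, nextUpdate) from a DER-encoded CertificateList."""
    _, off, _ = tlv(der, 0)        # outer CertificateList SEQUENCE
    _, off, end = tlv(der, off)    # TBSCertList SEQUENCE
    times = []
    while off < end and len(times) < 2:
        tag, start, stop = tlv(der, off)
        if tag in (0x17, 0x18):    # thisUpdate, then nextUpdate
            times.append(parse_time(tag, der[start:stop]))
        elif times:                # non-time field follows thisUpdate
            break
        off = stop
    if len(times) != 2:
        raise ValueError("CRL has no thisUpdate/nextUpdate pair")
    return times[0], times[1]

def check_validity(der, documented_max):
    """Compare nextUpdate - thisUpdate with the maximum the CPS documents."""
    this_update, next_update = crl_window(der)
    validity = next_update - this_update
    excess = max(validity - documented_max, timedelta(0))
    return {"validity": validity, "compliant": not excess, "excess": excess}

def _der(tag, body):               # short-form encoder, enough for the sample
    return bytes([tag, len(body)]) + body

# Constructed sample: structurally minimal CRL (empty issuer, algorithm and
# signature placeholders) whose window is 7 days plus 1 second.
SAMPLE_CRL = _der(0x30, _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"")
    + _der(0x30, b"") + _der(0x17, b"211001000000Z")
    + _der(0x17, b"211008000001Z")) + _der(0x30, b"") + _der(0x03, b"\x00"))

if __name__ == "__main__":
    for limit in (timedelta(hours=24), timedelta(days=7)):  # 7 days: hypothetical
        print(limit, check_validity(SAMPLE_CRL, limit))
```

Against the 24-hour limit the sample exceeds the documented value by 6 days and 1 second; against a hypothetical 7-day limit the extra second alone makes it non-compliant.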

Assignee: bwilson → tim.callan
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]

We believe we have covered all the necessary information in our initial post. We are, however, continuing to monitor this bug for any questions or comments.

As there do not seem to be any additional questions, we would like to propose closure of this bug.

Flags: needinfo?(bwilson)

I'll schedule this to be closed on next Wed. 3-Nov-2021.

This bug is due to be closed any time now. We are continuing to monitor it until that occurs.

Status: ASSIGNED → RESOLVED
Closed: 27 days ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED