Closed Bug 1737057 Opened 1 year ago Closed 11 months ago

Entrust: CRLs and OCSP responses not issued as specified in the CPS


(CA Program :: CA Certificate Compliance, task)


(Not tracked)



(Reporter: bruce.morton, Assigned: bruce.morton)


(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in, a Bugzilla bug, or internal self-audit), and the time and date.

Entrust became aware of the problem of CRLs having a validity period of greater than the maximum by reviewing Mozilla Incident Reports. Entrust reviewed the CPS, CRLs and OCSP responses and determined the CRLs and OCSP responses were issued 1 second greater than as specified in the CPS.

  1. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

2021-09-18 11:57 UTC - Google Trust Services files incident Bug 1731164
2021-09-27 2:30 UTC - Certainly files incident Bug 1732745
2021-09-27 17:15 UTC – GTS and Certainly incidents reviewed and investigation started
2021-09-27 13:10 UTC – Plan to address the incident after it has been reviewed with the CA/Browser Forum
2021-10-7 15:00 UTC – CA/Browser Forum Validation Subcommittee discusses issue
2021-10-7 17:34 UTC – Draft CA/Browser Forum ballot drafted for review
2021-10-18 12:35 UTC – Draft CA/Browser Forum ballot updated for review
2021-10-20 13:00 UTC – Incident and ballot reviewed
2021-10-21 13:55 – Full incident report posted

  1. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

Certificate issuance was not stopped because as there was no miss-issuance of any certificates.

  1. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

Only CRLs were impacted, but no certificates were miss-issued.

  1. The complete certificate data for the problematic certificates.

Only CRLs were impacted, but no certificates were miss-issued.

  1. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The CPS states a maximum validity period for a CRL and OCSP responses. The implementation of CRL and OCSP issuance includes one second more than is specified. When the CRL and OCSP responses were created the maximum time was added to the notBefore value, not considering that the last second was inclusive as stated in rfc5280.

  1. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

We have reviewed the CA/Browser Forum draft ballot to the BRs, which will be proposed to clarify the CRL and OCSP requirements. Entrust plans to update the CPS based on the requirements as specified in the ballot.

Assignee: bwilson → bruce.morton
Ever confirmed: true
Whiteboard: [ca-compliance]

The severity field is not set for this bug.
:kwilson, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(kwilson)
Type: defect → task
Flags: needinfo?(kwilson)

Please indicate whether you have sufficiently remedied this issue and whether this matter can be closed. Have you changed the validity period for your CRLs and OCSP responses, etc.?

Flags: needinfo?(bruce.morton)

Hi Ben, our plan was to comply with the CA/Browser Forum ballot, but since this has been delayed, we will take our own action. Will provide a follow-on update.

Flags: needinfo?(bruce.morton)

The one second issue only applies to root CRLs and OCSP responses. Entrust has re-issued the root CRLs and OCSP responses to be in compliance with the CPS.

Entrust will plan to comply with the CA/Browser Forum ballot, if and when it is released.

There are no more current actions on this incident.

I will schedule this for closure this Friday, 4-March-2022, unless there are other issues to address.

Flags: needinfo?(bwilson)
Closed: 11 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.