Closed Bug 1738421 Opened 3 years ago Closed 3 years ago

Izenpe: CRL and ARL exceed validity period value by one second

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: d-fernandez, Assigned: d-fernandez)

Details

(Whiteboard: [ca-compliance] [crl-failure])

1. How your CA first became aware of the problem.
Following the last Bugzilla issues, we realised we had the same problem in our Root certificate ARL, where there is a lapse of 365 days and 1 second between the issuing date and the NextUpdate date. The same issue occurs in our CRLs, which should last 10 days and not 10 days plus 1 second, therefore not complying with BR 4.9.7.

For the Root Certificate (http://crl.izenpe.com/cgi-bin/arl2)
ARL #10:
issued: 2020-11-19 15:59:14 (UTC+1)
nextUpdate: 2021-11-19 14:59:14 (UTC+1)

For Intermediate Certificates:
DV and OV certificates (http://crl.izenpe.com/cgi-bin/crlinterna2)
CRL #13AB:
issued: 2021-10-27 17:45:53 (UTC+2)
nextUpdate: 2021-11-06 18:45:53 (UTC+1)
EV Certificates (http://crl.izenpe.com/cgi-bin/crlsslev)
CRL #E14:
issued: 2021-10-28 11:52:34 (UTC+2)
nextUpdate: 2021-11-7 12:52:34 (UTC+1)

2. A timeline of the actions your CA took in response.
27/10/2021 8:00 - Reviewing Bugzilla's incidents, we became aware of the same problem after checking our ARL/CRL.
27/10/2021 10:00 - Successfully tested the change to subtract 1 second in our development environment.
27/10/2021 13:31 - As the previous ARL was about to expire, the reissue of the new ARL was already planned for this day, so we changed the configuration the same way we did in our development environment.

3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident.
It has not been necessary.

4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.)
Not applicable.

5. In a case involving certificates, the complete certificate data for the problematic certificates.
Not applicable.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
The current ARL/CRL configuration allows any kind of frequency to be set, and it was set to 365 days for the ARL and 10 days for the CRL, not considering that dates are inclusive.

7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

Publish new ARL (done)
Publish new CRL for intermediates (planned 2021-10-29)
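
The inclusive-endpoint check behind this report, as an added example that is not part of the original report or Izenpe's tooling: it parses the output of `openssl crl -noout -lastupdate -nextupdate` and measures the lifetime with both endpoints counted. The sample outputs are constructed (not the CRLs listed above), and the function names and the 10-day/365-day constants (taken from the figures in the report) are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta, timezone

# Lifetimes as configured in the report above (assumed here as the limits).
MAX_CRL = timedelta(days=10)
MAX_ARL = timedelta(days=365)

_FIELD = re.compile(r"^(lastUpdate|nextUpdate)=(.+?)\s*$", re.M)

def parse_openssl_dates(text):
    """Parse `openssl crl -noout -lastupdate -nextupdate` output into UTC datetimes."""
    found = {}
    for name, value in _FIELD.findall(text):
        dt = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
        found[name] = dt.replace(tzinfo=timezone.utc)
    if set(found) != {"lastUpdate", "nextUpdate"}:
        raise ValueError("need both lastUpdate and nextUpdate")
    return found["lastUpdate"], found["nextUpdate"]

def inclusive_lifetime(this_update, next_update):
    """Both endpoints count, so the lifetime is the difference plus one second."""
    if next_update < this_update:
        raise ValueError("nextUpdate precedes thisUpdate")
    return next_update - this_update + timedelta(seconds=1)

def check(text, limit):
    """Return (within_limit, excess) for one CRL's openssl date output."""
    this_update, next_update = parse_openssl_dates(text)
    lifetime = inclusive_lifetime(this_update, next_update)
    return lifetime <= limit, lifetime - limit

def next_update_for(this_update, limit):
    """Latest nextUpdate that keeps the inclusive lifetime within the limit."""
    return this_update + limit - timedelta(seconds=1)

# Constructed sample outputs: period added as-is, then with one second subtracted.
BEFORE = "lastUpdate=Oct 27 15:45:53 2021 GMT\nnextUpdate=Nov  6 15:45:53 2021 GMT\n"
AFTER = "lastUpdate=Oct 29 09:00:00 2021 GMT\nnextUpdate=Nov  8 08:59:59 2021 GMT\n"

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        ok, excess = check(sample, MAX_CRL)
        print(label, "ok" if ok else f"over by {excess}")
```

Comparing in UTC, as openssl prints the fields, keeps a daylight-saving change between issuance and nextUpdate from distorting the measured lifetime.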

Summary: CRL and ARL exceed validity period value by one second → Izenpe: CRL and ARL exceed validity period value by one second
Assignee: bwilson → d-fernandez
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]

The CRLs are now published without the extra second of duration.

I will close this on next Wed. 16-Feb-2022, unless there are questions or issues to discuss.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [crl-failure]