Amazon Trust Services: Overdue audit statements for intermediate certificates
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: kathleen.a.wilson, Assigned: bwilson)
Details
(Whiteboard: [ca-compliance] [audit-failure] [audit-delay])
Outdated Audit Statements for Intermediate Certs
CA Owner: Amazon Trust Services
-
Certificate Name: Amazon
SHA-256 Fingerprint: ECC295B6DDCD084BA7179FB53BDD1D422CB6C0A8D94F154D4A5B17780B7279ED
Standard Audit Period End Date (mm/dd/yyyy): 09/30/2020
BR Audit Period End Date (mm/dd/yyyy): 09/30/2020
EV SSL Audit Period End Date (mm/dd/yyyy): 09/30/2020
-
Certificate Name: Amazon
SHA-256 Fingerprint: F55F9FFCB83C73453261601C7E044DB15A0F034B93C05830F28635EF889CF670
Standard Audit Period End Date (mm/dd/yyyy): 09/30/2020
BR Audit Period End Date (mm/dd/yyyy): 09/30/2020
EV SSL Audit Period End Date (mm/dd/yyyy): 09/30/2020
-
Certificate Name: Amazon
SHA-256 Fingerprint: 4A1FF6BBF481170D3B773CEC1F3A84DE3B5096575CDBF8B08432209318CA0FBD
Standard Audit Period End Date (mm/dd/yyyy): 09/30/2020
BR Audit Period End Date (mm/dd/yyyy): 09/30/2020
EV SSL Audit Period End Date (mm/dd/yyyy): 09/30/2020
Comment 1•3 years ago
Acknowledging this issue. We have updated CCADB with DigiCert's latest audit reports.
Comment 2•3 years ago
Note: These are for the three intermediates operated by DigiCert.
1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in the MDSP mailing list (https://groups.google.com/a/mozilla.org/g/dev-security-policy), a Bugzilla bug, or internal self-audit), and the time and date.
January 4, 2022 – Email received from Mozilla CA Program Manager regarding out of date audit statements.
February 1, 2022 – Email received from Mozilla CA Program Manager regarding out of date audit statements.
March 1, 2022 – Email received from Mozilla CA Program Manager regarding out of date audit statements.
March 1, 2022 – Mozilla creates a bug. Amazon Trust Services reaches out to Mozilla to let them know we saw the bug and will reply.
2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
March 2, 2022 – Amazon Trust Services reaches out to DigiCert to get the information needed to update CCADB.
March 3, 2022 – Amazon Trust Services updates the intermediate records in CCADB with DigiCert’s latest audit information.
3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.
We are changing our process for updating these audit reports to make sure they are updated in a faster manner.
4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.
N/A
5. In a case involving TLS server certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. When the incident being reported involves an SMIME certificate, if disclosure of personally identifiable information in the certificate may be contrary to applicable law, please provide at least the certificate serial number and SHA256 hash of the certificate. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.
N/A
6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
In the past we’ve updated DigiCert’s audit information in the same time frame as ATS’s own audit information. Because of this, this is something we handle in April, which is why the email notifications weren’t immediately reacted upon.
7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.
We have a process that we use to review DigiCert’s final audit reports. This review covered the contents and an analysis. This review occurred in January and wasn’t related to CCADB maintenance. We’ve moved this review to December. We also added a step in the review to update the CCADB record before the review is closed out.
Comment 3•3 years ago
If there are no further questions we would like to request that this bug be Resolved as Fixed.
Comment 4•3 years ago
I intend to close this on Wed., 23-Mar-2022, unless there are any questions or issues to resolve.