Closed Bug 1771722 Opened 2 years ago Closed 2 years ago

Firmaprofesional: 2022 - Title field

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mprieto, Assigned: mprieto)

Details

(Whiteboard: [ca-compliance] [audit-finding])

Attachments

(1 file)

Steps to reproduce:

  • 1.3.6.1.4.1.13177.10.1.2.2 (QCP-n): One certificate of the sample has been detected whose subject:title field is larger than the size allowed by RFC 5280.

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
It is a finding identified during the annual eIDAS/ETSI audit being carried out these days.

Actual results:

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
Does not apply, because the TITLE field doesn’t exist in SSL certificates. See “Firmaprofesional Certificate’s Profiles Document”, pages 49 and 50.

Furthermore, due to the measures taken to resolve Bug 1717795, all the fields of Firmaprofesional's TLS certificates have strict technical length controls.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
Does not apply. See above.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
There are no TLS certificates affected.

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
Does not apply.

Expected results:

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
Although it does not apply, since it does not affect TLS certificates, in our intention of continuous and transparent improvement, we communicate what happened:
Technical controls for character limitation were implemented for all the fields of TLS certificates and the vast majority of the rest of the certificate policies (natural person QCP-n, legal person QCP-l), but this limit was not implemented for the optional field "title".

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
Although it does not apply, since it does not affect TLS certificates, in our intention of continuous and transparent improvement, we communicate the steps that we will follow:

  • Check all the fields for the technical limitation of characters, for policies QCP-n and QCP-l.
  • Enforce character limit technical controls, as was done last year for all fields of TLS certificates.
Assignee: bwilson → mprieto
Status: UNCONFIRMED → ASSIGNED
Type: enhancement → task
Ever confirmed: true
Whiteboard: [ca-compliance]

I would like to ask if Firma has examined all previously submitted (and currently "closed") incidents related to stateOrProvinceName and localityName in Bugzilla.
Thank you Dimitris for your comment, because really we think we should learn from the experience and difficulties of other CAs.

Indeed, we have reviewed other similar tickets, such as Bug 1720723 or Bug 1667842 , and after analyzing them, we continue to believe that the strategy of minimizing the number of fields in certificates is good for browsers and for CAs, as well as adding as much automation as possible.

We think using a dropdown for the StateOrProvince and Locality fields is a good idea because it:
  • avoids typos and other types of human error;
  • allows us to identify the limitations of the dropdown without incurring the error of issuing certificates with incorrect data;
  • avoids the free text field issue identified in Bug 1720723.

We are aware of the limitations of this type of dropdown, because it is difficult to guarantee that this type of information is absolutely correct worldwide. However, we have also analyzed the countries that concentrate most of our certificates and we have ensured that for those countries the stateOrProvince data is correct.

We may find ourselves in exceptional cases where, at the time of issuing a certificate, the stateOrProvince claimed by the subject does not appear in our dropdown. In this case, the issuance will not be possible at that time (perhaps we will lose a client) and we will analyze the case to identify if it is necessary to apply any update in the dropdown.

Secondly I would like to ask if all CA Compliance bugs from other CAs are being actively monitored and taken into consideration proactively (i.e. without necessarily being affected by the corresponding incidents but making sure controls are implemented to prevent such class of incidents).

Regarding your second comment, in fact, several people at Firmaprofesional are subscribed to new bug creations and updates (see Mails_bugs.png), and we learn from them and implement improvements to the best of our ability. We recommend this practice to all CAs since it has been very useful for us.

Flags: needinfo?(jimmy)
Attached image Mails_bugs.png
Flags: needinfo?(jimmy)
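The two controls discussed in this thread, a length limit on every subject attribute (including the optional title attribute that the report says was missed) and a dropdown-style allowlist for stateOrProvinceName, can both be expressed as a single pre-issuance lint. The following is an added example, not Firmaprofesional's code or a tool from this bug; the RFC 5280 Appendix A.1 upper bounds are real, while the attribute short names, the `lint_subject` function and the `STATE_ALLOWLIST` contents are assumptions constructed for illustration.

```python
# Added example (not Firmaprofesional's code): a pre-issuance subject-DN lint.
# It fails closed on any attribute without a configured bound, which is the
# gap the report describes for "title".

# RFC 5280 Appendix A.1 upper bounds. They are counts of characters of the
# decoded DirectoryString, so measure the Python str, not its UTF-8 bytes.
RFC5280_UPPER_BOUNDS = {
    "C": 2,               # X520countryName: PrintableString SIZE(2)
    "CN": 64,             # ub-common-name
    "L": 128,             # ub-locality-name
    "ST": 128,            # ub-state-name
    "O": 64,              # ub-organization-name
    "OU": 64,             # ub-organizational-unit-name
    "title": 64,          # ub-title
    "serialNumber": 64,   # ub-serial-number
    "pseudonym": 128,     # ub-pseudonym
    "emailAddress": 255,  # ub-emailaddress-length
}

# Constructed, hypothetical allowlist standing in for the dropdown's backing
# table; a real CA maintains this per country from an authoritative source.
STATE_ALLOWLIST = {
    "ES": {"Madrid", "Barcelona", "Valencia"},
}


def lint_subject(subject: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the subject may be issued."""
    findings = []
    for attr, value in subject.items():
        bound = RFC5280_UPPER_BOUNDS.get(attr)
        if bound is None:
            # Fail closed: an attribute with no bound is refused, not skipped.
            findings.append(f"{attr}: no length bound configured, refusing")
            continue
        if not value:
            findings.append(f"{attr}: empty value (DirectoryString SIZE is 1..ub)")
        elif len(value) > bound:
            findings.append(f"{attr}: {len(value)} chars exceeds RFC 5280 bound {bound}")

    # Dropdown semantics: stateOrProvinceName must be a known value for the
    # country; unknown values block issuance until the table is reviewed.
    country = subject.get("C")
    state = subject.get("ST")
    if state is not None:
        allowed = STATE_ALLOWLIST.get(country, set())
        if state not in allowed:
            findings.append(f"ST: {state!r} not in allowlist for C={country!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample subjects: one clean, one with a 65-character title.
    samples = [
        {"C": "ES", "ST": "Madrid", "O": "Example SA", "CN": "Jane Doe", "title": "Director"},
        {"C": "ES", "ST": "Madrid", "O": "Example SA", "CN": "Jane Doe", "title": "T" * 65},
    ]
    for s in samples:
        print(s["title"][:12], "->", lint_subject(s) or "OK")
```

Run the check on the request before the CSR reaches the signing path; anything returned is a reason to refuse, and an unknown attribute name is treated the same way so that a new optional field cannot slip past the limits unnoticed.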

Sorry, comment 1 was not for this bug.

Dear Ben,
We update and confirm all the steps of point 7:

  • The technical control of the Title field has already been uploaded to PRO.
  • We have checked all the fields for the technical limitation of characters, for policies QCP-n and QCP-l.
  • And finally, we have verified the character limit technical controls that we already enforced last year for all fields of TLS certificates.

From our point of view this ticket could be closed.

Flags: needinfo?(bwilson)

I'll close this on or about next Wed., 20-July-2022.

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [audit-finding]