Closed Bug 1772633 Opened 2 years ago Closed 2 years ago

IdenTrust: OCSP responses for subordinate CA exceed the validity period per CPS guidelines

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: roots, Assigned: roots)

Details

(Whiteboard: [ca-compliance] [ocsp-failure])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36

Steps to reproduce:

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

During an internal review, we discovered that the OCSP response validity period for 14 subordinate CA(s) did not conform to the IdenTrust TrustID CPS.
The TrustID CPS section 4.9.10 (https://www.identrust.com/sites/default/files/resources/identrust_trustid_cps_v4.8.2_05122022_0.pdf) states:
… OCSP responses issued for Subordinate CA Certificates last for 24 hours and the next update is available at 12 hours.

The OCSP responses for the 14 subordinate CA(s) had a validity period of less than 7 days which is in compliance with CA/B Forum Baseline Requirements v1.8.4. However, the language in the TrustID CPS section 4.9.10 only allowed 24 hours validity for OCSP responses for Subordinate CA Certificates.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

2022-5-23 14:05 MST: Received internal message identifying this discrepancy.
2022-5-24 10:00 MST: Investigation confirmed that the issue also affects multiple subordinate CA OCSP responders under the IdenTrust Commercial Root CA – OCSP Response validity was 1 second greater than specified in our CPS.
2022-5-24 13:00 MST: Evaluated options to fix the discrepancy and determined that the best option was to update the language in the IdenTrust TrustID CPS to allow for the validity period of the OCSP responses already being delivered.
2022-5-25 12:21 MST: Initiated the IdenTrust TrustID CPS update, review, and approval process with the goal of publishing the updated IdenTrust TrustID CPS as soon as possible.
2022-5-27 13:09 MST: Published the updated IdenTrust TrustID CPS.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

Certificate issuance is not involved here, but OCSP responses exceeding the CPS validity period by one second were out of IdenTrust TrustID CPS compliance until the new version was published on 2022-5-27.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

Not applicable

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

Not applicable

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

This non-compliance results from an incorrect and confusing update to section 4.9.10 introduced in TrustID CPS version 4.7.5, where the intention was to allow up to 7 days of OCSP response validity for Subordinate CA Certificates. While our OCSP responses for Subordinate CA Certificates were being tested for compliance with the intended validity of up to 7 days and for compliance with the CA/B Forum Baseline Requirements, the confusion created by the incorrect update allowed the non-compliance to go undetected until the internal review referenced in #1.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

The steps we have taken are:

  • The language in Section 4.9.10 of the IdenTrust TrustID CPS has been updated to:
    QUOTE
    For the status of Subordinate CA Certificates:
    IdenTrust provides updated information via an Online Certificate Status Protocol:
    1. At least every twelve months; and
    2. Within 24 hours after revoking a Subordinate CA Certificate
    UNQUOTE
  • Subsequent to the updates in TrustID CPS version 4.7.5, we have already implemented a CPS update process that includes subject matter expert and compliance staff review, which we believe would have detected the incorrect update prior to implementation.

As the publication of the updated IdenTrust TrustID CPS corrected the OCSP response validity period discrepancy, we consider this issue resolved.

Summary: IdenTrust: OCPS responses for subordinate CA exceed the validity period per CPS guidelines → IdenTrust: OCSP responses for subordinate CA exceed the validity period per CPS guidelines
Assignee: bwilson → roots
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]
Type: defect → task
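As an added illustration (not IdenTrust's code and not part of the bug report): a stdlib-only Python checker that computes an OCSP response's validity interval from its thisUpdate/nextUpdate GeneralizedTime values and compares it with a policy limit, the kind of check an internal review like the one described above would run. It assumes the interval is counted inclusive of both endpoints, which is how a 24-hour spacing registers as one second over a 24-hour limit; the sample timestamps, limits and responder names are constructed.

```python
from datetime import datetime, timezone

# Constructed limits for the two readings discussed in the report: the
# 24-hour figure the CPS text stated and the 7-day figure that was intended.
LIMIT_CPS_TEXT_SECONDS = 24 * 3600
LIMIT_INTENDED_SECONDS = 7 * 86400


def parse_generalized_time(value: str) -> datetime:
    """Parse an OCSP GeneralizedTime of the form YYYYMMDDHHMMSSZ (UTC)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_seconds(this_update: str, next_update: str, inclusive: bool = True) -> int:
    """Validity interval in whole seconds.

    With inclusive=True both endpoints count (an assumption about the
    measurement convention), so a 24-hour spacing yields 86,401 seconds:
    the one-second overrun the report describes.
    """
    start = parse_generalized_time(this_update)
    end = parse_generalized_time(next_update)
    if end < start:
        raise ValueError("nextUpdate precedes thisUpdate")
    seconds = int((end - start).total_seconds())
    return seconds + 1 if inclusive else seconds


def check_response(this_update: str, next_update: str, limit_seconds: int) -> dict:
    """Audit record for one response against one validity limit."""
    seconds = validity_seconds(this_update, next_update)
    return {
        "validity_seconds": seconds,
        "limit_seconds": limit_seconds,
        "compliant": seconds <= limit_seconds,
        "overrun_seconds": max(0, seconds - limit_seconds),
    }


# Constructed sample responder data (thisUpdate, nextUpdate), not real responses.
SAMPLE_RESPONSES = {
    "subca-a": ("20220524100000Z", "20220525100000Z"),  # 24 h spacing
    "subca-b": ("20220520000000Z", "20220526230000Z"),  # just under 7 days
}


def audit(samples: dict, limit_seconds: int) -> dict:
    """Check every sample against one limit; returns name -> audit record."""
    return {name: check_response(t, n, limit_seconds) for name, (t, n) in samples.items()}
```

Running `audit(SAMPLE_RESPONSES, LIMIT_CPS_TEXT_SECONDS)` flags both samples, while the same data passes against `LIMIT_INTENDED_SECONDS`, which is the gap between the CPS wording and the responder behaviour the report describes.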

Confirming that as the CPS was updated and published on May 27, 2022, we consider this issue resolved.

I'll close this on Wed. 22-June-2022, unless anyone believes there are further issues to discuss.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ocsp-failure]