Closed Bug 1793059 Opened 2 years ago Closed 10 months ago

CFCA: The delay in revocation of ICA

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gaofei, Assigned: gaofei)

Details

(Whiteboard: [ca-compliance] [ca-revocation-delay])

Attachments

(4 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36

Steps to reproduce:

1) How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

In an email from the Chrome Root Program on September 10, requesting a report regarding the delay in revocation of the misissued certificate (CFCA DV OCA).

2) A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

2021-06-23: Created the new ICA, CFCA DV OCA (SHA2 = B8BE2649AA518E943BF0FD1E34A240443E46E79EA7B562E09FCC830AC7D2F3FC).
After the new ICA was created, we did not conduct any business or issue any certificates from it.
2022-06-16: Reported CFCA DV OCA in the CCADB.
2022-08-15: We received a report from Ryan Dickson that the ICA has no EKU extension.
2022-08-16: Reviewed the ceremony of the new ICA and found that the configuration file was incorrect, resulting in no EKU extension in the issued certificate.
2022-08-16: Reported the event to our auditor and discussed solutions.
2022-09-06: Decided to re-sign the incorrect ICA.
2022-09-19: Revoked the ICA (CFCA DV OCA).

3) Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.

CFCA revoked the ICA (CFCA DV OCA) on 2022-09-19. The ICA has not carried out any business or issued any user certificates.

4) In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.

Number of certs: 1
2021-06-23: We created the new ICA, CFCA DV OCA, which lacks the EKU extension.
https://crt.sh/?id=6970868811

5) In a case involving certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.

Number of certs: 1
2021-06-23: We created the new ICA, CFCA DV OCA, which lacks the EKU extension.
https://crt.sh/?id=6970868811

6) Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

In fact, we had decided to revoke the incorrect certificate before completing the final solution. However, the revocation was omitted during processing.

7) List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

1. We updated the certificate revocation rules and added revocation review steps. On the second day after receiving a certificate revocation application, the auditor will check that the revocation has been completed.
2. After the introduction of zlint, we plan to send email or SMS notifications on the first, third, and seventh days for the incorrect certificates that we find, so that incorrect certificates can be revoked in time.
A. Complete the functional design of CFCA RA/CA Zlint before 2022-11-15.
B. Complete the development of the CFCA RA/CA Zlint function before 2022-12-30.
C. Complete functional verification in the test environment before 2023-01-30.
D. CFCA RA/CA Zlint will be officially launched before 2023-02-25.
E. Before 2023-03-30, complete the inspection of CFCA's historical certificates and deal with any problems found.

Assignee: bwilson → gaofei
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [delayed-revocation-ca]

It seems that this bug has been misunderstood: instead of addressing the issue of delayed CA revocation, it focuses on the revocation of end-entity certificates and additional linting, as captured in the original bug https://bugzilla.mozilla.org/show_bug.cgi?id=1793053.

I believe this particular bug is to address the violation of BRs section 4.9.1.2, which requires the revocation of a CA Certificate within 7 days.

The suggestion is that CFCA provide a different type of incident report here. The incident report would need to explain steps that CFCA is taking to improve its revocation response time for intermediate CAs. What is CFCA going to do to make sure that CAs are revoked within 7 days? Examples of incident reports that other CA operators have filed can be found here: https://bugzilla.mozilla.org/buglist.cgi?status_whiteboard=delayed-revocation-ca&component=CA%20Certificate%20Compliance&status_whiteboard_type=allwordssubstr&query_format=advanced

Flags: needinfo?(gaofei)

1) How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

In an email from the Chrome Root Program on September 10, requesting a report regarding the delay in revocation of the misissued certificate (CFCA DV OCA).

2) A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

2021-06-23: Created the new ICA, CFCA DV OCA (SHA2 = B8BE2649AA518E943BF0FD1E34A240443E46E79EA7B562E09FCC830AC7D2F3FC).
After the new ICA was created, we did not conduct any business or issue any certificates from it.
2022-06-16: Reported CFCA DV OCA in the CCADB.
2022-08-15: We received a report from Ryan Dickson that the ICA has no EKU extension.
2022-08-15: Bi Xinlong checked the scope of impact of the above incorrect certificate and confirmed that no certificate had been issued after the ICA was created.
2022-08-16: Reviewed the ceremony of the new ICA and found that the configuration file was incorrect, resulting in no EKU extension in the issued certificate.
2022-08-16: Reported the event to our auditor and discussed solutions.
2022-09-05: Bi Xinlong sent an email applying for modification of the Primary Contact of CFCA in the CABF.
2022-09-06: Decided to re-sign the incorrect ICA.
2022-09-19: Revoked the ICA (CFCA DV OCA).

3) Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.

CFCA revoked the ICA (CFCA DV OCA) on 2022-09-19. The ICA has not carried out any business or issued any user certificates.

4) In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.

Number of certs: 1
2021-06-23: We created the new ICA, CFCA DV OCA, which lacks the EKU extension.
https://crt.sh/?id=6970868811

5) In a case involving certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.

Number of certs: 1
2021-06-23: We created the new ICA, CFCA DV OCA, which lacks the EKU extension.
https://crt.sh/?id=6970868811

6) Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

According to Section 4.9.1.2 of the BRs, the revocation process for intermediate CAs formulated by CFCA is as follows:

  1. Receive or actively find a certificate problem report.
  2. Within one day, CFCA will investigate the certificate problem and confirm whether the reported problem really exists, then reply with the preliminary investigation results to the reporter and report the certificate problem to our auditor.
  3. Within 3 days:
    3.1 Identify all affected certificates and determine the scope and extent of impact.
    3.2 Formulate a treatment plan and time plan.
  4. Contact the affected users within 5 days to inform them of the problem and the solution.
  5. Complete the intermediate CA revocation within 7 days.
  6. Report to Mozilla within 7 days:
    6.1 If it is assessed that the revocation cannot be completed within 7 days, the delayed revocation and the revocation time plan will be reported to Mozilla.
    6.2 If, after evaluation, the revocation can be completed within 7 days, pay attention to the revocation progress and report to Mozilla in a timely manner.

In this event, the new ICA had not started business and had not issued any certificates.
Bi Xinlong was the Primary Contact of CFCA in the CABF before August 2022. From August, Bi Xinlong's job responsibilities changed and he was no longer responsible for the SSL certificate business.

During the work handover, Bi Xinlong failed to complete the certificate revocation in time.
At the same time, only Bi Xinlong was in charge of Bugzilla issue monitoring and response. There was no double-check mechanism in case he missed the response/revocation date.

7) List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

  1. From September 20, 2022, Gaofei and Qiu Dawei are jointly responsible for voting, CCADB updates and incident reports.
  2. We updated the intermediate CA certificate revocation rules and added revocation audit steps. For intermediate CA problems, the reviewer (Li Kairui, likairui@cfca.com.cn) will check the revocation completion on the 5th and 7th days after receipt.
  3. In addition, we also plan to add an automatic reminder function for incorrect certificates after the introduction of zlint. For detected incorrect certificates, we will send email or SMS notifications on the first, third and seventh days respectively, to ensure that incorrect certificates can be revoked within the specified time.

Flags: needinfo?(gaofei)

Flags: needinfo?(bwilson)
Flags: needinfo?(bwilson)
Summary: CFCA:The delay in revocation of ICA → CFCA: The delay in revocation of ICA
Product: NSS → CA Program
Whiteboard: [ca-compliance] [delayed-revocation-ca] → [ca-compliance] [ca-revocation-delay]
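The root cause reported above is an intermediate CA certificate signed without an extendedKeyUsage extension because the ceremony configuration file was wrong, and the remediation is to lint certificates automatically with zlint. The following Python is an added example, not CFCA's code and not zlint's: a minimal, standard-library-only DER walker that pulls the extensions out of a DER certificate and flags a CA certificate (basicConstraints cA=TRUE) that has no EKU extension, which is the pre-issuance check that would have caught CFCA DV OCA at the ceremony. The two certificates it lints are constructed inline by a tiny DER encoder with dummy key and signature bytes (they are not real certificates and carry no valid signature); the OIDs are the standard X.509/PKIX ones, and all function names are the example's own.

```python
# Added example, not CFCA's or zlint's code: flag a CA certificate that carries no EKU.
# Standard library only. A tiny DER encoder builds two *constructed* certificates
# (dummy key and signature bytes, so they are not valid certs); a tiny DER walker
# then pulls out their extensions the way a certificate linter would.

OID_BASIC_CONSTRAINTS, OID_EXT_KEY_USAGE = "2.5.29.19", "2.5.29.37"          # standard X.509 OIDs
OID_SERVER_AUTH, OID_COMMON_NAME = "1.3.6.1.5.5.7.3.1", "2.5.4.3"
OID_SHA256_RSA, OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1"

# ---- minimal DER encoder, only what the constructed certificates need ----
def tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def name(cn: str) -> bytes:             # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return seq(tlv(0x31, seq(encode_oid(OID_COMMON_NAME), tlv(0x0C, cn.encode()))))

def extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    flag = [tlv(0x01, b"\xff")] if critical else []
    return seq(encode_oid(oid), *flag, tlv(0x04, value))

def build_test_ca_cert(with_eku: bool) -> bytes:
    """Constructed v3 CA certificate; with_eku=False reproduces the missing-EKU defect."""
    exts = [extension(OID_BASIC_CONSTRAINTS, seq(tlv(0x01, b"\xff")), critical=True)]  # cA=TRUE
    if with_eku:
        exts.append(extension(OID_EXT_KEY_USAGE, seq(encode_oid(OID_SERVER_AUTH))))
    alg = seq(encode_oid(OID_SHA256_RSA), tlv(0x05, b""))
    dummy_bits = tlv(0x03, b"\x00" * 17)   # placeholder BIT STRING, not a real key or signature
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),     # [0] version v3
        tlv(0x02, b"\x01"), alg,           # serialNumber, signature algorithm
        name("Example Root CA (constructed)"),
        seq(tlv(0x17, b"210623000000Z"), tlv(0x17, b"310623000000Z")),   # validity, UTCTime
        name("Example Sub CA (constructed)"),
        seq(seq(encode_oid(OID_RSA_ENCRYPTION), tlv(0x05, b"")), dummy_bits),  # SPKI
        tlv(0xA3, seq(*exts)),             # [3] extensions
    )
    return seq(tbs, alg, dummy_bits)

# ---- minimal DER walker and the lint itself ----
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the definite-length TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body: bytes) -> list:
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        out.append((tag, inner))
    return out

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def extract_extensions(cert_der: bytes) -> dict:
    """Map extension OID -> DER extnValue content from a DER-encoded certificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)
    _, tbs_body = _children(cert_body)[0]          # tbsCertificate comes first
    exts = {}
    for tag, body in _children(tbs_body):
        if tag == 0xA3:                            # [3] EXPLICIT Extensions
            for _, ext in _children(_children(body)[0][1]):
                parts = _children(ext)             # extnID, [critical], extnValue
                exts[decode_oid(parts[0][1])] = parts[-1][1]
    return exts

def lint_ca_eku(cert_der: bytes) -> list:
    """Findings for the check that caught CFCA DV OCA; an empty list means the cert passes."""
    exts = extract_extensions(cert_der)
    if OID_BASIC_CONSTRAINTS not in exts:
        return []                                  # no basicConstraints: not a CA certificate
    bc = _children(_children(exts[OID_BASIC_CONSTRAINTS])[0][1])     # BasicConstraints SEQUENCE
    is_ca = any(tag == 0x01 and body == b"\xff" for tag, body in bc)  # cA BOOLEAN TRUE (default FALSE)
    if is_ca and OID_EXT_KEY_USAGE not in exts:
        return ["CA certificate (basicConstraints cA=TRUE) has no extendedKeyUsage extension"]
    return []
```

Run `lint_ca_eku(build_test_ca_cert(False))` to see the finding and `lint_ca_eku(build_test_ca_cert(True))` for a clean result; to lint a real certificate, pass its DER bytes (for example the output of `openssl x509 -outform DER`) to `lint_ca_eku` instead of the constructed one. The walker handles only definite-length DER, which is all X.509 permits, and treats an empty BasicConstraints SEQUENCE as cA=FALSE, matching the ASN.1 default.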

No further questions from Chrome.

In the past year, CFCA has improved its work through the following measures:

  1. Arranged for multiple people to be responsible for PKI policy tracking, Bugzilla incident response and handling, CCADB maintenance, etc.;
  2. Formulated and updated relevant management documents;
  3. Used Zlint to automate detection;
  4. Actively promoted ACME automation.

CFCA remains open and transparent, actively faces and solves problems, and will continue to improve its processes and technical means in the future.

This case has been discussed in detail and improvements have been made. There is no new content recently. We apply to close this case, thanks.

I will close this case on or about Friday, 30-June-2023, unless there are issues still to discuss.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED