Closed Bug 1794047 Opened 2 years ago Closed 2 years ago

IdenTrust: Missing Revocation Reasons in CRL

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: roots, Assigned: roots)

Details

(Whiteboard: [ca-compliance] [crl-failure])

Steps to reproduce:

On 10/4/2022 we discovered at least one CRL with missing revocation reasons for all listed revoked certificates which is a violation of the Mozilla Root Store Policy Section 6.1.1 and IdenTrust CPS Section 4.9.3. We can confirm that current CRLs are correct and have revocation reasons listed. We are still investigating the root cause but the initial indications are the CRL with missing revocation reasons is resulting from software change control that took place on 10/1/2022.

We will be providing a formal Incident report on or before 10/14/2022.

Assignee: bwilson → roots
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance]

Full incident Report:

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

During a routine quality check, we discovered that a CRL created on 10/2/2022 for the “HydrantID Server CA O1” ICA was missing the revocation reasons.

The lack of revocation reasons is a violation of IdenTrust CPS Section 4.9.3:
Reason codes are included in the CRLs issued by IdenTrust, including the reason code of Revocation because of Private Key compromise.
And the Mozilla Root Store Policy v2.8, effective October 1st., 2022 – section 6.1.1
When an end entity TLS certificate (i.e. a certificate capable of being used for TLS-enabled servers) is revoked for one of the reasons below, the specified CRLReason MUST be included in the reasonCode extension of the CRL entry corresponding to the end entity TLS certificate

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
    2022-10-01 17:30 MST: IdenTrust deployed the release to update revocation reason codes for Mozilla Root Store Policy v2.8 compliance.
    2022-10-02 22:40 MST: During a routine quality check we suspected that some CRLs were not generated properly.
    2022-10-03 11:15 MST: While investigating, we discovered that a database update during the weekend change control did not execute as expected.
    2022-10-03 14:00 MST: We remediated the issue by correctly executing the database update.
    2022-10-04 17:30 MST: We confirmed that the “HydrantID Server CA O1” ICA CRL generated on 10/2/2022 was missing the revocation reasons.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
    Not applicable

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
    Not applicable

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
    Not applicable

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
    The database update during the scheduled change control on 2022/10/01 failed to execute correctly.
    The failure was not detected as part of the change control sanity checks.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
    For future change controls, we have added a step to validate the presence of revocation reasons on CRLs.

We have no additional items for this issue.

Flags: needinfo?(bwilson)
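The post-change validation IdenTrust describes in its remediation item is a structural check on the CRL itself: each entry in revokedCertificates must carry the reasonCode CRL entry extension (id-ce-cRLReasons, OID 2.5.29.21), which is the field Mozilla Root Store Policy section 6.1.1 requires for the listed reasons. The script below is an added example written for this page; it is not IdenTrust's code and is not attached to this bug. It uses no third-party modules: a few DER helpers build a constructed, unsigned sample CRL (placeholder signature bits, issuer name "Example Issuing CA"), and the reader side walks the RFC 5280 CertificateList layout and reports every revoked serial whose entry lacks a reasonCode. The function names (build_crl, revoked_entries, entries_missing_reason) are the example's own. A real pipeline would verify the CRL signature before trusting any of the entries; this check deliberately runs on the structure only.

```python
"""Structural CRL check: does every revokedCertificates entry carry the
reasonCode CRL entry extension (id-ce-cRLReasons, OID 2.5.29.21)?

Added example, not IdenTrust's code. Pure Python, no third-party modules.
Assumes the RFC 5280 CertificateList layout with single-byte DER tags. The
CRL signature is NOT verified here; verify it first in a real pipeline.
"""

CRL_REASON_OID = bytes.fromhex("551d15")              # 2.5.29.21 (reasonCode)
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
CN_OID = bytes.fromhex("550403")                      # 2.5.4.3 (commonName)

REASON_NAMES = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
                3: "affiliationChanged", 4: "superseded",
                5: "cessationOfOperation", 6: "certificateHold",
                8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}


# ---- minimal DER encoder, only what is needed to build the sample CRL ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(n):
    # Non-negative INTEGER; the extra leading zero keeps the sign bit clear.
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def build_crl(entries, this_update=b"221002000000Z", next_update=b"221009000000Z"):
    """Constructed sample CRL. entries: [(serial, reason_code or None)].
    The signature BIT STRING is an all-zero placeholder (the CRL is unsigned)."""
    sig_alg = tlv(0x30, tlv(0x06, SHA256_RSA_OID) + tlv(0x05, b""))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID)
                                         + tlv(0x0C, b"Example Issuing CA"))))
    revoked = b""
    for serial, reason in entries:
        entry = der_int(serial) + tlv(0x17, this_update)          # serial, revocationDate
        if reason is not None:                                     # crlEntryExtensions
            ext = tlv(0x30, tlv(0x06, CRL_REASON_OID)
                      + tlv(0x04, tlv(0x0A, bytes([reason]))))    # OCTET STRING{ENUMERATED}
            entry += tlv(0x30, ext)
        revoked += tlv(0x30, entry)
    tbs = (der_int(1) + sig_alg + issuer + tlv(0x17, this_update)  # version v2 is INTEGER 1
           + tlv(0x17, next_update) + tlv(0x30, revoked))
    return tlv(0x30, tlv(0x30, tbs) + sig_alg + tlv(0x03, b"\x00" * 33))


# ---- minimal DER reader ----
def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def revoked_entries(crl_der):
    """[(serial, reason_code or None), ...] from a DER CertificateList."""
    outer = children(read_tlv(crl_der)[1])             # tbsCertList, signatureAlgorithm, signature
    if len(outer) != 3 or outer[0][0] != 0x30:
        raise ValueError("not a CertificateList")
    fields = children(outer[0][1])                     # TBSCertList
    # [version] signature issuer thisUpdate [nextUpdate] [revokedCertificates] [[0] crlExtensions]
    i = 1 if fields[0][0] == 0x02 else 0
    i += 2                                             # skip signature and issuer
    while i < len(fields) and fields[i][0] in (0x17, 0x18):   # UTCTime / GeneralizedTime
        i += 1
    if i >= len(fields) or fields[i][0] != 0x30:
        return []                                      # no revokedCertificates: nothing revoked
    result = []
    for _, entry in children(fields[i][1]):
        parts = children(entry)                        # serial, revocationDate, [crlEntryExtensions]
        serial = int.from_bytes(parts[0][1], "big", signed=True)
        reason = None
        if len(parts) > 2 and parts[2][0] == 0x30:
            for _, ext in children(parts[2][1]):
                ext_parts = children(ext)              # extnID, [critical], extnValue
                if ext_parts[0][1] == CRL_REASON_OID:
                    enum = read_tlv(ext_parts[-1][1])  # extnValue OCTET STRING wraps ENUMERATED
                    reason = int.from_bytes(enum[1], "big")
        result.append((serial, reason))
    return result


def entries_missing_reason(crl_der):
    """Serials whose CRL entry has no reasonCode: the failure reported in this bug."""
    return [serial for serial, reason in revoked_entries(crl_der) if reason is None]


if __name__ == "__main__":
    # Constructed sample: two entries with a reason, one without.
    crl = build_crl([(0x1001, 1), (0x1002, None), (0x1003, 4)])
    for serial, reason in revoked_entries(crl):
        print(hex(serial), "MISSING" if reason is None else REASON_NAMES.get(reason, reason))
    print("entries missing reasonCode:", [hex(s) for s in entries_missing_reason(crl)])
```

Run against a CRL fetched from the distribution point, the check is simply "entries_missing_reason(der) must be empty"; a non-empty result on a freshly published CRL is the condition that went unnoticed for two days here. The reader deliberately tolerates an absent version field, GeneralizedTime dates, and a missing nextUpdate so that it can be pointed at CRLs from different issuers without modification.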

I'll close this on or about next Wed. 2-Nov-2022.

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Summary: IdenTrust - Missing Revocation Reasons in CRL → IdenTrust: Missing Revocation Reasons in CRL
Whiteboard: [ca-compliance] → [ca-compliance] [crl-failure]