Closed Bug 1809864 Opened 3 years ago Closed 3 years ago

Google Trust Services: Mis-issued certificates for citi.com subdomain due to lack of CAA record checking

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: mark.penny, Assigned: jklo)

Details

(Whiteboard: [ca-compliance] [dv-misissuance])

Steps to reproduce:

GTS has issued 2 certificates to bt-preview.citicards.citi.com where a CAA record exists for the citi.com domain. The two certificates can be found here: https://crt.sh/?dnsname=citi.com&iCAID=180754&exclude=expired

Both these certificates have now been revoked at Citi's request.

The citi.com CAA record has been in place since 20th May, 2021.

Issuance of these two certificates would appear to be mis-issuance as it violates both the CABF BRs (v1.8.6, Section 3.2.2.8) and GTS's own Certificate Policy (v3.2, Section 3.2.2.8) in relation to CAA record checking.

We would appreciate some feedback from GTS as to what went wrong here.

Hi Mark,

Received. We're looking into this now and will be back with updates.

Kind Regards,

James Longmore
Google Trust Services

(In reply to James Longmore from comment #1)
> Hi Mark,
> 
> Received. We're looking into this now and will be back with updates.
> 
> Kind Regards,
> 
> James Longmore
> Google Trust Services

Thanks James, appreciate it.

Status: UNCONFIRMED → NEW
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [dv-misissuance]
Assignee: nobody → jklo
Status: NEW → ASSIGNED

A quick update on what we've found so far.

Our audit logs indicate that at the time of issuance for both of these certs, the CAA record for the leaf domain bt-preview.citicards.citi.com included pki.goog and another CA as authorized issuers.

Our current assumption is that the records may have been temporarily configured, perhaps by an authorized user in a different department than the reporter, to use GTS as a part of testing or another exercise and then removed.

We're continuing to dig a bit deeper and will come back with a more in-depth response when we have it. Please let us know if your understanding of the issue changes in the meantime.

James

Hi Mark,

We have concluded our investigation. All the evidence we have is complete, consistent, and indicates that the CAA record was in place for the leaf domain bt-preview.citicards.citi.com at the time of issuance. We contacted the Google Cloud managed service that requested the certificates on behalf of your organization and they replied that they do not have any control over customer DNS, which suggests an individual with control of your DNS made the change.

We also checked our implementation of the logic specified in RFC 8659 and are confident that it is correct and the correct RRs were used.

If you would like to perform further troubleshooting or have any questions we’re happy to assist but we would need the domain owner to pull logs from their account.

Mozilla, this request does not seem to align with the incident guidelines. Unless you would like to see a formal incident report for this and future issues we believe this matter may be closed.

For community discoverability, please note that we can be contacted directly concerning such issues using the form available at https://pki.goog/faq/, as specified in section 1.5.2 of our Certification Practice Statement.

Kind Regards,

James Longmore

Google Trust Services
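The RFC 8659 logic referred to in the comment above, as an added worked example (this is not GTS code and does not come from any comment in this bug): the relevant-RRset walk from the requested name toward the root, followed by the issue/issuewild check. The zone snapshots are constructed to model the two states the thread discusses, a leaf CAA RRset naming pki.goog at issuance time and the same zone after that RRset was removed. "pki.goog" is the identifier named in comment #3; "example-ca.test", the record contents and the function names are assumptions.

```python
# Added worked example: RFC 8659 CAA processing over constructed zone data.
# Not GTS code and not taken from this bug. The zone contents, the CA
# identifier "example-ca.test" and the helper names are assumptions.
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag bit (RFC 8659 section 4.1)


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone snapshots (assumption: not Citi's real DNS). "pki.goog"
# is the GTS identifier named in comment #3; "example-ca.test" stands in for
# the other authorized CA mentioned there.
ZONE_AT_ISSUANCE = {
    "citi.com": [CAA(0, "issue", "example-ca.test")],
    "bt-preview.citicards.citi.com": [
        CAA(0, "issue", "pki.goog"),
        CAA(0, "issue", "example-ca.test"),
    ],
}
# The same zone after the leaf CAA RRset has been removed again.
ZONE_AFTER_REMOVAL = {"citi.com": ZONE_AT_ISSUANCE["citi.com"]}


def relevant_rrset(name, zone):
    """RFC 8659 section 3: the relevant RRset is the CAA RRset of the closest
    name, starting at the FQDN itself, that has one. Returns (owner, rrset).
    Simplification: alias (CNAME/DNAME) following is omitted here."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = zone.get(owner)
        if rrset:
            return owner, list(rrset)
    return None, []


def parse_issue_value(value):
    """Split an issue/issuewild value into (issuer-domain-name, parameters).
    An empty issuer-domain-name (e.g. ";") authorizes no CA at all."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            params[key.strip()] = val.strip()
    return parts[0].lower(), params


def caa_permits(ca_id, name, zone):
    """Decide whether CAA lets ca_id issue for name. Returns (bool, reason).
    A leading "*." marks a wildcard request; the lookup then starts at the
    parent name, as RFC 8659 section 3 specifies."""
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    owner, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA RRset from the FQDN up to the root; CAA imposes no restriction"
    for rr in rrset:
        if rr.tag.lower() not in KNOWN_TAGS and rr.flags & CRITICAL:
            return False, f"unknown critical property {rr.tag!r} at {owner}"
    # issuewild, when present, replaces issue for wildcard requests (section 4.3)
    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrset):
        tag = "issuewild"
    props = [rr for rr in rrset if rr.tag.lower() == tag]
    if not props:
        return True, f"RRset at {owner} has no {tag} property; issuance not restricted by CAA"
    for rr in props:
        issuer, _ = parse_issue_value(rr.value)
        if issuer and issuer == ca_id.lower():
            return True, f"{tag} record at {owner} authorizes {ca_id}"
    return False, f"{tag} records at {owner} do not name {ca_id}"


if __name__ == "__main__":
    leaf = "bt-preview.citicards.citi.com"
    print("at issuance:   ", caa_permits("pki.goog", leaf, ZONE_AT_ISSUANCE))
    print("after removal: ", caa_permits("pki.goog", leaf, ZONE_AFTER_REMOVAL))
```

With the leaf RRset present, pki.goog is authorized for bt-preview.citicards.citi.com even though the citi.com RRset never names it; once the leaf RRset is gone, the walk falls back to citi.com and the same request is refused. A dig run after the removal shows only the citi.com record, which is why a CA's point-in-time CAA lookup logs, rather than a later DNS query, are the evidence that settles this kind of question.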

Google Trust Services is monitoring this bug for comments or questions. Since there have not been any comments for some time and there is no evidence of this being a problem related to the performed issuance validations, GTS believes this bug should be closed out as invalid.

I will close this as "Invalid" on or about next Wed. 25-Jan-2023, unless someone can bring forward anything to contradict Comment #4.

Flags: needinfo?(bwilson)

James,

Thank you for your analysis.

We now consider the matter closed. Ben, please close this as planned.

Regards

Mark Penny.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bwilson)
Resolution: --- → INVALID
Summary: Google Trust Services (GTS): Mis-issued certificates for citi.com subdomain due to lack of CAA record checking → Google Trust Services: Mis-issued certificates for citi.com subdomain due to lack of CAA record checking