1814197 - DigiCert: Late CP/CPS CCADB uploads

Status: RESOLVED FIXED

(CA Program :: CA Certificate Compliance, task)

Description

[Martin Sullivan]

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in the MDSP mailing list, a Bugzilla bug, or internal self-audit), and the time and date.

During a review of CCADB, Digicert noticed that Apple and Microsoft had updated their CPS (November 15, 2022 and November 18,2022, respectively.) Under Section 2 of the Chrome policy, we have not updated the CCADB records within 30 days of a CPS change, as expected.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

Jan 10 - DigiCert notices and updates 22 Subordinate CAs operated externally by Apple and Microsoft but signed by DigiCert roots with outdated CP/CPS documents in CCADB.
Jan 10 - QuoVadis was notified of 6 Subordinate CAs operated under DigiCert with the same issue.
Jan 10 – DigiCert sends Chrome a Policy violation notice.
Jan 11 - QuoVadis updates the 6 Subordinate CAs.
Jan 11 - DigiCert submits a Certificate Problem Report to Sectigo to provide them with a report of 4 of their Subordinate CAs operated under Apple with the same issue.

3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.

We have notified all our sub CA parties that we require notice in advance of their CPS changes so we can update CCADB on a timely basis.

4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.

Please see response to 5 below

5. In a case involving TLS server certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. It is also recommended that you use this form in your list "https://crt.sh/?sha256=[sha256-hash]", unless circumstances dictate otherwise. When the incident being reported involves an SMIME certificate, if disclosure of personally identifiable information in the certificate may be contrary to applicable law, please provide at least the certificate serial number and SHA256 hash of the certificate. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.

Microsoft Azure TLS Issuing CA 01 https://crt.sh/?sha256=24C7299864E0A2A6964F551C0E8DF2461532FA8C48E4DBBB6080716691F190E5
Microsoft Azure TLS Issuing CA 02 https://crt.sh/?sha256=15A98761EBE011554DA3A46D206B0812CB2EB69AE87AAA11A6DD4CB84ED5142A
Microsoft Azure TLS Issuing CA 05 https://crt.sh/?sha256=D6831BA43607F5AC19778D627531562AF55145F191CAB5EFAFA0E0005442B302
Microsoft Azure TLS Issuing CA 06 https://crt.sh/?sha256=48FF8B494668C752304B48BFE818758987DEF6582E5F09B921F4B60BB3D6A8DD
Microsoft Azure ECC TLS Issuing CA 01 https://crt.sh/?sha256=949D6B4B761CA134AD3E7A8571186F580EE887F2C6B568B5140F4157F98D68DD
Microsoft Azure ECC TLS Issuing CA 02 https://crt.sh/?sha256=9C64A9A43E990E98FBCE8317B2D4C1C07FFE6E032DA8BB6D60A696E2FF038F1F
Microsoft Azure ECC TLS Issuing CA 05 https://crt.sh/?sha256=003F71DC4820216575FC5AACFE3B1AEB76F72AEA5B8E8FCEFC80B9F517A4A612
Microsoft Azure ECC TLS Issuing CA 06 https://crt.sh/?sha256=2975BAB51D00D862D0E16EEDEF8306A759C65CD4B9F00DAF50ECDFCB4EC396E4
Microsoft RSA TLS CA 01 https://crt.sh/?sha256=04EEEA8E50B4775B3C24797262917EE50002EC4C75B56CDF3EE1C18CFCA5BA52
Microsoft RSA TLS CA 02 https://crt.sh/?sha256=05E4005DB0C382F3BD66B47729E9011577601BF6F7B287E9A52CED710D258346
Apple IST CA 2 - G1 https://crt.sh/?sha256=C9B06CC083186220618E61A8772640F824DF69D561AD56BDC15AD56D0CE08608
Apple IST CA 8 - G1 https://crt.sh/?sha256=5C29DBEA9B7CC8B02418F28C1C8736DFDF170665D098EF681D903BE76987D249
Apple Public EV Server ECC CA 1 - G1 https://crt.sh/?sha256=2585928D2C5BFD952E025BD12E27C6776224CF752EC362D3031CDD49351844D4
Apple Public EV Server RSA CA 1 - G1 https://crt.sh/?sha256=340CA5BA402D140B65A2C976E7AE8128A1505C29D190E0E034F59CCAE7A92BC2
Apple Public EV Server RSA CA 2 - G1 https://crt.sh/?sha256=D6EF3E09EBE0D9370E51F5C09A532B3AC70D3CE822253F9FC84C28E9BFA550D5
Apple Public EV Server RSA CA 3 - G1 https://crt.sh/?sha256=E881D3B83C3BC694D7D99F92DE83B2BFF5C6EE2D9871A446DEA107D6397565FC
Apple Public Server ECC CA 2 - G1 https://crt.sh/?sha256=DA8546816D891C1241E9387DE436D1B9F7EA70DBA1EB3D25F58271CE816A7ABC
Apple Public Server RSA CA 2 - G1 https://crt.sh/?sha256=F518F0BB716521F0A26FDB40C304FF9B82FBDBE7ACBD46BF0EF23A180188EB5C
Apple Public Server ECC CA 1 – G1 https://crt.sh/?sha256=2AF988F26F6EF0DAB9055697F0941FB4E5C42247CA982826895EF29985D30CD6
Apple Public Server RSA CA 1 – G1 https://crt.sh/?sha256=392583543B93B10E0506DE75D69399FCBBC1469C8DE396066C756088B92241DA
Apple IST CA 8 – G1 https://crt.sh/?sha256=8711EE539E74213F5F412EB4A18A98C3B58DA620B4D43E75B0542AFC39FC6033
Apple IST CA 8 – G1 https://crt.sh/?sha256=9218BAB94E7D5D1F81D62D0FC23E31C8BBCBEE3545D1D7E9D3FD29B30BC188C8
DigiCert QV TLS ICA G1 https://crt.sh/?sha256=93E33AF7DA3030530D090C9C55762CADE7EAE943F834349D1057A90EB67F306B
DigiCert QV EV TLS ICA G1 https://crt.sh/?sha256=6A7B2AA3414039A663D5D8BBAB8256A3979A84C332BF5E1EE8F6D0E0ADA84668
DigiCert QuoVadis TLS ICA QuoVadis Root CA 2 https://crt.sh/?sha256=673E8FEEB1168277D0153111D20ED38E9DA51F440BE7FD50B218540937741A48
DigiCert QuoVadis TLS ICA QV Root CA 1 G3 https://crt.sh/?sha256=C42A4D8C0904BB211906F43B441BBBC9B5A003BA3611879FD34AE576F7C2F764
DigiCert QuoVadis TLS ICA QV Root CA 3 https://crt.sh/?sha256=D8CC89C6AA6B7452881907927C81E66DA01A7598CF7674E4E2E133F16546D5F0
DigiCert QuoVadis TLS ICA QV Root CA 3 G3 https://crt.sh/?sha256=728E4BD2B399840E9D437AF975B0198910B4129B7AB708CB5C0B445D3B04D999o

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

We have not implemented an agreed upon notification protocol with our SubCA entities who operate ICAs under our Roots. They produce their own CPS which we upload updates on their behalf in CCADB.

7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied by a binding timeline of when your CA expects to accomplish each of these remediation steps.

DigiCert is implementing a notification process with our SubCA entities to ensure we are notified of their CPS changes and can update CCADB within the 30 day window. Digicert has also implemented a notification process to other CAs where we operate ICAs under their roots. These processes are effective immediately.

Comment 1

[Brenda Bernal]

The notification process from our externally operated subCAs on their CP/CPS has been put in place.

Comment 2

[Martin Sullivan]

If there are no other questions can we close this off?

Comment 3

[Ben Wilson]

I'll close this on or about next Monday, 13-Feb-2023, unless there are any issues or questions to discuss.