Closed Bug 1825734 Opened 2 years ago Closed 2 years ago

Asseco DS / Certum: Delayed revocation of SHECA cross certificate

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: aleksandra.kurosz, Assigned: aleksandra.kurosz)

Details

(Whiteboard: [ca-compliance] [ca-revocation-delay] Next update 2023-04-28 )


Steps to reproduce:

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

This is a continuation of bug https://bugzilla.mozilla.org/show_bug.cgi?id=1823040

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

17.03.2023 - bug https://bugzilla.mozilla.org/show_bug.cgi?id=1823040 was created

17.03.2023 - we informed SHECA of the need to revoke this cross certificate

28.03.2023 - we issued a new cross certificate for SHECA

28.03.2023 - we forwarded the certificate to SHECA

28.04.2023 - scheduled revocation of the current cross certificate

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

Certum issues cross-certificates only when they are preceded by a detailed analysis. Certum has already issued a new, correct cross certificate for SHECA.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

The problematic certificate was issued on 21.02.2020.

  5. The complete certificate data for the problematic certificates.

https://crt.sh/?id=2515580578

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The delay in revocation was due to the interests of the end customers who use this cross certificate. There are currently around 2-3k valid certificates, most of them for government departments, the Shanghai Big Data Center, and operators such as China Telecom and China Mobile. These clients can't make the change immediately, due to the large number of affected systems and their change management. Those systems and websites are critical to Shanghai citizens and enterprises, including tax systems, payment systems, travel systems, medical systems, etc. The transition to a new cross certificate requires time to distribute it to SHECA's clients, so the cancellation will take place as soon as possible and no later than April 28, 2023, which is one month after the new certificate was submitted to SHECA.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

Revocation of intermediate certificates, especially cross certificates, is always difficult and delicate due to the number and type of end customers, but we understand the reasons why it must be timed. So far, Certum has stipulated in cross-certification agreements that the partner must act in accordance with CA/B Forum regulations and browser policies, which seemed to be sufficient. As part of corrective actions after this incident, we will change the provision in the contract: we will explicitly state that there are 7 days to revoke the cross certificate, regardless of the reason for the revocation. We will also require partners to inform end customers that if there is any reason for revocation, the time to revoke the certificate will be 7 days.

Assignee: nobody → aleksandra.kurosz
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [ca-revocation-delay]

SHECA issues new certificates to its customers. The revocation will take place by April 28, 2023.

Whiteboard: [ca-compliance] [ca-revocation-delay] → [ca-compliance] [ca-revocation-delay] Next update 2023-04-28

The cross certificate was revoked today, 04/28/2023.

Hi Aleksandra,

As part of corrective actions after this incident, we will change the provision in the contract, we will explicitly state that there are 7 days to revoke the cross certificate, regardless of the reason for the revocation. We will also require partners to inform end customers that if there is any reason for revocation, the time to revoke the certificate will be 7 days.

A few questions:

  1. Is "the contract" in reference to all future contracts related to cross certificates issued by Certum, or just cross certificates issued to SHECA?
  2. Can I interpret the above statement to mean that Certum will begin communicating to subject CAs represented in all future cross certificates that it will revoke certificates within 7 days or that it may revoke certificates within 7 days? If the latter, how would that result in a meaningfully different outcome than what we observe here (i.e., delayed revocation)?
  3. Given the number of existing cross certificates issued by Certum, can you describe how the above snippet helps prevent future delays in revocation related to cross certificates issued in the past?
  4. Can you describe how partners are "required" to inform customers of an impending revocation, and how Certum intends to uphold this commitment?

Thanks,
Ryan

Flags: needinfo?(aleksandra.kurosz)

Hi Ryan,

  1. Is "the contract" in reference to all future contracts related to cross certificates issued by Certum, or just cross certificates issued to SHECA?

All future contracts.

  2. Can I interpret the above statement to mean that Certum will begin communicating to subject CAs represented in all future cross certificates that it will revoke certificates within 7 days or that it may revoke certificates within 7 days? If the latter, how would that result in a meaningfully different outcome than what we observe here (i.e., delayed revocation)?

What we meant here was that we will inform partners directly about the revocation within 7 days if there are circumstances justifying the revocation, and we will strictly enforce this point.

  3. Given the number of existing cross certificates issued by Certum, can you describe how the above snippet helps prevent future delays in revocation related to cross certificates issued in the past?

In our opinion, informing directly about the need to revoke within 7 days will prevent the partner from using arguments about "need time" and "key customers". In the event of such a situation, we will also be able to use this bug as an example. At the same time, we are in contact with our largest partners and are talking about automating the processes of issuing and revoking certificates in the future. We collect data to best respond to their needs while meeting the requirements of the CA/B Forum and browsers.

  4. Can you describe how partners are "required" to inform customers of an impending revocation, and how Certum intends to uphold this commitment?

The commitment is in the contract; we also have the opportunity to view the partner's process and documentation.

Flags: needinfo?(aleksandra.kurosz)

If there are no more questions or comments, can this bug be closed?

I'll close this next Wed. 24-May-2023 unless there are follow-up questions.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED