Closed Bug 1829195 Opened 2 years ago Closed 2 years ago

GlobalSign: CRLs reported in CCADB unavailable

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: christophe.bonjean, Assigned: christophe.bonjean)

Details

(Whiteboard: [ca-compliance] [disclosure-failure])

Steps to reproduce:

GlobalSign was informed by an email to Mozilla Dev Security on 19/04/2023 at 17:28 UTC about CRLs reported in CCADB that were not available. We confirmed that 6 reported CRLs were not available, of which 5 are related to expired CAs. The 1 incorrect CRL URL has been updated in CCADB. We will post a full incident report latest by April 24 2023.

Assignee: nobody → christophe.bonjean
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [disclosure-failure]

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

GlobalSign was informed by an email to Mozilla Dev Security on 19/04/2023 at 17:28 UTC (All times in this report are in UTC) about 3 CRLs reported in CCADB that were not available. The Compliance team started the investigation at 18:26 and confirmed that 6 CRLs were unavailable.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

DD/MM/YYYY - Time in UTC Description
Week of 04/08/2020 Setup of DPDHL User CA I5 including CRL/OCSP and CA certificate publication
Month of 10/2021 Added CRL details to CCADB for 392 CAs
19/04/2023 - 17:28 Email to Mozilla Dev Security reporting CRL issues.
19/04/2023 - 18:26 Start of investigation by compliance team.
19/04/2023 - 18:28 Acknowledged / confirmed issue.
20/04/2023 - 05:31 Updated CCADB for the affected DHL CA.
20/04/2023 - 07:38 Started review of all CRLs reported in CCADB.
20/04/2023 - 08:07 Completed review of reported CRLs. Confirmed 6 CRLs are returning 404 out of which 5 are expired CAs.

3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.

For the 6 CRLs that return a 404, 1 URL was incorrectly reported in CCADB and 5 are CRLs for expired CAs. For the incorrectly reported URL, we confirmed that the correct URL was included in the leaf certificates and the issue was isolated to the value populated in CCADB.

4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.

Incorrect URL reported:

CA Link
DPDHL User CA I5 https://crt.sh/?id=3196979876

Expired:

CA Link
GlobalSign Atlas ECCR5 DV TLS CA 2020-12 https://crt.sh/?id=3765050294
GlobalSign Atlas ECCR5 OV TLS CA 2020-12 https://crt.sh/?id=3765050299
GlobalSign Atlas R3 DV TLS CA 2020-12 https://crt.sh/?id=3765050292
GlobalSign Atlas R3 OV TLS CA 2020-12 https://crt.sh/?id=3765050298
GlobalSign Atlas R6 AATL CA 2020 https://crt.sh/?id=3765050293

5. In a case involving certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.

See #4.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

For the CRL URL that was reported incorrectly:

The CA "DPDHL User CA I5" was created as a replacement for "DPDHL User CA I4" due to the OCSP Delegated Responder Certificate incident (https://bugzilla.mozilla.org/show_bug.cgi?id=1649937). In setting up a CA, a shortname is defined and used for the publication of the CA certificate and CRL publishing. The expected shortname for this CA is "dpdhlusercai5". The CA certificate file location actually follows this convention, but the CRLs are published as "dhlusercai5.crl", note the missing prefix of "dp".

When populating the Full CRL Issued By This CA fields in CCADB, the shortname convention was followed and "dpdhlusercai5.crl" was reported. The process of reporting CRLs to CCADB requires the operator to confirm availability of the CRL. In this instance, the operator noticed that some URLs were not available but incorrectly assumed this was due to the CAs still being prepared and planned to provide an overview of the URLs, however missed to complete the overview. Since the correct URL was included in the leaf certificates, and no changes had been made to this issuer that would require a review, the issue remained undetected until now.

For the expired CAs:

GlobalSign stopped publishing CRLs for the expired CAs, since we were and are not aware of a requirement to keep publishing CRLs for TLS or SMIME CAs that have expired. We populated the "Full CRL Issued By This CA" fields of CCADB with the CRL paths published during the lifetime of the CAs, but did not remove or change the field after the CAs expired as there were no indications this was required.

7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

We reviewed all CRL issuer locations reported in CCADB for availability and observed in total 6 CRLs that are unavailable.

For the CA "DPDHL User CA I5", the incorrect URL has been updated with the correct CRL distribution point on 20/04/2023 at 05:31. We are implementing daily monitoring to verify the availability of CRLs reported to CCADB. This monitoring is planned for deployment by 05/05/2023.

For the 5 expired CAs, we are following the discussions on the CCADB and Mozilla Dev Security mailing lists for the recommended practice on reporting CRLs for expired CAs.

Daily monitoring to verify availability of CRLs reported in CCADB has been successfully deployed. We will keep monitoring the discussions for the recommended practice of reporting CRLs for expired CAs. Unless there are any further questions we believe this issue can be closed.

I intend to close this on or about next Wed. 3-May-2023, unless there are other issues or items to discuss.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.