Closed Bug 1832342 Opened 1 year ago Closed 7 months ago

Firmaprofesional: 2023 - documentary inconsistency

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mprieto, Assigned: bwilson)

Details

(Whiteboard: [ca-compliance] [audit-finding])

Attachments

(2 files)

Steps to reproduce:

The audit team has analyzed the different certificates issued by the TSP and the definitions of these in its certificate profiles document (hereinafter, the Document).
However, despite the fact that both the issued certificates and the defined profiles conform to the ETSI requirements, the following internal inconsistencies have been found between the certificates and the certificate profiles document:

  • In the OCSP ICA A01 QWAC 2022 certificates, OCSP ICA B01 Q 2022 and OCSP ICA B02 QTSA 2022: The “Common Name” attribute of the extension “Distinguished Name (DN)” does not appear as a URL in the certificate, even though it is defined as a URL in the Document. The extension “Key Usage” indicates in the “Non Repudiation” and “Digital signature”, even though it is defined as “digitalSignature” and “cRLSignature” in the Document. The “Certificate Policies” extension in the certificate contains the attributes “policyIdentifier” and “userNotice” with different values from those defined in the Document. The certificates do not include the QCStatements defined in the Document.
  • In Intermediate CA A01 QWAC certificates, Intermediate CA B01 QUALIFIED CERTS and Intermediate CA B02 TSA QUALIFIED: The extension “Distinguished Name (DN)” does not include the OU field defined in the Document. The “Certificate Policies” extension in the certificate contains the attributes with values different from those defined in the Document. The certificates do not include the "CPSURI" field inside the “Certificate Policies” extension as defined in the Document. The “Extended Key Usage” extension of the certificate is not defined in the Document. (Only applies to A01 and B02).
  • In Website Authentication certificates (QCP-w): Certificates contain two urls in the “CRL Distribution Points” extension, when in the Document only one appears in the case of SSL web server certificates.
  • In Civil Servant certificates (QCP-n): In the “Subject Alternative Name” certificates extension do not appear all attributes defined in the Document.

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
It is a finding identified during the annual eIDAS/ETSI audit being carried out these days.
On 2023-05-08 (CEST):
17:00: During the annual eIDAS audit, this finding was notified by the auditors.

Actual results:

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
On 2023-05-09 (CEST):

  • 9:00: Firmaprofesional analyzed the finding and the root cause of the problem.
  • During the day, documentary inconsistencies are corrected in the Certificate Profiles Document.
  • In anticipation of the mandatory nature of the new version of the Baseline Requirement 2.0.0 on the new OCSP requirements, Firmaprofesional's new OCSP profile is updated and adapted to the new BR.
  • The new OCSP profile is issued in Test and its correct adaptation to Firmaprofesional’s Certificate Profile Document is verified.

On 2023-05-10 (CEST):

  • The new Certificate Profiles Document is approved by the Management.
  • The new Certificate Profiles Document is published on Firmaprofesional’s website. https://www.firmaprofesional.com/wp-content/uploads/pdfs/FP_Perfiles_Certificados-230510-EN-sFP.pdf

Expected results:

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
Does not apply.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
Does not apply.
5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
Does not apply.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
Since the profiles document was historically written, certificate profiles have undergone minor modifications in accordance with the requirements of international standards and browser policies. However, in the last update of profiles, it was forgotten to carry out the update of said document.
7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

  • Analyze the problem (Done).
  • Correct the documentary inconsistencies identified in the presentation of the finding and publish a new Certificate Profiles Document (Done)
  • Taking advantage of the Certificate Profiles Document review, the new Baseline Requirement 2.0.0 is analyzed and we proceed to modify the OCSP certificate profile to make them conform to it, although this policy does not become mandatory until September. The new OCSP profile is made much smaller than the current one, as it is a concern of browsers. (Done)
  • Issue OCSP certificates in Test and verify their correct issuance. (Done)
  • Issue OCSP certificates in Production and replace the old ones. (Pending: weeks of May 15 and 22).
Assignee: nobody → mprieto
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance]

Request for clarification "A":

  1. Can you confirm this is intended to be an Audit Incident Report resulting from the Firmaprofesional S.A. non-conformities in the most recent ETSI Audit (Reference: 2302_FPR_FR)?
  2. If so, can you please address the other non-conformity identified during the audit (i.e., 7.10 Collection of evidence) using the Audit Incident Report format?

Request for clarification "B":

Since the profiles document was historically written, certificate profiles have undergone minor modifications in accordance with the requirements of international standards and browser policies. However, in the last update of profiles, it was forgotten to carry out the update of said document.

  1. Can you elaborate on the root cause(s) for the issues presented in this incident? (i.e., What specific process(es) failed and why?)
  2. Subsequently, can you provide additional resolution step(s) that address the root cause(s) of the issue, rather than the issue itself?

Request for clarification "C":

We interpret Comment 0 to describe that the following certificates were issued in violation of the applicable Certificate Profiles document at the time of their issuance:

  • OCSP ICA A01 QWAC 2022
  • OCSP ICA B01 Q 2022
  • OCSP ICA B02 QTSA 2022
  • Intermediate CA A01 QWAC
  • Intermediate CA B01 QUALIFIED CERTS
  • Intermediate CA B02 TSA QUALIFIED
  • [an undisclosed set of website authentication certificates]
  • [an undisclosed set of civil servant certificates]
  1. Can you explain why these certificates are not referenced in Questions 4 and 5? (“A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued. and The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.”)

It is difficult to understand which root CA these certificates validate to based on the above names (e.g., the above list references "Intermediate CA A01 QWAC", yet we see "FIRMAPROFESIONAL ICA A01 QWAC 2022" disclosed to CCADB).


Request for clarification "D":

The [assumed] applicable Firmaprofesional Certificate Policy in effect at the time of this incident describes that certificate profiles are detailed in the “Profiles of Firmaprofesional Certificates” document. Comment 0 describes a list of certificates issued that did not conform to the profiles document in effect at the time of issuance.

  1. Can you help us understand why Firmaprofesional did not consider the mis-issuance of certificates an incident, requiring a separate incident report?

Request for clarification "E":

Section 4.9.1.1 (“Reasons for Revoking a Subscriber Certificate”) of the Baseline Requirements indicates that a CA MUST revoke a subscriber certificate within 5 days if “The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement (CRLReason #4, superseded).” Section 4.9.1.2 (“Reasons for Revoking a Subordinate CA Certificate”) indicates that a CA must revoke a CA certificate within 7 days if “The Issuing CA is made aware that the Certificate was not issued in accordance with or that Subordinate CA has not complied with this document or the applicable Certificate Policy or Certification Practice Statement.”

  1. Can you help us understand how Firmaprofesional determined the above requirements do not apply to the circumstances described in Comment 0?
Flags: needinfo?(mprieto)

Dear Ryan,
We try to answer all your questions:

Request for clarification "A":
Can you confirm this is intended to be an Audit Incident Report resulting from the Firmaprofesional S.A. non-conformities in the most recent ETSI Audit (Reference: 2302_FPR_FR)?

Yes, it is.

If so, can you please address the other non-conformity identified during the audit (i.e., 7.10 Collection of evidence) using the Audit Incident Report format?

This is the bug and it was closed. https://bugzilla.mozilla.org/show_bug.cgi?id=1832338

Request for clarification "B":
Can you elaborate on the root cause(s) for the issues presented in this incident? (i.e., What specific process(es) failed and why?)
Subsequently, can you provide additional resolution step(s) that address the root cause(s) of the issue, rather than the issue itself?

Firmaprofesional has an internal technical instruction that establishes the steps for modifying profiles.

The basis of this document is that you begin to work with the existing profiles and then all the technical standards are analyzed to verify that the new profile or certificates conform to the current modifications. The process of creating CAs and SubCAs is a long process, it took us more than 6 months to define them, going on to analyze all the browser policies, the Baseline requirements, the EV Guidelines and the ETSIs. During the process, there have been several modifications to these international technical standards, which have forced a reanalysis of all documentation and changes.

The certificates were finally issued, but we forgot to update our internal document with the latest changes made.

That is why in the internal technical instruction we have incorporated an improvement in section 6 (see image 1), in which special emphasis is placed on the root cause of this incident. A last more explicit step is added, which is: review the new profile certificates issued in production with the profile document, more specifically:

The exact compliance field by field of the Profile defined in the Profiles document published in Firmaprofesional must be verified with a certificate issued in Production and confirm in EJBCA that the extensions are marked as critical or optional depending on what is defined in the document.

Request for clarification "C":
We interpret Comment 0 to describe that the following certificates were issued in violation of the applicable Certificate Profiles document at the time of their issuance:
OCSP ICA A01 QWAC 2022
OCSP ICA B01 Q 2022
OCSP ICA B02 QTSA 2022
Intermediate CA A01 QWAC
Intermediate CA B01 QUALIFIED CERTS
Intermediate CA B02 TSA QUALIFIED
[an undisclosed set of website authentication certificates]
[an undisclosed set of civil servant certificates]
Can you explain why these certificates are not referenced in Questions 4 and 5? (“A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued. and The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.”)
It is difficult to understand which root CA these certificates validate to based on the above names (e.g., the above list references "Intermediate CA A01 QWAC", yet we see "FIRMAPROFESIONAL ICA A01 QWAC 2022" disclosed to CCADB).

Regarding the SSL certificates, there are no affected SSL certificates because the two URLs that appear in the certificate redirect to the url that appears in the profile document. Therefore, the certificate is behaving according to the mechanics that is said in the field. However, we decided to improve the profiles document to anonymise, since we already had those urls in other profiles and so that there would be no possibility of confusion in the profile.

Regarding civil servant certificates, there is no affected certificate either, because although in the Subject alternative name section it did not appear clearly which fields were optional, that precision already appeared as a cross reference in section 2.8.1 of the certificate profile. The document has been improved but the certificates are issued correctly. (See image 2)

Regarding the SubCAs, as explained in the incident, they are correctly issued in accordance with all BR standards, EV Guidelines, browser policies, ETSI. But we attach as requested the list of certificates:

Request for clarification "D":
The [assumed] applicable Firmaprofesional Certificate Policy in effect at the time of this incident describes that certificate profiles are detailed in the “Profiles of Firmaprofesional Certificates” document. Comment 0 describes a list of certificates issued that did not conform to the profiles document in effect at the time of issuance.
Can you help us understand why Firmaprofesional did not consider the mis-issuance of certificates an incident, requiring a separate incident report?

As explained in the previous point, there are no certificates issued incorrectly, there is a documentary error as specified in the title of the incident report itself, for this reason we have not considered that a separate incident report should be opened.

Request for clarification "E":
Section 4.9.1.1 (“Reasons for Revoking a Subscriber Certificate”) of the Baseline Requirements indicates that a CA MUST revoke a subscriber certificate within 5 days if “The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement (CRLReason #4, superseded).” Section 4.9.1.2 (“Reasons for Revoking a Subordinate CA Certificate”) indicates that a CA must revoke a CA certificate within 7 days if “The Issuing CA is made aware that the Certificate was not issued in accordance with or that Subordinate CA has not complied with this document or the applicable Certificate Policy or Certification Practice Statement.”
Can you help us understand how Firmaprofesional determined the above requirements do not apply to the circumstances described in Comment 0?

As we have explained throughout the previous answers, the issued certificates are correctly issued in accordance with international standards, the error is only documentary. It would not make any sense to revoke the certificates to reissue them identical and reusing the same keys.

In the case of OCSPs, we have taken advantage of the incident to issue new OCSP certificates in accordance with the new Baseline Requirements 2.0.0 policy (https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf), which establishes new requirements and we have found it most appropriate to create them already in accordance with said policy and take advantage of the modification of the profiles document, incorporating the new technical requirements that will come into force in September 2023.

If we had considered that the document was correct and therefore the certificates were incorrectly issued, then we would have proceeded to immediately revoke the certificates. But the error is documentary, that's why we have corrected the error, which is the document.

Flags: needinfo?(mprieto) → needinfo?(ryandickson)
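
The field-by-field review described in the reply above (a production certificate checked against the published profile, including the critical flag of each extension) can be automated along these lines. This is an added example, not part of the bug thread and not Firmaprofesional's tooling; the profile layout, the decoded-certificate layout, and every value in the sample data are assumptions constructed for illustration.

```python
# Constructed sample data: neither the profile nor the certificate is real.
PROFILE = {
    "subject": ["C", "O", "OU", "CN"],          # attribute types the profile defines
    "extensions": {
        "keyUsage": {"critical": True, "values": ["digitalSignature", "cRLSign"]},
        "certificatePolicies": {"critical": False, "values": ["2.999.1.1"]},
        "cRLDistributionPoints": {"critical": False,
                                  "values": ["http://crl.example/ca.crl"]},
    },
}
CERT = {  # fields as an X.509 parser would hand them over (assumed layout)
    "subject": {"C": "ES", "O": "Example TSP", "CN": "Example ICA"},
    "extensions": {
        "keyUsage": {"critical": True, "values": ["digitalSignature", "nonRepudiation"]},
        "certificatePolicies": {"critical": False, "values": ["2.999.1.1"]},
        "cRLDistributionPoints": {"critical": False,
                                  "values": ["http://crl.example/ca.crl",
                                             "http://crl2.example/ca.crl"]},
        "extendedKeyUsage": {"critical": False, "values": ["OCSPSigning"]},
    },
}

def check_against_profile(profile, cert):
    """Return every field-level deviation of cert from profile, as strings."""
    findings = []
    # Subject attributes the profile defines but the certificate lacks.
    for attr in profile["subject"]:
        if attr not in cert["subject"]:
            findings.append(f"subject: {attr} defined in profile, absent in certificate")
    # Extensions defined in the profile: presence, criticality, then values both ways.
    for name, spec in profile["extensions"].items():
        ext = cert["extensions"].get(name)
        if ext is None:
            findings.append(f"{name}: defined in profile, absent in certificate")
            continue
        if ext["critical"] != spec["critical"]:
            findings.append(f"{name}: critical={ext['critical']}, profile says {spec['critical']}")
        for v in sorted(set(spec["values"]) - set(ext["values"])):
            findings.append(f"{name}: {v} defined in profile, absent in certificate")
        for v in sorted(set(ext["values"]) - set(spec["values"])):
            findings.append(f"{name}: {v} in certificate, not defined in profile")
    # Extensions the certificate carries that the profile never mentions.
    for name in cert["extensions"]:
        if name not in profile["extensions"]:
            findings.append(f"{name}: extension in certificate, not defined in profile")
    return findings

if __name__ == "__main__":
    for line in check_against_profile(PROFILE, CERT):
        print(line)
```

A finding from such a check only says that the certificate and the document disagree; deciding which of the two is wrong is the question the rest of this thread turns on.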
Attached image Imagen1.png
Flags: needinfo?(ryandickson)
Attached image Imagen2.png
Flags: needinfo?(ryandickson)
Assignee: mprieto → ryandickson
Flags: needinfo?(ryandickson)

OCSP certificates are already in production. All the tasks described in point 7 (7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.) have been made.

How do we think this bug should be categorized in the whiteboard under [ca-compliance]? As "[policy-failure]" or "[audit-finding]" or both?

Dear Ben,
We think it could be "audit-finding"
Regards,
María José

Flags: needinfo?(bwilson)
Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] → [ca-compliance] [audit-finding]

Ryan,
Do you have any further questions or requests for clarification from Firmaprofesional? If not, then I'll queue this to be closed.
Thanks,
Ben

Flags: needinfo?(ryandickson)
Assignee: ryandickson → bwilson

No further questions @ben, sorry for the delayed response.

Flags: needinfo?(ryandickson)

I'll close this on Wed. 11-Oct-2023.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED