Closed Bug 1877680 Opened 5 months ago Closed 3 months ago

Telia: Findings in Audit 2023

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: antti.backman, Assigned: antti.backman, NeedInfo)

Details

(Whiteboard: [ca-compliance] [audit-findings] Next update 2024-04-24)

Audit Incident Report

Finding #1

ETSI EN 319 401:
7.5 Cryptographic controls, REQ-7.5-01

Identified as NC##03-2023: Generation of subject key pairs in the audit report.

Observation: At the time of the audit the quality of subject key pairs generated by the TSP was unknown. For generation of subject key pairs, Microsoft .NET library functionality is applied. There was no evidence on the random source or the number of security bits of the random source.

Non-conformity is related to S/MIME BR compliance.

Root Cause Analysis

Details of the subject key pair quality for CA generated S/MIME subscriber certificate key pairs were not properly documented and verified internally by CA. This issue was not identified when CA documentation and practices were prepared and finalized for S/MIME BR compliance before 1.9.2023.

Action Items

Action Item: Required cryptographic validations verified compliant with the requirement and documented appropriately by CA. Preventive correction deployed with evidence and confirmed by the auditor and reported completed satisfactorily in the audit report and audit attestation letter (AAL) to meet the said requirement.
Kind: Prevent
Due Date: 2023-12-08

Finding #2

ETSI EN 319 401:
7.6 Physical and environmental security, REQ-7.6-02

Identified as NC##04-2023: Physical access to the data center in the audit report.

Observation: During the visit to the data center identity documents of the auditor were not checked.

Root Cause Analysis

CA / RA datacenter guard did not adhere to the policy and practice required by both CA's CP/CPS and the DataCenter itself.

Action Items

Action Item: Ensure that datacenter security applies the agreed and required policies. Immediate actions were taken by CA to ensure the required visitor clearance practice is duly adhered to by the datacenter security personnel. Documentation and evidence of the applied policy and practice adherence provided by the datacenter responsible and verified by CA. Preventive correction deployed with evidence and confirmed by the auditor and reported completed satisfactorily in the audit report and audit attestation letter (AAL) to meet the said requirement.
Kind: Prevent
Due Date: 2023-11-28

Finding #3

ETSI EN 319 411-1:
6.3.4 Certificate acceptance, OVR-6.3.4-04, REG-6.3.4-08, REG-6.3.4-09, REG-6.3.4-11A, REG-6.3.4-10A

Identified as NC##01-2023: Subject agreement in the audit report.

Observation: There is no hint to the terms and conditions or agreement in the user's application form. Also, with respect to GDPR the user shall be informed about use of personal data, including a hint that the certificate is published to the customer's AD. In addition, key escrow shall be mentioned, too.

Non-conformity is related to S/MIME BR compliance.

Root Cause Analysis

In preparation for S/MIME compliance this issue was not identified when CA / RA certificate management portal functionality, documentation and practices were prepared and finalized for S/MIME BR compliance before 1.9.2023.

Action Items

Action Item: Portal application shall be updated to include required agreement and/or terms and conditions approval by the Applicant / Subscriber before certificates may be issued. In addition, required General Data Protection Regulation information shall be provided for the Applicant / Subscriber to acknowledge, making sure that all end-users are made aware of the agreement and/or terms and conditions. Preventive correction deployed with evidence and confirmed by the auditor and reported completed satisfactorily in the audit report and audit attestation letter (AAL) to meet the said requirement.
Kind: Prevent
Due Date: 2024-01-26

Finding #4

ETSI EN 319 411-1:
6.5.4 Activation data, SDP-6.5.4-03

Observation: After generation of the subject's certificate the p12-container and the password for that container are transferred to the subject at the same time using a single channel.

Non-conformity is related to S/MIME BR compliance.

Root Cause Analysis

CA / RA Secure S/MIME portal in Sweden provides the user with the p12-container activation key (PIN / password) in the portal's web-interface when the end-user issues an S/MIME certificate for oneself. The PIN / password is not sent by the system, but as the portal provides the p12-container to be downloaded in the same web-interface, the functionality did not satisfy the requirement.

When the CA / RA portal was being validated and developed for S/MIME compliance, this function and method was misinterpreted to be satisfactory with the requirements, as the password is never transmitted by the system to the end-user but provided directly in the web-interface at the time of issuance.

Action Items

Action Item: Swedish CA / RA portal functionality shall be improved to be in compliance with the requirements, delivering the p12 container and PIN / Password through separate channels. Preventive correction deployed with evidence and confirmed by the auditor and reported completed satisfactorily in the audit report and audit attestation letter (AAL) to meet the said requirement.
Kind: Prevent
Due Date: 2024-01-26
Whiteboard: Next update 2024-02-29
Assignee: nobody → antti.backman
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: Next update 2024-02-29 → [ca-compliance] [audit-findings] Next update 2024-02-29
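Findings #1 and #4 both concern the CA-side key-generation and delivery step: recording which random source and key strength back the subject key pair (REQ-7.5-01), and keeping the PKCS#12 container and its activation password apart so they can travel over two channels (SDP-6.5.4-03). The following C# program is an added example written for this page; it is not Telia's portal code and not part of the bug report. It assumes .NET 6 or later, uses a self-signed certificate as a stand-in for CA issuance so that it runs on its own, and the policy constants, type names and method names (`SubscriberKeyGen`, `Generate`, `CheckKeyPair`, `KeyGenEvidence`) are this example's own.

```csharp
// Added example, not Telia's code. Assumes .NET 6 or later.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// What an auditor asks to see recorded for REQ-7.5-01: algorithm, key length,
// public exponent and the random source behind the key generation.
public sealed record KeyGenEvidence(
    string Algorithm, int KeySizeBits, string PublicExponentHex, string RandomSource);

// The two artefacts are returned separately on purpose: the container goes out
// over one channel (e.g. portal download) and the password over another
// (e.g. a separate authenticated session), never together (SDP-6.5.4-03).
public sealed record SubscriberPackage(
    byte[] Pkcs12Container, string ActivationPassword, KeyGenEvidence Evidence);

public static class SubscriberKeyGen
{
    // Hypothetical policy values for this example; a real CA takes them from its CPS.
    private const int MinRsaBits = 2048;
    private const string ExpectedExponentHex = "010001"; // 65537
    private const int PasswordBytes = 16;               // 128 bits from the CSPRNG

    public static SubscriberPackage Generate(string subjectDn, int keySizeBits = 3072)
    {
        // RSA.Create(int) binds to the platform provider (CNG on Windows, OpenSSL on
        // Linux/macOS), which seeds key generation from the OS CSPRNG. Recording the
        // provider type name is the "random source" evidence that was missing.
        using RSA rsa = RSA.Create(keySizeBits);
        RSAParameters prm = rsa.ExportParameters(includePrivateParameters: true);
        CheckKeyPair(rsa.KeySize, prm);

        // Stand-in for CA issuance so the example runs on its own: a self-signed
        // certificate. In production the CSR from this key goes to the issuing CA.
        var req = new CertificateRequest(
            subjectDn, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));

        // Activation password straight from the CSPRNG, independent of the container.
        string password = Convert.ToBase64String(RandomNumberGenerator.GetBytes(PasswordBytes));
        byte[] pkcs12 = cert.Export(X509ContentType.Pkcs12, password);

        var evidence = new KeyGenEvidence(
            Algorithm: "RSA",
            KeySizeBits: rsa.KeySize,
            PublicExponentHex: Convert.ToHexString(prm.Exponent!),
            RandomSource: $"{rsa.GetType().Name} (platform CSPRNG via .NET {Environment.Version})");
        return new SubscriberPackage(pkcs12, password, evidence);
    }

    // Checks a CA can log as evidence of subject key-pair quality before issuance.
    private static void CheckKeyPair(int keySize, RSAParameters prm)
    {
        if (keySize < MinRsaBits)
            throw new CryptographicException($"RSA key too short: {keySize} bits");

        string e = Convert.ToHexString(prm.Exponent!);
        if (e != ExpectedExponentHex)
            throw new CryptographicException($"unexpected public exponent 0x{e}");

        // Balanced, distinct primes: same byte length and not equal.
        byte[] p = prm.P!, q = prm.Q!;
        if (p.Length != q.Length || p.SequenceEqual(q))
            throw new CryptographicException("RSA primes are not balanced and distinct");

        // A modulus whose top bit is clear would be shorter than the claimed key size.
        if ((prm.Modulus![0] & 0x80) == 0)
            throw new CryptographicException("RSA modulus shorter than key size");
    }
}

public static class Program
{
    public static void Main()
    {
        SubscriberPackage pkg = SubscriberKeyGen.Generate("CN=smime-example, O=Example CA");
        Console.WriteLine($"evidence: {pkg.Evidence}");
        Console.WriteLine($"p12 bytes: {pkg.Pkcs12Container.Length} (channel 1)");
        Console.WriteLine($"password length: {pkg.ActivationPassword.Length} (channel 2)");
    }
}
```

The `KeyGenEvidence` record is the part that addresses Finding #1: it captures the concrete provider behind `RSA.Create` together with the key length and exponent, which is exactly the documentation the auditor could not find. Returning the container and the password as two fields, rather than one download, is the design choice behind Finding #4; which two channels the portal uses for them is a deployment decision the example leaves open.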

The item identified in Finding #4 is under active discussion in the S/MIME Certificate Work Group of the CA/Browser Forum, which intends to add clarifications to the S/MIME BR in an upcoming ballot. See https://github.com/cabforum/smime/issues/234 for details.

Hi Stephen

Thank you for the information provided. We appreciate the work being done in the S/MIME WG and we're also participating in the said WG actively. We'll follow that progress with great interest to be able to further improve the security of certificate delivery to end-user and improvements to clarify requirements.

Telia CA continues to follow this incident.

Whiteboard: [ca-compliance] [audit-findings] Next update 2024-02-29 → [ca-compliance] [audit-findings] Next update 2024-03-25

This is the monthly update on the incident: as explained in the incident, all findings have been addressed by Telia CA.

Telia CA continues to monitor this incident, and the next update will follow as indicated by the Next update date.

This is the monthly update on the incident: as explained in the incident, all findings have been addressed by Telia CA.

Telia CA continues to monitor this incident, and the next update will follow as indicated by the Next update date.

As there haven't been any comments or questions on this incident for a couple of months and all actions / tasks have been completed, we kindly ask for this incident to be closed.

Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [audit-findings] Next update 2024-03-25 → [ca-compliance] [audit-findings] Next update 2024-03-24
Whiteboard: [ca-compliance] [audit-findings] Next update 2024-03-24 → [ca-compliance] [audit-findings] Next update 2024-04-24

I'll close this on Wed. 27-March-2024 unless there are additional questions that need to be answered.

Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Flags: needinfo?(bwilson)
Summary: Telia Company: Findings in Audit 2023 → Telia: Findings in Audit 2023