Closed Bug 1883792 Opened 2 months ago Closed 1 month ago

IdenTrust: Temporary Errors in Test Web Pages

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: roots, Assigned: roots)

Details

(Whiteboard: [ca-compliance] [uncategorized])

IdenTrust: Temporary Errors in Test Web Pages

Summary

The Baseline Requirements, section 2.2, require CAs to host test web pages that allow application software suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. On 2024-02-12, in the course of ongoing compliance reviews, IdenTrust confirmed that the certificates on its Test Web Pages for the IdenTrust Public Sector root had temporary errors. Specifically, the "active" certificate had the wrong chain, and the "revoked" certificate had expired a few days prior to the discovery.

Root Cause Analysis

The root causes of these errors were:

  • A web page coding error on the "active" certificate page; and
  • A manual certificate issuance process that resulted in the late replacement of the "revoked" certificate, causing it to be reported as "expired" rather than "revoked."

Impact

The IdenTrust Public Sector root is not currently in use, with no active certificates, no offering for it on the IdenTrust website, and no immediate expectations for certificate issuance. Therefore, the impact on certificate trustworthiness is unaffected.

Lessons Learned

What went well

  • Both errors were caught relatively early. The web page coding for the "active" certificate was corrected the same day, and an automated and time-based certificate issuance process will be deployed to prevent future occurrences of expired certificates.

What didn't go well

  • N/A

Where we got lucky

  • Because the IdenTrust Public Sector Root is not currently in use or offered, no end-entity certificates were affected. IdenTrust notes that the purpose of these test pages is for developer use; however, no developers were actively testing against these test pages at the time.

Action Items

Action Item Kind Due Date
Web page changes to correct the wrong chain Fix Already completed
Development of an automated process for replacing test-page certificates Fix Already completed

IdenTrust believes that no further actions are required.

Assignee: nobody → roots
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [uncategorized]

There are no remaining tasks related to this matter, and we can confirm that the automated monthly issuance of test certificates is proceeding as planned.

Flags: needinfo?(bwilson)

Can I assume that you are requesting that this bug be closed? If so, I'll do that next Wed. 27-Mar-2024.

Yes, Thank you.

Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.