ACCV: Delayed revocation of TLS certificates affected by bug #1884532
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: jamador, Assigned: jamador)
Details
(Whiteboard: [ca-compliance] [leaf-revocation-delay])
Incident Report
This is a preliminary report.
Summary
There is a non-compliance with point 4.9.1.1.1 of the BR in https://bugzilla.mozilla.org/show_bug.cgi?id=1884532 due to the existence of certificates that were revoked after the deadline.
Impact
All certificates affected by the original incident (#1884532) are also affected by this incident. All certificates have been revoked.
Timeline
All times are UTC.
The provided timeline focuses solely on the events related to the delayed revocation.
2024-03-04:
- An external observer sent a personal e-mail to the account accv@accv.es indicating a possible problem with the issuance. This email was not prioritised as urgent and was passed on for routine review by the support team.
2024-03-09:
- 08:30 After a routine review of the incidents received and referred to the compliance office, a warning is detected involving incorrectly issued certificates.
2024-03-14:
- 08:30 All certificates have been revoked.
Root Cause Analysis
What applies from point 4.9.1.1 of the BR:
“With the exception of Short-lived Subscriber Certificates, the CA SHOULD revoke a certificate within 24 hours and MUST revoke a Certificate within 5 days and use the corresponding CRLReason (see Section 7.2.2) if one or more of the following occurs: 12. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement (CRLReason #4, superseded);”
In this case, and although ACCV was in a position to revoke within five days, the delay in processing the notification meant that the whole process took more than five days. We thought, and it may be a translation error, that the time period started to run from the moment the CA became aware of the problem (on 2024-03-09 08:30).
Lessons Learned
What went well
All certificates were revoked five days after the start of the revocation process.
What didn't go well
The delay in receiving the mail from the compliance officers has meant that for several days we were not aware of the error and had not initiated the process of contacting the users and revoking the certificates.
Where we got lucky
Action Items
| Action Item | Kind | Due Date |
|---|---|---|
| Create an e-mail address only for communications from the Problem Reporting Mechanism that will go directly to the people responsible for these issues. ACCV will open a case in the CCADB to request it. The actions to be taken to avoid this delay come from those indicated in bug #1886785. | Prevent | 2024-03-25 |
Appendix
Based on Incident Reporting Template v. 2.0
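The root cause above turns on when the BR 4.9.1.1 clock starts: at receipt of the problem report or at internal detection. As an added example (not part of ACCV's report), the Python below evaluates both candidate "made aware" instants from the timeline against the 24-hour SHOULD and 5-day MUST windows; the report gives no time of day for the 2024-03-04 e-mail, so end of day is assumed, the latest instant the clock could have started.

```python
from datetime import datetime, timedelta, timezone

# Windows from BR 4.9.1.1 as quoted in the report:
# SHOULD revoke within 24 hours, MUST revoke within 5 days.
SHOULD_WINDOW = timedelta(hours=24)
MUST_WINDOW = timedelta(days=5)

UTC = timezone.utc

# Timeline from the report (all UTC). The e-mail date has no time of day in the
# report, so end of day is assumed (most favourable start of the clock for the CA).
REPORT_RECEIVED = datetime(2024, 3, 4, 23, 59, 59, tzinfo=UTC)  # assumption: end of day
INTERNAL_DETECTION = datetime(2024, 3, 9, 8, 30, tzinfo=UTC)
REVOKED = datetime(2024, 3, 14, 8, 30, tzinfo=UTC)


def revocation_status(made_aware: datetime, revoked: datetime) -> dict:
    """Evaluate a revocation time against BR 4.9.1.1 for one 'made aware' instant."""
    elapsed = revoked - made_aware
    return {
        "elapsed_days": round(elapsed / timedelta(days=1), 2),
        "within_24h": elapsed <= SHOULD_WINDOW,
        "within_5d": elapsed <= MUST_WINDOW,
        "must_deadline": (made_aware + MUST_WINDOW).isoformat(),
    }


def compare_clock_starts() -> dict:
    """Same revocation, two readings of when the CA was 'made aware'."""
    return {
        "clock_from_report": revocation_status(REPORT_RECEIVED, REVOKED),
        "clock_from_detection": revocation_status(INTERNAL_DETECTION, REVOKED),
    }


if __name__ == "__main__":
    for name, status in compare_clock_starts().items():
        print(name, status)
```

Starting the clock at report receipt gives a MUST deadline on 2024-03-09, so the 2024-03-14 revocation is late even under the most favourable assumption; starting it at internal detection lands exactly on the 5-day boundary.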
Comment 1 (Assignee) • 1 year ago
ACCV has opened a case in CCADB for the modification of the email address associated with the problem report mechanism from accv@accv.es to problem_reporting@accv.es. The change is pending confirmation from the root store reviewer.
Comment 2 (Assignee) • 1 year ago
The reviewer has confirmed the mechanism for reporting problems in the CCADB. The new e-mail address is problem_reporting@accv.es
Action Items
| Action Item | Kind | Status | Due Date |
|---|---|---|---|
| Create an e-mail address only for communications from the Problem Reporting Mechanism that will go directly to the people responsible for these issues. ACCV will open a case in the CCADB to request it. The actions to be taken to avoid this delay come from those indicated in bug #1886785. | Prevent | Done | 2024-03-25 |
Comment 3 (Assignee) • 1 year ago
No further action is pending. We are monitoring this bug for further comments or questions.
Comment 4 (Assignee) • 1 year ago
No further action is pending. We are monitoring the bug until it is closed.
Can you confirm the original report is not preliminary but final?
Comment 6 (Assignee) • 1 year ago
Yes, the report is final. When copying the template it was included as a preliminary report by mistake. Sorry for not noticing.
Comment 7 • 1 year ago
Is there any reason why this bug/incident cannot be closed?