Closed Bug 1889420 Opened 6 months ago Closed 28 days ago

Firmaprofesional: Policy Qualifiers other than id-qt-cps present for certificate

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ext-antoni.camon, Assigned: ext-antoni.camon)

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

Attachments

(1 file)

On April 2nd, Firmaprofesional was informed by Sectigo that we issued a TLS certificate (https://crt.sh/?id=11203831392) that does not comply with BR 7.1.2.7.9.

In response to this notification, we have initiated an internal investigation to understand the root causes of this non-compliance. We have successfully verified that all newly issued certificates are in compliance. This is a preliminary report. We will provide a comprehensive report of the incident, including findings from our internal investigation, through this bug as soon as possible.

We would like to thank Sectigo for the notification.

After receiving the communication from SECTIGO yesterday, the certificate indicated in the email was revoked today at 13:27 CEST.
https://crt.sh/?id=11203831392

Incident Report

Summary

On April 2nd, 2024, Sectigo notified us of regulatory non-compliance. We became aware that since September 15th, 2023, we have issued certificates including Policy Qualifiers other than id-qt-cps.

These certificates contain the id-qt-unotice type qualifier which is in violation of BR 7.1.2.7.9 of the CAB/Forum Baseline Requirements, version 2.0.0.

Impact

Fortunately, given the nature of the incident, there is NO impact in terms of security, usability, compatibility, or business, neither for Firmaprofesional's clients nor for the Community.

The total number of affected certificates is 499, issued between the dates 2023-09-15 00:00 and 2023-12-05 15:00, grouped as follows:

SSL OV: 342

SSL EV/QWAC: 157

Timeline

All times are UTC.

2023-09-15

Effective date of Certificate Profiles Update defined in the Baseline Requirements v2.0.0.

2023-12-05

14:00 All SSL certificate profiles are modified so that the first PolicyInformation value within the CertificatePolicies extension contains the Reserved Certificate Policy Identifier; the User Notice is removed from the CertificatePolicies extension.

2023-12-16

ZLint v3.6.0-rc1 is published, including the lint e_policy_qualifiers_other_than_cps_not_permitted.

2024-01-22

ZLint v3.6.0 is deployed in production.

2024-04-02:

15:47 Sectigo reports to us that a certificate issued by Firmaprofesional does not comply with the TLS BRs, emphasizing that this is an incident and requires opening an Incident Report: https://crt.sh/?id=11203831392&opt=zlint

2024-04-03:

09:48 Support escalates the ticket to the compliance department.
10:15 The issuance of all SSL certificates is suspended.
11:00 Firmaprofesional committee meets and confirms that the issue is not occurring at the moment and an investigation into the matter begins.
12:00 SSL issuance is resumed.

2024-04-04:

13:27 The SSL certificate mentioned in the email sent by SECTIGO is revoked.
14:30 The investigation finds 499 affected certificates, of which 490 are still valid.
15:00 Preparations for communications to clients begin. The certificates will be revoked in 5 days.

Root Cause Analysis

The company Firmaprofesional was acquired in October 2022 by the Spanish fund MCH, becoming part of the Logalty Group.

Although its legal personality, technical team, and systems remained unchanged, the merger of other cross-functional areas, such as the COMPLIANCE area, began, along with the departure of COMPLIANCE personnel from Firmaprofesional.

Despite having outsourced an external service for identifying and communicating changes in the regulations applicable to Firmaprofesional's activities, this change was not detected by the external company, nor by internal staff, due to organizational errors.

From a technical standpoint, we used ZLint 3.5.0 during the issuance of the certificates. That version, the latest available as of June 11, did not identify the presence of the userNotice field as an issue. Firmaprofesional always utilizes the latest final publicly released version of ZLint in the production environment.

Lessons Learned

What went well

Upon receiving the communication from SECTIGO, immediate efforts were undertaken to address the issue with the specified certificate, resulting in its swift revocation.

Additionally, the Operations Department maintains constant and effective communication with the rest of the affected clients, providing solutions that are as minimally disruptive as possible.

We are working at full capacity to address the incident, resolve customer inquiries and suggestions, and ensure that their services are not disrupted.

What didn't go well

The changes introduced in version 2.0.0 of the BRG in April were not detected by the team members responsible for monitoring new updates.

During the last quarter of the year, there were changes in the team responsible for these alerts, with some team members leaving.

Furthermore, the subcontracted company responsible for these updates also did not notify us of the changes.

Where we got lucky

Fortunately, given the nature of the non-conformity, it has no impact whatsoever in terms of security, usability, compatibility, or business, neither for Firmaprofesional's clients nor for the Community.

Action Items

Action Item                                                                               Kind     Due Date
Deployment of a cross-functional change management procedure (1)                          Prevent  2024-06-30
Enhanced monitoring of all applicable technical requirements and regulatory changes (2)   Prevent  2024-04-08
Automated deployment of linters' Release Candidates on preproduction environments         Detect   2024-04-30
Periodic post-issuance linting of a random sample of certificates                         Detect   2024-05-31

(1): From top management, there has been an impetus for the creation of an Integrated Cross-Functional Management System for the entire group, in which the central procedure is change management.

This procedure includes all applicable technical requirements and regulatory changes and defines the notification and action circuit, including clear roles and responsibilities.

(2): In addition to the contracted external monitoring, this task is reinforced with internal surveillance. Reports on updates made to the BRG will be compiled and presented to the affected parties within the company during weekly meetings.

Appendix

The affected certificate list is attached.

Details of affected certificates

We have successfully revoked 498 of the 499 certificates.

It has not been possible to revoke one of the affected certificates because, despite our warning that our certificates should be able to be replaced within less than 24 hours and that they should not be used in critical systems, our client has internally configured it in such a way that it is essential for various critical systems in hospitals and health centers of a public administration. A new certificate has been issued and has already been received by the client. The client has communicated to us their intention to resolve this situation as quickly as possible. We are actively assisting them. We are opening a delayed revocation bug.

Assignee: nobody → ext-antoni.camon
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [ov-misissuance]

(In reply to ext-antoni.camon from comment #3)

Action Items

Action Item                                                                               Kind     Due Date
Enhanced monitoring of all applicable technical requirements and regulatory changes (2)   Prevent  2024-04-08
Automated deployment of linters' Release Candidates on preproduction environments         Detect   2024-04-30

Can you confirm that these action items are complete?

Flags: needinfo?(ext-antoni.camon)

Hi Wayne,

The surveillance in reviewing documentation coming from applicable standards has been strengthened. Two people from the Compliance Area investigate and study changes in recent regulations to produce internal reports for other affected areas such as "product" and "operations," among others.

We confirm that we have successfully configured auto-deployment on new linter releases for our pre-production environments.

Flags: needinfo?(ext-antoni.camon)

We confirm that we have successfully configured periodic post-issuance linting on the given date, using a random sample of certificates with pkilint, zlint, and certlint.

Are there any other comments or questions, or can this bug be closed?

Flags: needinfo?(ext-antoni.camon)

This bug can be closed.

Flags: needinfo?(ext-antoni.camon)

I will schedule this bug for closure on or about Wed. 4-Sept-2024.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 28 days ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
