Closed Bug 1897134 Opened 5 months ago Closed 26 days ago

certSIGN: Findings in 2024 ETSI Audit - Audit Incident Report

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gabriel.petcu, Assigned: gabriel.petcu)

Details

(Whiteboard: [ca-compliance] [audit-finding])

Findings reported in:

LSTI TLS BR Audit Attestation (LSTI_AAL_1612-337-1_V1.0) from 2024-05-08

LSTI TLS EV Audit Attestation (LSTI_AAL_1612-337-2_V1.0) from 2024-05-08.

All the findings were considered by the auditors as minor non-conformities.

Issue #4: Obsolete RFC number in a CPS (ETSI EN 319 401 REQ-6.1-01)

Issue #4 Description: The CPS "Web CA for Qualified Website Authentication Certificates" stipulates in:

  • chapter 1 OID "2.23.140.3.1" as a Policy CABF. But this OID is not a Certificate Policy Identifier.
  • chapter 3.2.2.8 (CAA Records) references RFC 6844, which has been obsoleted by RFC 8659.

Error in a published reference document.

Issue #4 Root Cause of Issue: Misunderstanding of the scope of the references in #1 of the CPS, and a missing replacement on the RFC.

Issue #4 Remediation Plan for this Issue: The CPS had been corrected

Issue #4 Status: Done. Published CPS as version 1.27 from 29.03.2024

Issue #5: Incomplete Risk Analysis (ETSI EN 319 401 REQ-5-01)

Issue #5 Description: The risk analysis relies on assumptions that are not always true, or fails to identify input elements potentially having a significant impact (threats, vulnerabilities, incident scenarios), hence bringing some confusion on the final results. In addition, existing risks identified elsewhere as an outcome of various processes in place (e.g. vulnerability scans), and accepted by the team, are not captured in this risk analysis.
Lack of confidence in the risk analysis.

Issue #5 Root Cause of Issue: Difference in interpretation of the assumptions for risk analysis

Issue #5 Remediation Plan for this Issue: The Risk Analysis will be improved by taking out all the old risks that are obviously controlled and focusing on the actual risks that need a continuous supervision.

Issue #5 Status: Done.

Issue #6: Missing information assets (ETSI EN 319 401 REQ-7.3.1-02)

Issue #6 Description: An inventory of information assets has been established; information assets are identified together with classification levels, which recall the “impact” levels as identified in the risk analysis. However, some important assets are still missing from this list, such as the backups, the published reference documentation, or the archives of the signature validation service. In addition, the granularity level of the currently identified assets does not allow making the distinction between assets whose security needs may differ (e.g. data needing confidentiality or integrity protection).
Inventory not complete, leading to a potential mismatch between the security needs of an asset and its protection level.

Issue #6 Root Cause of Issue: The informational assets had been considered at too high a level

Issue #6 Remediation Plan for this Issue: A review of the potential missing granularity of the existing/missing informational assets will be done and the inventory will be updated accordingly.

Issue #6 Status: Done.

Assignee: nobody → gabriel.petcu
Whiteboard: [ca-compliance] [audit-finding]
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

We have no additional remediation items and consider the audit findings resolved unless there are further questions.

I intend to close this on or about Friday, 26-July-2024, unless there are any questions or issues raised.

Flags: needinfo?(bwilson)

Thank you for the original report, but we would like to request an update that improves the level of detail surrounding these findings and the root cause of each. In almost all cases, the “Root Cause of Issue" content in this report is a brief description of what was found to be non-conformant. We would encourage you to explore why the misunderstandings, differences in interpretations, and incorrect considerations occurred.

From CCADB.org: “The Root Cause Analysis section must contain a detailed analysis of the conditions which combined to give rise to the issue. It is unusual for an incident to have a single root cause; often there must be a confluence of several issues such as a software bug, insufficient checks, and a malformed request. Make sure that all contributing causes are identified and described, including noting when they first arose and how they avoided detection until they were discovered or identified."

  1. In the next update, please minimally make sure the Root Cause Analysis is updated to better consider the above criteria.
  2. Additionally, did you intend to attach the audit reports here?

I'll hold off closing this and remove my need-info.

Flags: needinfo?(bwilson)

(In reply to Chris Clements from comment #3)

The links to the audits' public info are reported in the CCADB. Explicitly, the links can be located in CCADB Case 00001838 “2024 Audit certSIGN - ETSI”. The detailed audit report is not public, so we will provide the requested information on a need-to-know basis.

Issue #4 Obsolete RFC number in a CPS (ETSI EN 319 401 REQ-6.1-01)
Issue #4 Description: The CPS "Web CA for Qualified Website Authentication Certificates" stipulates in:
  • chapter 1 OID "2.23.140.3.1" as a Policy CABF. But this OID is not a Certificate Policy Identifier.
  • chapter 3.2.2.8 (CAA Records) references RFC 6844, which has been obsoleted by RFC 8659.
Error in a published reference document.
Extracts from the “Web CA for Qualified Website Authentication Certificates” v1.26 of 31 Jan. 2024:
  • CA/B Forum Baseline Requirements (Policy CABF:2.23.140.3.1)
Extracts from the “Web CA for Qualified Website Authentication Certificates” v1.27 of 31 Mar. 2024:
  • CA/B Forum Baseline Requirements (CABF extension:2.23.140.3.1)
Issue #4 Root Cause of Issue: Misunderstanding of the scope of the references in #1 of the CPS, and a missing replacement on the RFC.
Detailed explanation:
For the first bullet, on the CABF OID, we argued with our auditors that in the latest version of “Baseline Requirements for the Issuance and Management of Publicly‐Trusted TLS Server Certificates”, in chapter 7.1.6.1 “Reserved Certificate Policy Identifiers” it is stipulated:
“The following Certificate Policy identifiers are reserved for use by CAs as an optional means of
asserting that a Certificate complies with these Requirements.”
And the last reserved policy identifier is:
“{joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1) ev-guidelines(1)} (2.23.140.1.1)”
Our auditors insisted on changing “Policy CABF” to “CABF extension” in the CPS, and we changed it in the next version (v1.27).
So the root cause for this issue was a misinterpretation or misunderstanding of the OID naming in the CPS list of compliances, against the auditors' interpretation.

On the second bullet, on the RFC reference, the Baseline Requirements mentioned in #3.2.2.8 referenced RFC 6844 until version 1.7.2 and changed it to RFC 8659 from version 1.7.3.
The root cause is the failure to update the RFC number after it had been updated in the Baseline Requirements. This failure was attributed not only to the persons in the role of CPS editors, but also to the verifiers and approvers of the documents.

Issue #4 Remediation Plan for this Issue: The CPS had been corrected, and the persons in roles related to editing, verifying and approving the CPSes, as well as other public documents, had been assigned supplemental training. Additionally, we sustained weekly meetings for reviewing and updating the CPS documents against the standards and regulations.
Issue #4 Status: Done. Published CPS as version 1.27 from 29.03.2024

Issue #5: Incomplete Risk Analysis (ETSI EN 319 401 REQ-5-01)
Issue #5 Description: The risk analysis relies on assumptions that are not always true, or fails to identify input elements potentially having a significant impact (threats, vulnerabilities, incident scenarios), hence bringing some confusion on the final results. In addition, existing risks identified elsewhere as an outcome of various processes in place (e.g. vulnerability scans), and accepted by the team, are not captured in this risk analysis.
Lack of confidence in the risk analysis.

Issue #5 Root Cause of Issue: Difference in interpretation of the assumptions for risk analysis
Detailed explanation:
The certSIGN team responsible for the risk analysis considered the risks for all certSIGN Business Units and Departments as an interrelated high-level system that should be analyzed and managed consistently for all the different specific systems and sub-systems.
This approach, even though it is efficient and effective for certSIGN, may be difficult to understand for the auditors, who require only a specific system's set of risks to be described during the life-cycle of risk management.
For the auditors, some of the threats analyzed were not needed, while others were too detailed. The same threats were considered required to be in the risk management of all certSIGN activities by the certSIGN risk team.
This is the root cause of this issue. The certSIGN Risk team understood the position of the auditors and planned to re-organize the risk management life-cycle correspondingly, as requested.

Issue #5 Remediation Plan for this Issue: The Risk Analysis will be improved by taking out all the old risks that are obviously controlled and focusing on the actual risks that need a continuous supervision.
Issue #5 Status: Done.

Issue #6: Missing information assets (ETSI EN 319 401 REQ-7.3.1-02)
Issue #6 Description: An inventory of information assets has been established; information assets are identified together with classification levels, which recall the “impact” levels as identified in the risk analysis. However, some important assets are still missing from this list, such as the backups, the published reference documentation, or the archives of the signature validation service. In addition, the granularity level of the currently identified assets does not allow making the distinction between assets whose security needs may differ (e.g. data needing confidentiality or integrity protection).
Inventory not complete, leading to a potential mismatch between the security needs of an asset and its protection level.
Issue #6 Root Cause of Issue: The informational assets had been considered at too high a level
Detailed explanation:
The certSIGN IT team started to use a new tool for the management of the assets and transferred the asset data, which was stored in Excel files, into this tool. During the transfer process, when the data for the informational assets was transferred, the available structures planned for hardware and software equipment were not appropriate for all the categories of the informational assets. So only the top informational asset categories were added.
The root cause was relying on the new tool without proper preparation for all the categories needed. The certSIGN team added to the tool only the top categories for the informational assets and continued to use the Excel sheets for the low-level categories, with a risk of inconsistency.

Issue #6 Remediation Plan for this Issue: A review of the potential missing granularity of the existing/missing informational assets will be done and the inventory will be updated accordingly.
Issue #6 Status: Done.

We have no additional remediation items and consider the audit findings resolved unless there are further questions.
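The Issue #4 argument above turns on the difference between the CA/Browser Forum certificate-policies arc (2.23.140.1, the reserved identifiers of BR 7.1.6.1) and the CABF extensions arc (2.23.140.3). The following is an added example, not certSIGN's or the auditors' code: it classifies an OID by CABF sub-arc, DER-encodes it as it would appear in a certificatePolicies extension, and lints a constructed CPS compliance list for entries labelled as a policy whose OID is not a policy identifier. The sub-arc meanings for 1 and 3 are my assumption from the BR/EVG; other sub-arcs are left unclassified.

```python
"""Added example (not certSIGN's code): lint CABF OIDs in a CPS compliance list."""

# {joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140)}
CABF_ARC = (2, 23, 140)
# Assumed sub-arc meanings: 1 = certificate-policies (BR 7.1.6.1), 3 = extensions.
CABF_SUBARCS = {1: "certificate-policy", 3: "extension"}


def parse_oid(text):
    """Turn dotted OID text such as '2.23.140.1.1' into a tuple of arcs."""
    return tuple(int(part) for part in text.strip().split("."))


def classify_cabf_oid(text):
    """Return 'certificate-policy', 'extension', 'cabf-other' or 'not-cabf'."""
    arcs = parse_oid(text)
    if arcs[:3] != CABF_ARC or len(arcs) < 4:
        return "not-cabf"
    return CABF_SUBARCS.get(arcs[3], "cabf-other")


def oid_to_der(text):
    """DER-encode an OID (tag 0x06), i.e. the bytes a policyIdentifier carries."""
    arcs = parse_oid(text)
    body = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def lint_cps_compliance_list(entries):
    """entries: (label, oid) pairs as written in a CPS chapter 1 list.
    Returns entries whose label claims a policy but whose OID is not one."""
    findings = []
    for label, oid in entries:
        kind = classify_cabf_oid(oid)
        if "policy" in label.lower() and kind != "certificate-policy":
            findings.append((label, oid, kind))
    return findings


# Constructed sample mirroring the v1.26 wording beside a genuine policy OID.
SAMPLE_CPS_LIST = [("Policy CABF", "2.23.140.3.1"), ("Policy CABF EV", "2.23.140.1.1")]

if __name__ == "__main__":
    for finding in lint_cps_compliance_list(SAMPLE_CPS_LIST):
        print("mislabelled:", finding)
```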

I will close this on or about Friday, 6-Sept-2024, unless I receive notice otherwise.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 26 days ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED