Open Bug 1897569 Opened 2 months ago Updated 21 days ago

IdenTrust: TLS ICA with User Notice in Policy Qualifier

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: roots, Assigned: roots)

Details

(Whiteboard: [ca-compliance] [ca-misissuance])


Incident Report

Summary

On May 9, 2024, through comment #12 on the IdenTrust Bugzilla bug [1], it came to our attention that an intermediate CA certificate (ICA) had been issued with the "User Notice" policy qualifier within the certificatePolicies extension. This practice is no longer permitted by the Server Baseline Requirements of the CA/Browser Forum (BR) as of September 15, 2023.

Impact

The issuance of an ICA that was not BR compliant.

Remediation and Reporting

The ICA was promptly revoked, and a process was established to ensure that the Linter tool gets updated with the most current validations.

Timeline

2024-04-16:

The PKI operator created the ICA in a pre-production environment; no issues were flagged when the ICA was run by the Linter tool and the certificate was approved for production issuance.

2024-04-29:

• 13:45 MDT: PKI operations started key-ceremony process to create the ICA in the production environment.
• 15:00 MDT: A malformed self-signed Root CA was created as disclosed on Bugzilla issue [1].
• 15:05 MDT: The PKI operator started a second key-ceremony creating the expected ICA.

2024-05-03:

• 13:00 MDT: The new ICA was uploaded into CCADB.

2024-05-09:

• Through comment #12 on the IdenTrust Bugzilla bug [1] we became aware of the issue and started the process to revoke the ICA.

2024-05-10:

• 12:29 MDT: Revoked the ICA.

2024-05-13:

• 11:40 MDT: Acknowledged comment #12 on the IdenTrust Bugzilla bug [1] regarding the issue with the ICA, confirming revocation and the need to disclose a separate incident report.

Root Cause Analysis

The Linter tool used to validate certificate issuance failed to detect the discrepancy. Upon further investigation, it was discovered that the version of the Linter tool in use had not been internally updated with the most current validation checks.

Lessons Learned

Ensure that the Linter tool is kept up-to-date to prevent similar issues from occurring in the future.

What went well

Prompt revocation of the ICA once we were made aware of the issue.

What didn't go well

The Linter tool used was not up to date.

Where we got lucky

• No end-entity certificates were issued from this ICA.
• No other ICAs issued after September 15, 2023, have this issue.

Action Items

| Action Item | Kind | Due Date |
| --- | --- | --- |
| Update the Linter tool to the latest version and establish a process to keep it up to date | Prevent | 2024-06-30 |

Appendix

Details of affected certificates

https://crt.sh/?id=12942971617

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1895006#c12
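The check an up-to-date pre-issuance linter would have needed to catch this ICA, written here as an added example; it is not IdenTrust's linter or any tool named in this report. It walks the DER value of the certificatePolicies extension, reports every policy qualifier found, and treats a User Notice qualifier in a certificate with notBefore on or after 2023-09-15 as an error, which is the rule the report describes. The sample inputs are constructed: the 2.23.140.1.2.2 policy OID, the notice text, and the choice to report a CPS URI qualifier as a warning rather than an error are this example's assumptions, not facts from the report or the affected certificate.

```python
"""Lint check for policy qualifiers in a CA certificate's certificatePolicies.

Added example, not IdenTrust's linter. Operates on the DER value of the
certificatePolicies extension (the bytes inside the extnValue OCTET STRING).
The DER helpers are a deliberately small subset written for this example.
"""
from __future__ import annotations

from datetime import date

# Effective date of the rule the incident report describes: CA certificates
# issued on or after it must not carry a User Notice policy qualifier.
POLICY_QUALIFIER_RULE_EFFECTIVE = date(2023, 9, 15)

ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # id-qt-cps (RFC 5280 4.2.1.4)
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # id-qt-unotice (RFC 5280 4.2.1.4)
QUALIFIER_NAMES = {ID_QT_CPS: "CPS URI", ID_QT_UNOTICE: "User Notice"}


def _der_len(n: int) -> bytes:
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return der_tlv(0x06, bytes(out))


def der_read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, position after this TLV) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def der_children(content: bytes) -> list[tuple[int, bytes]]:
    """Split the content of a SEQUENCE into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read_tlv(content, pos)
        out.append((tag, body))
    return out


def decode_oid(content: bytes) -> str:
    """Decode OID content octets. The first sub-identifier is assumed to be a
    single byte, which holds for every OID this check deals with."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def build_certificate_policies(policies) -> bytes:
    """Encode certificatePolicies from [(policy_oid, [(qualifier_oid, qualifier_der), ...]), ...]."""
    infos = []
    for policy_oid, qualifiers in policies:
        body = der_oid(policy_oid)
        if qualifiers:  # policyQualifiers SEQUENCE OF PolicyQualifierInfo
            body += der_tlv(0x30, b"".join(der_tlv(0x30, der_oid(q) + v) for q, v in qualifiers))
        infos.append(der_tlv(0x30, body))
    return der_tlv(0x30, b"".join(infos))


def lint_certificate_policies(ext_value: bytes, not_before: date | str) -> list[dict]:
    """One finding per policy qualifier in a CA certificate's certificatePolicies.
    User Notice is an error (the rule in the report); any other qualifier is
    reported as a warning, which is this example's choice."""
    if isinstance(not_before, str):
        not_before = date.fromisoformat(not_before)
    if not_before < POLICY_QUALIFIER_RULE_EFFECTIVE:
        return []  # rule applies only to certificates issued on/after the effective date
    tag, content, end = der_read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    findings = []
    for _, policy_info in der_children(content):
        fields = der_children(policy_info)  # [policyIdentifier, policyQualifiers?]
        policy_oid = decode_oid(fields[0][1])
        if len(fields) < 2:
            continue  # no qualifiers on this policy: nothing to flag
        for _, qualifier_info in der_children(fields[1][1]):
            qualifier_oid = decode_oid(der_children(qualifier_info)[0][1])
            findings.append({
                "policy": policy_oid,
                "qualifier": QUALIFIER_NAMES.get(qualifier_oid, qualifier_oid),
                "severity": "error" if qualifier_oid == ID_QT_UNOTICE else "warning",
            })
    return findings


# Constructed sample inputs (not the bytes of the actual affected certificate).
SAMPLE_USER_NOTICE = der_tlv(0x30, der_tlv(0x0C, b"Constructed sample notice text"))
MISISSUED_ICA_POLICIES = build_certificate_policies(
    [("2.23.140.1.2.2", [(ID_QT_UNOTICE, SAMPLE_USER_NOTICE)])])
CLEAN_ICA_POLICIES = build_certificate_policies([("2.23.140.1.2.2", [])])

if __name__ == "__main__":
    for name, value in (("misissued", MISISSUED_ICA_POLICIES), ("clean", CLEAN_ICA_POLICIES)):
        print(name, lint_certificate_policies(value, "2024-04-29"))
```

Feeding the real extension value is a matter of extracting the extnValue OCTET STRING contents from a parsed certificate; the notBefore gate matters because a linter that flags every historical qualifier would bury the post-2023-09-15 findings the report is about.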

(In reply to IdenTrust from comment #0)

On May 9, 2024, through comment #12 on the IdenTrust Bugzilla bug [1], it came to our attention that an intermediate CA certificate (ICA) had been issued with the "User Notice" policy qualifier within the certificatePolicies extension. This practice is no longer permitted by the Server Baseline Requirements of the CA/Browser Forum (BR) as of September 15, 2023.

This report is missing important events related to this incident surrounding the new requirement, and therefore I think is missing that element from the root cause analysis.

When did IdenTrust become aware of the proposed change to the BRs?
What ballot was it proposed in and when did it pass?
What actions did IdenTrust take when the ballot passed?
Did IdenTrust review their profiles to ensure compliance with the new requirements?
If so, why wasn't this ICA profile updated to comply?

Assignee: nobody → roots
Type: defect → task
Whiteboard: [ca-compliance] [ca-misissuance]
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

(In reply to Mathew Hodson from comment #1)

This report is missing important events related to this incident surrounding the new requirement, and therefore I think is missing that element from the root cause analysis.

When did IdenTrust become aware of the proposed change to the BRs?
What ballot was it proposed in and when did it pass?

IdenTrust: We were aware of the proposed certificate profile update discussions since February 2023, and in April 2023 ballot SC-62v2 was adopted, to become effective on September 15, 2023.

What actions did IdenTrust take when the ballot passed?

IdenTrust: We have a CA/B Forum compliance process in place where approved, published CA/B Forum BRs are reviewed by checking each section to determine whether the approved update requires updates to our policy documents (CP/CPS), with human and technical processes in place to ensure that we remain compliant with the BRs. Based on the review results, internal teams are notified to proceed accordingly.

Did IdenTrust review their profiles to ensure compliance with the new requirements?
If so, why wasn't this ICA profile updated to comply?

IdenTrust: Yes, this review took place and the end-entity TLS certificate profiles were updated. The update to the ICA certificate profile was not only a human oversight, but also a failed technical control that should have had the updated linter in place.
We will create more stringent processes to be followed and ensure that updated linters are in place whenever requirements are changed.

We are delaying the implementation of updating the linter tool from June 30, 2024, until July 20, 2024.
Our rationale for this delay is as follows:

• Mitigating Actions Taken: The certificate profile for CA issuance has been corrected to prevent similar occurrences. This significantly reduces the urgency for immediate linter tool implementation.
• Change Control Alignment: Aligning the linting tool update with a scheduled change control window minimizes the potential for disrupting ongoing operations.
We understand the importance of maintaining updated security tools. By July 20th, 2024, we will have completed the linter tool update and implemented a process for ongoing maintenance. This ensures we adhere to best practices and prevent similar issues in the future.
