Open
Bug 1901270
Opened 27 days ago
Updated 3 days ago
Entrust: Action Items from June 2024 Report
Categories
(CA Program :: CA Certificate Compliance, task)
CA Program
CA Certificate Compliance
Tracking
(Not tracked)
ASSIGNED
People
(Reporter: bwilson, Assigned: bwilson)
Details
(Whiteboard: [ca-compliance] [meta])
This is a "meta" bug for capturing and tracking all action items listed in Entrust's June 2024 Report.
|
Assignee | |
Updated•27 days ago
|
Status: NEW → ASSIGNED
|
||
Comment 1•27 days ago
|
||
We will use this bug to track the progress of the action items included in our report. Please limit comments on this bug to those about the progress of our action items or use the Mozilla dev-security-policy mailing list to comment.
PEOPLE
| Action Item | Kind | Due Date |
|---|---|---|
| Change organizational structure to enhance support, governance, and resourcing for compliance team | Prevent | Complete |
| Engage external consultants to review compliance changes | Prevent | Complete |
| Increase team assigned to execute CA/B Forum requirements and expectations | Prevent | Complete |
PROCESS
| Action Item | Kind | Due Date |
|---|---|---|
| Establish cross-functional change control board | Prevent | Complete |
| Review and update CCADB policy to ensure inclusion of CA owner page. | Prevent | Complete |
| Implement robust cross-functional change control process to cover full lifecycle planning and execution of changes for public trust certificates | Prevent | 2024-06-30 |
| Create matrix of external standards for public-trust operations and products | Prevent | 2024-06-30 |
| Implement Compliance by Design checklist to ensure requirements are considered at the inception of the design or design modification process | Prevent | 2024-06-30 |
| Implement formal incident response process including incident response communication plan to meet mandatory reporting times | Prevent | 2024-06-30 |
| Implement specific handling processes for internal as well as external (CPR) reports | Prevent | 2024-06-30 |
| Review verification process for all certificate types | Prevent | 2024-06-30 |
| Create formal revocation event handling process | Prevent | 2024-06-30 |
| Establish delayed revocation criteria | Prevent | 2024-06-30 |
| Create revocation event communication plan | Prevent | 2024-06-30 |
| Launch communication and education to subscribers on requirements for public trust certificates | Prevent | 2024-07-31 |
| Establish clearer naming conventions for certificate profiles to reduce potential errors | Prevent | 2024-07-31 |
TECHNOLOGY
| Action Item | Kind | Due Date |
|---|---|---|
| Run pkilint against all CRLs | Detect | Complete |
| Update CRL generation software installed for online and offline CRL systems. Issued and published CRLs. | Correct | Complete |
| Update automated test to cover the added requirement. | Prevent | Complete |
| Set up plan for periodically reviewing forked libraries. Release note patches. | Detect | Complete |
| Reconfigure OCSP responders to sign with SHA-256 and added OCSP Watch to daily monitoring. | Detect | Complete |
| Implement daily testing protocol to ensure efficacy of linters for public certificates | Mitigate | Complete |
| Deploy pkilint as a post-issuance linter for EV certs | Detect | Complete |
| Update TLS BR EKU checking zlint | Mitigate | Complete |
| Expand use of linters for other cryptographic or compliance objects | Detect | Complete |
| Expand use of linters post-issuance for all certificate types | Detect | Complete |
| Expand use of linters pre-issuance for all certificate types | Detect | 2024-07-31 |
| Implement ACME ARI | Mitigate | 2024-07-31 |
| Implement additional input validation controls to prevent invalid combinations of jurisdiction fields | Mitigate | 2024-07-31 |
| Implement ARI capabilities via API to integrate with clients that use our API | Mitigate | 2024-07-31 |
| Implement flag for CPRs coming into Support case management system | Prevent | 2024-08-31 |
| Automate CPR form to collect all required information at the outset from the reporter rather than relying solely on email | Prevent | 2024-08-31 |
|
|
||
Comment 2•14 days ago
|
||
There are no updates to the action item list at this time.
|
|
||
Comment 3•13 days ago
|
||
Here is an update of the Improvement Measures per the report posted at https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/LhTIUMFGHNw/m/5wMgFvmhAAAJ.
Improvement Measures
| Action Items | Kind | Target Completion |
|---|---|---|
| PEOPLE | ||
| Change organizational structure to enhance support, governance, and resourcing for compliance team | Prevent | Complete |
| Engage external consultants to review compliance changes | Prevent | Complete |
| Increase team assigned to execute CA/B Forum requirements and expectations | Prevent | Complete |
| PROCESS | ||
| Establish cross-functional change control board | Prevent | Complete |
| Review and update CCADB policy to ensure inclusion of CA owner page. | Prevent | Complete |
| Implement robust cross-functional change control process to cover full lifecycle planning and execution of changes for public trust certificates | Prevent | 2024-06-30 |
| Create matrix of external standards for public-trust operations and products | Prevent | 2024-06-30 |
| Implement Compliance by Design checklist to ensure requirements are considered at the inception of the design or design modification process | Prevent | 2024-06-30 |
| Implement formal incident response process including incident response communication plan to meet mandatory reporting times | Prevent | 2024-06-30 |
| Implement specific handling processes for internal as well as external (CPR) reports | Prevent | 2024-06-30 |
| Implement process during incident review to stop issuing certificates when a mis-issuance event has been confirmed. | Prevent | 2024-06-30 |
| Review verification process for all certificate types | Prevent | 2024-06-30 |
| Create formal revocation event handling process | Prevent | 2024-06-30 |
| Create revocation event communication plan | Prevent | 2024-06-30 |
| Launch communication and education to subscribers on requirements for public trust certificates | Prevent | 2024-07-31 |
| Establish clearer naming conventions for certificate profiles to reduce potential errors | Prevent | 2024-07-31 |
| Work with all stakeholders to resolve conflict between subscribers required to use public certificates and prevented from meeting revocation timelines. | Prevent | 2024-10-31 |
| TECHNOLOGY | ||
| Run pkilint against all CRLs | Detect | Complete |
| Update CRL generation software installed for online and offline CRL systems. Issued and published CRLs. | Prevent | Complete |
| Update automated test to cover the added requirement. | Prevent | Complete |
| Set up plan for periodically reviewing forked libraries. Release note patches. | Detect | Complete |
| Reconfigure OCSP responders to sign with SHA-256 and added OCSP Watch to daily monitoring. | Detect | Complete |
| Implement daily testing protocol to ensure efficacy of linters for public certificates | Mitigate | Complete |
| Deploy pkilint as a post-issuance linter for all public certificates | Detect | Complete |
| Update TLS BR EKU checking zlint | Mitigate | Complete |
| Expand use of linters for other cryptographic or compliance objects | Detect | Complete |
| Expand use of linters post-issuance for all certificate types | Detect | Complete |
| Expand use of linters pre-issuance for all certificate types | Detect | 2024-07-31 |
| Implement ARI with full support of the IETF draft for ACME ARI | Mitigate | 2024-07-31 |
| Implement additional input validation controls to prevent invalid combinations of locality fields | Mitigate | 2024-07-31 |
| Add support in our backend systems to allow us to tag any certificate as being affected by an incident and trigger an immediate indication via ARI that affected certificates should be replaced immediately | Mitigate | 2024-07-31 |
| Make equivalent changes to our REST API to allow integrators to act in the same way as an ACME client to receive an indication when a certificate should be replaced, both for normal replacement and in cases of incidents | Mitigate | 2024-07-31 |
| Implement flag for CPRs coming into Support case management system | Prevent | 2024-08-31 |
| Automate CPR form to collect all required information at the outset from the reporter rather than relying solely on email | Prevent | 2024-08-31 |
|
||
Comment 4•3 days ago
|
||
Here is a status update of the Improvement Measures.
Improvement Measures
| Action Items | Kind | Target Completion |
|---|---|---|
| PEOPLE | ||
| Change organizational structure to enhance support, governance, and resourcing for compliance team | Prevent | Complete |
| Engage external consultants to review compliance changes | Prevent | Complete |
| Increase team assigned to execute CA/B Forum requirements and expectations | Prevent | Complete |
| PROCESS | ||
| Establish cross-functional change control board | Prevent | Complete |
| Review and update CCADB policy to ensure inclusion of CA owner page. | Prevent | Complete |
| Implement robust cross-functional change control process to cover full lifecycle planning and execution of changes for public trust certificates | Prevent | Complete |
| Create matrix of external standards for public-trust operations and products | Prevent | Complete |
| Implement Compliance by Design checklist to ensure requirements are considered at the inception of the design or design modification process | Prevent | Complete |
| Implement formal incident response process including incident response communication plan to meet mandatory reporting times | Prevent | Complete |
| Implement specific handling processes for internal as well as external (CPR) reports | Prevent | Complete |
| Implement process during incident review to stop issuing certificates when a mis-issuance event has been confirmed. | Prevent | Complete |
| Review verification process for all certificate types | Prevent | Complete |
| Create formal revocation event handling process | Prevent | Complete |
| Create revocation event communication plan | Prevent | Complete |
| Launch communication and education to subscribers on requirements for public trust certificates | Prevent | 2024-07-31 |
| Establish clearer naming conventions for certificate profiles to reduce potential errors | Prevent | 2024-07-31 |
| Work with all stakeholders to resolve conflict between subscribers required to use public certificates and prevented from meeting revocation timelines. | Prevent | 2024-10-31 |
| TECHNOLOGY | ||
| Run pkilint against all CRLs | Detect | Complete |
| Update CRL generation software installed for online and offline CRL systems. Issued and published CRLs. | Prevent | Complete |
| Update automated test to cover the added requirement. | Prevent | Complete |
| Set up plan for periodically reviewing forked libraries. Release note patches. | Detect | Complete |
| Reconfigure OCSP responders to sign with SHA-256 and added OCSP Watch to daily monitoring. | Detect | Complete |
| Implement daily testing protocol to ensure efficacy of linters for public certificates | Mitigate | Complete |
| Deploy pkilint as a post-issuance linter for all public certificates | Detect | Complete |
| Update TLS BR EKU checking zlint | Mitigate | Complete |
| Expand use of linters for other cryptographic or compliance objects | Detect | Complete |
| Expand use of linters post-issuance for all certificate types | Detect | Complete |
| Expand use of linters pre-issuance for all certificate types | Detect | 2024-07-31 |
| Implement ARI with full support of the IETF draft for ACME ARI | Mitigate | 2024-07-31 |
| Implement additional input validation controls to prevent invalid combinations of locality fields | Mitigate | 2024-07-31 |
| Add support in our backend systems to allow us to tag any certificate as being affected by an incident and trigger an immediate indication via ARI that affected certificates should be replaced immediately | Mitigate | 2024-07-31 |
| Make equivalent changes to our REST API to allow integrators to act in the same way as an ACME client to receive an indication when a certificate should be replaced, both for normal replacement and in cases of incidents | Mitigate | 2024-07-31 |
| Implement flag for CPRs coming into Support case management system | Prevent | 2024-08-31 |
| Automate CPR form to collect all required information at the outset from the reporter rather than relying solely on email | Prevent | 2024-08-31 |
You need to log in
before you can comment on or make changes to this bug.
Description
•