Asseco DS / Certum: Cross-certificate not included in 2024 S/MIME Audit statement
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: kateryna.aleksieieva, Assigned: kateryna.aleksieieva)
Details
(Whiteboard: [ca-compliance] [audit-failure])
Preliminary Incident Report
One of the cross-certificates was not included in the S/MIME 2024 Audit statement unintentionally, which resulted in ALV check-up failure in CCADB. We are working on the full incident report and will publish it by the end of the week.
Comment 1•5 months ago
Hello Kateryna,
Can you get your auditor/CAB to re-issue the S/MIME 2024 Audit statement with the cross-certificate included?
Thanks,
Ben
Comment 2•5 months ago (Assignee)
> (In reply to Ben Wilson from comment #1)
> Hello Kateryna,
> Can you get your auditor/CAB to re-issue the S/MIME 2024 Audit statement with the cross-certificate included?
> Thanks,
> Ben
Hi Ben,
Yes, we are working on it. They asked for additional materials, which we have provided, and one of the requirements was to report the case on the Bugzilla portal. We are at the finish line with preparing the re-issue of the S/MIME Audit statement.
Comment 3•5 months ago (Assignee)
Incident Report
Summary
The cross-certificate with SHA-256 fingerprint 949424DC2CCAAB5E9E80D66E0E3F7DEEB3201C607D4315EF4C6F2D93A917279D was not included in the 2024 S/MIME Audit statement.
Impact
Cross-certificate was not included in the S/MIME Audit statement unintentionally and resulted in ALV check-up failure in CCADB.
The incident did not affect certificate issuance.
Timeline
2024-01-26: List of CA certificates for Audit prepared by Certum
2024-04-03: List of CA certificates for Audit accepted by the Auditor
2024-04-08: Preliminary S/MIME Audit Statement issued
2024-04-09: ALV check-up performed for S/MIME Audit Statement with no error
2024-04-12: S/MIME Audit Statement issued
2024-04-26:
- 10:30 ALV check-up performed for S/MIME Audit Statement with no error
- 11:22 Audit submitted to CCADB
2024-05-08: Audit case closed in CCADB
2024-05-09: Certum identified an issue with a cross-certificate and made a note in the case in CCADB, informing the community that the matter was being addressed with the Auditor
2024-05-13: Auditor was informed about the issue
2024-06-11: Auditor confirmed that the Audit Statement can be re-issued and prepared the list of requirements necessary for re-issuing the S/MIME Audit Statement
2024-06-21: Auditor required us to provide the root cause analysis and action plan for this error and suggested reporting this problem to the Root Programs as well
2024-06-25: This bug was created
Root Cause Analysis
The primary cause of this issue was a lapse in the verification process during the audit compilation. The Compliance Team did not cross-reference the List of CA certificates for Audit with the Audit Report accurately, resulting in the omission of a cross-certificate from the S/MIME Audit Statement, despite its inclusion in the TLS / EV TLS / Code Signing Audit.
The CA list was manually compiled, leading to an error where one cross-certificate was not identified as capable of issuing S/MIME. The verification of the CA list relies on a script that cross-references certificate fingerprints to determine their inclusion in the report. Both the preliminary and final reports were checked against the initial list, which contained the error, hence the double-checking by the Compliance Team and Auditor teams did not catch this specific mistake. In recent years, such issues were not encountered because the CA certificate lists for the TLS / EV TLS / Code Signing Audit were verified and found to be accurate. This year, the error occurred due to the new S/MIME audit, which led to an incorrect update of the list.
Furthermore, the CCADB ALV check-up was conducted for both preliminary and final audit statements and did not highlight the missing cross-certificate. The intermediate certificate was only identified as missing after the audit was concluded and the case was closed.
The combination of these factors resulted in the cross-certificate being left out of the audit report, and the oversight was not discovered until after the case had been closed.
Lessons Learned
What went well
What didn't go well
- Relying on the ALV check-up for catching this kind of error was definitely a mistake
Where we got lucky
Action Items
Action Item | Kind | Due Date |
---|---|---|
Automated generation of the CA list showing which certificate should belong to which Audit Report | Prevent | 2024-07-31 |
Appendix
Details of affected certificates
Comment 4•5 months ago (Assignee)
We have no updates on this bug.
Comment 5•5 months ago (Assignee)
We have no updates on this bug.
Comment 6•4 months ago (Assignee)
We have no updates on this bug.
Comment 7•4 months ago (Assignee)
A script for additional verification of the SHA-256 fingerprints included in audit reports has been created and tested. As a result, it returns a list of SHA-256 fingerprints that were not included in the audit report even though they should have been. We will use it to verify the preliminary and then the final audit reports we receive from auditors.
Action Items
Action Item | Kind | Due Date |
---|---|---|
Automated generation of the CA list showing which certificate should belong to which Audit Report | Prevent | Completed 2024-07-25 |
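Comment 7 describes a script that cross-references SHA-256 fingerprints against what an audit statement lists, and the root cause analysis notes that the hand-compiled CA list was itself wrong. The following is an added example, not Certum's script: it computes fingerprints the way CCADB does (SHA-256 over the DER encoding), extracts every fingerprint an auditor's statement mentions, and reports those that the CA list assigns to a given audit scope but the statement omits. The scope-to-certificate mapping and the statement text are constructed sample input (only the cross-certificate fingerprint comes from the report above; the other two fingerprints are placeholders, not real certificates), and in practice that mapping should be generated from each certificate's capabilities rather than typed by hand.

```python
"""Added example (not Certum's script): re-derive which CA certificates an audit
statement must list, then report the fingerprints it omits."""
import base64
import hashlib
import re

SCOPES = ("TLS", "EV TLS", "Code Signing", "S/MIME")  # audits named in the report
# 32 hex pairs, optionally separated by ':' or ' ' as auditors and CCADB print them
FP_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[: ]?){32}")

def normalize_fingerprint(text: str) -> str:
    """Drop separators and upper-case so 'ab:cd:..' and 'ABCD..' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()

def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as CCADB lists it: hash of the DER encoding, upper-case hex."""
    return hashlib.sha256(der).hexdigest().upper()

def pem_to_der(pem: str) -> bytes:
    """Decode one PEM block; the fingerprint is always taken over the DER bytes."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))

def fingerprints_in_statement(statement_text: str) -> set:
    """Every SHA-256 fingerprint the auditor's statement mentions, normalized."""
    return {normalize_fingerprint(m.group(0)) for m in FP_RE.finditer(statement_text)}

def missing_from_statement(inventory: dict, statement_text: str, scope: str) -> set:
    """Fingerprints the CA list assigns to `scope` that the statement does not list.
    inventory maps fingerprint -> set of audit scopes the certificate must appear in."""
    listed = fingerprints_in_statement(statement_text)
    return {fp for fp, scopes in inventory.items()
            if scope in scopes and normalize_fingerprint(fp) not in listed}

# Constructed sample data. The cross-certificate fingerprint is the one from the report
# above; the other two fingerprints are placeholders, not real certificates.
CROSS_CERT = "949424DC2CCAAB5E9E80D66E0E3F7DEEB3201C607D4315EF4C6F2D93A917279D"
ROOT_PLACEHOLDER = "AA" * 32
TLS_SUBCA_PLACEHOLDER = "BB" * 32
SAMPLE_INVENTORY = {
    ROOT_PLACEHOLDER: set(SCOPES),
    CROSS_CERT: set(SCOPES),                   # can issue S/MIME, so must be in that audit too
    TLS_SUBCA_PLACEHOLDER: {"TLS", "EV TLS"},  # correctly absent from the S/MIME statement
}
# Constructed S/MIME statement text: lists the root (colon form) but omits the cross-cert.
SAMPLE_SMIME_STATEMENT = "CA certificates in scope:\n" + ":".join(["aa"] * 32) + "\n"

if __name__ == "__main__":
    print("missing from S/MIME statement:",
          missing_from_statement(SAMPLE_INVENTORY, SAMPLE_SMIME_STATEMENT, "S/MIME"))
```

Running the check against both the preliminary and the final statement, as comment 7 proposes, only helps if the inventory itself is regenerated from the certificates each time; a stale hand-maintained list reproduces exactly the miss described in the root cause analysis.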
Comment 8•4 months ago (Assignee)
We have no updates on this bug.
Comment 9•4 months ago (Assignee)
We have no updates on this bug.
Comment 10•3 months ago (Assignee)
We have no updates on this bug.
Comment 11•3 months ago
We have no updates on this bug.
Comment 12•3 months ago (Assignee)
We have no updates on this bug.
Comment 13•3 months ago
I intend to close this on or about Friday, 30-Aug-2024.
Comment 14•3 months ago (Assignee)
As there have been no further questions or updates, could you please look into closing it at your earliest convenience?
Thanks,
Kateryna