Open Bug 1904494 Opened 10 days ago Updated 1 day ago

Asseco DS / Certum: Cross-certificate not included in 2024 S/MIME Audit statement

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task

Tracking

(Not tracked)

Status:
ASSIGNED

People

(Reporter: kateryna.aleksieieva, Assigned: kateryna.aleksieieva)

Details

(Whiteboard: [ca-compliance] [audit-failure])

Preliminary Incident Report

One of the cross-certificates was not included in the S/MIME 2024 Audit statement unintentionally, which resulted in ALV check-up failure in CCADB. We are working on the full incident report and will publish it by the end of the week.

Assignee: nobody → kateryna.aleksieieva
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Summary: Cross-certificate not included in 2024 S/MIME Audit statement → Asseco DS / Certum: Cross-certificate not included in 2024 S/MIME Audit statement
Whiteboard: [ca-compliance] [audit-failure]

Hello Kateryna,
Can you get your auditor/CAB to re-issue the S/MIME 2024 Audit statement with the cross-certificate included?
Thanks,
Ben

Flags: needinfo?(kateryna.aleksieieva)

(In reply to Ben Wilson from comment #1)

Hello Kateryna,
Can you get your auditor/CAB to re-issue the S/MIME 2024 Audit statement with the cross-certificate included?
Thanks,
Ben

Hi Ben,
Yes, we are working on it, they asked for additional materials which we have provided and one of the requirements was to report the case on Bugzilla portal. We are at the finish line with preparing the re-issue of the S/MIME Audit statement.

Flags: needinfo?(kateryna.aleksieieva)

Incident Report

Summary

Cross-certificate SHA-256 FINGERPRINT 949424DC2CCAAB5E9E80D66E0E3F7DEEB3201C607D4315EF4C6F2D93A917279D was not included in 2024 S/MIME Audit statement

Impact

Cross-certificate was not included in the S/MIME Audit statement unintentionally and resulted in ALV check-up failure in CCADB.

The incident did not affect certificate issuance.

Timeline

2024-01-26:

List of CA certificates for Audit prepared by Certum

2024-04-03:

List of CA certificates for Audit accepted by the Auditor

2024-04-08:

Preliminary S/MIME Audit Statement issued

2024-04-09:

ALV-checkup performed for S/MIME Audit Statement with no error

2024-04-12:

S/MIME Audit Statement issued

2024-04-26:

  • 10:30 ALV-checkup performed for S/MIME Audit Statement with no error

  • 11:22 Audit submitted to CCADB

2024-05-08:

Audit case closed in CCADB

2024-05-09:

Certum has identified an issue with a cross-certificate and made a note in the case in CCADB, informing the community about addressing the matter with the Auditor

2024-05-13:

Auditor was informed about the issue

2024-06-11:

Auditor confirmed that the Audit Statement can be re-issued and prepared the list of requirements necessary for re-issuing the S/MIME Audit Statement

2024-06-21:

Auditor required to provide the root cause analysis and action plan for this error and suggested to report this problem to Root Programs as well

2024-06-25:

This bug has been created

Root Cause Analysis

The primary cause of this issue was a lapse in the verification process during the audit compilation. The Compliance Team did not cross-reference the List of CA certificates for Audit with the Audit Report accurately, resulting in the omission of a cross-certificate in the S/MIME Audit Statement, despite its inclusion in the TLS/ EV TLS/ Code Signing Audit.

The CA list was manually compiled, leading to an error where one cross-certificate was not identified as capable of issuing S/MIME. The verification of the CA list relies on a script that cross-references certificate fingerprints to determine their inclusion in the report. Both preliminary and final reports were checked against the initial list, which contained the error, hence the double-checking by the Compliance Team and Auditor Teams did not catch this specific mistake. In recent years, such issues were not encountered because the CA certificate lists for TLS/ EV TLS/ Code Signing Audit were verified and found to be accurate. This year, the error occurred due to the new S/MIME audit, which led to an incorrect update of the list.

Furthermore, the CCADB ALV check-up was conducted for both preliminary and final audit statements and did not highlight the missing cross-certificate. The intermediate certificate was only identified as missing after the audit was concluded and the case was closed.

The combination of these factors resulted in the cross-certificate being left out of the audit report, and the oversight was not discovered until after the case had been closed.

Lessons Learned

What went well

What didn't go well

  • Relying on the ALV check-up for catching this kind of error was definitely a mistake

Where we got lucky

Action Items

Action Item Kind Due Date
Automated generation of the CA list showing which certificate should belong to which Audit Report Prevent 2024-07-31

Appendix

Details of affected certificates

https://crt.sh/?id=6162016

We have no updates on this bug.

You need to log in before you can comment on or make changes to this bug.