Open Bug 1911335 Opened 2 months ago Updated 25 days ago

PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: jochem.vanden.berge, Assigned: jochem.vanden.berge)

Details

(Whiteboard: [ca-compliance] [audit-delay])

Attachments

(1 file)

Incident Report

Summary

On September 1, 2023 the requirement to conform to the Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates (SBR) came into effect when Mozilla published Mozilla Root Store policy v2.9. Logius PKIoverheid operates as a SuperCA in which it only issues issuing CAs to governmental and commercial entities (Trust Service Providers, TSPs) and as such enforces any kind of policy (internal and external) via the PKIoverheid Programme of Requirements (PoR), available on https://cp.pkioverheid.nl.

When v2.9 of the MRSP came into effect, Logius already voiced their concerns that the text stated on https://wiki.mozilla.org/CA/Transition_SMIME_BRs would potentially lead to issues because of the short lead time to contract auditors to perform a Period-of-Time (PoT) audit with a start date of September 1, 2023 for some of its issuing CAs, due to the fact that preparations for audits usually start several months before the audit period ends and some PKIoverheid issuing CAs had their audit period end around October 30.

Due to this, our reply to the survey regarding MRSP v2.9 compliance indicated that this would take more time (until October 2024). Issuing CAs would either include this required SBR audit in their annual audit, or where the audit period would exceed 365 days, would include this as an additional Period-of-Time (PoT) audit covering SBR controls specifically.

It only recently became clear that the Dutch Ministry of Defense (NL MoD, or MinDef) will be unable to have a PoT S/MIME audit (ETSI EN 319 411-1/2 with ETSI TS 119 411-6) in place before October 2024, and as such will exceed the deadline as communicated in our CCADB Survey response of August 2023.

Impact

Audit information on S/MIME compliance for the CA "Ministerie van Defensie PKIoverheid Organisatie Persoon CA - G3" (see https://crt.sh/?caid=132287) will not become available before January 2025.

Timeline

  • 2023-01-01 Adoption of the S/MIME Baseline Requirements by the S/MIME Cert WG of the CA/Browser Forum. This document has a self-declared effective date of September 1, 2023.

  • January/February/March 2023: Policy Authority (PA) PKIoverheid met several times with each TSP to assess the impact the SBRGs would have on their operations. Most TSPs indicated that they issue no or few S/MIME certificates; however, since their CAs have the emailProtection EKU, they would need to be compliant with the S/MIME Baseline Requirements. Based on these sessions the PA developed an approach in which TSPs would:

    a. migrate to a new non-S/MIME capable CA under the current G3 Root CA or new G4 Root CA, or
    b. migrate to a new S/MIME capable CA under the current G3 Root CA which included strict S/MIME policies.

  • April 2023: MoD communicated these alternatives were not an option due to operational concerns. As such, talks about MoD-specific alternatives continued over the summer and autumn of 2023.

  • September 1, 2023: Mozilla adopted version 2.9 of the Mozilla Root Store Policy (MRSP), which mandated compliance with the S/MIME Baseline Requirements via either WebTrust (WTSM) or ETSI EN 319 411-1/2 with ETSI TS 119 411-6.

  • September 2023: Logius voiced concerns (privately and publicly via the CCADB survey) that auditing within the requirement timeframe stated on the wiki page CA/Transition SMIME BRs - MozillaWiki would be infeasible and that the audit results of all TSPs within PKIoverheid would not be available before October 2024.

  • October-December 2023: In informal and formal communications between Logius and the TSPs it was stated that S/MIME compliance should be part of the next auditing cycle.

  • July 2024: After communications with the MoD, it became clear to the PA PKIoverheid that there would not be a valid audit statement for S/MIME compliance for the MoD within the time frame Logius specified in its response to the CCADB Survey of August 2023.

  • August 2, 2024: Filing of this bug.

Root Cause Analysis

After careful analysis and reflection, we concluded that the root cause of the audit delay was a misjudgement of available audit capacity, combined with our focus being on future solutions:

  • The main focus of PKIoverheid has been on solutions migrating the user base of its TSPs to either single purpose S/MIME CAs with strict policies, or moving to non-S/MIME capable CAs. Arranging a timely Period-of-Time (PoT) S/MIME audit outside of the regular audit cycle was regarded as trivial.

  • NL-MOD requires that all personnel, including Conformity Assessment Body auditors, must be vetted by the Dutch Military Intelligence and Security Service (MIVD) in the Netherlands. This is a precise and laborious process especially for foreign entities, including auditors.

  • The Netherlands currently has only one accredited and vetted CAB (BSI) which did not have available capacity for an additional PoT S/MIME (ETSI TS 119 411-6) audit.

  • Vetting an additional CAB which would have capacity for a timely audit was not feasible in the available timeframe.

  • PKIoverheid historically had a laborious process in which changes in standards/requirements were analysed and sent to TSPs via email for verification. During 2023/2024 we made the switch to using GitHub, in which TSPs are party to discussions and changes. This increased agility greatly, but the focus was too much on working with the new system and at the same time simplifying our CP.

  • Misjudgement of available audit capacity led to a delay for the PoT S/MIME (ETSI TS 119 411-6) audit.

Lessons Learned

What went well

  • Logius was (and is) in active discussions with TSPs to analyse the impact of the S/MIME Baseline Requirements on their operations and is actively moving to migrate TSPs to CAs that are either not publicly trusted or are single-purpose S/MIME CAs (e.g. only S/MIME strict).

What didn't go well

  • Our focus was too much on the technical/future use cases and did not take into account the implications for current, still valid CAs ("extant CAs") and their auditing and compliance requirements in enough detail. Originally there was an expectation that all S/MIME-capable CAs would cease issuance and migrate to new CAs before September 1st, 2024.

  • Between September 1st, 2023 and July 2024 there was insufficient attention from the PA to check current S/MIME compliance preparations and, consequently, the commitment the PA PKIoverheid gave in the August 2023 CCADB survey. Although tickets/reminders are automatically created for the compliance officer to check TSP audit preparations and results in their yearly audit cycle, these checks were not implemented for the (additional) S/MIME PoT audits.

  • Although PKIoverheid TSPs can use any ETSI auditor accredited by an EER NAB, in practice, due to constraints like the one mentioned here, there is currently only one auditing firm available as a viable option for the NL MoD.

Where we got lucky

Not applicable.

Action Items

Each action item is listed with its kind and due date:

  • Exploration of sourcing/mandating a backup MoD/TSP auditor (Kind: Mitigate; Due: 2025-01-30)

  • Creation of a dedicated GitHub repo for compliance which uses GitHub Actions to import commits/issues from both Mozilla and CABF repos, all of which will require action/sign-off by the compliance officer (Kind: Prevent/Detect; Due: 2024-08-30)

  • Investigating whether it is possible to use these issues to (semi-)automatically create issues for affected TSPs and assign them to a TSP key-user for follow-up (Kind: Prevent/Detect; Due: 2024-10-01)

Appendix

Not applicable.

Details of affected certificates

"Ministerie van Defensie PKIoverheid Organisatie Persoon CA - G3" (see https://crt.sh/?caid=132287)

Assignee: nobody → jochem.vanden.berge
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-delay]

A status update from our side:

The second action item (a dedicated GitHub repo with auto-import of GitHub issues from both CABF and Mozilla) has been completed. Please find attached an example of a recent sign-off of ballot SMC-08.
