Closed Bug 1914893 Opened 3 months ago Closed 2 months ago

Amazon Trust Services: CRL not DER-encoded

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: agwa-bugs, Assigned: trevolip)

Details

(Whiteboard: [ca-compliance] [crl-failure] [external])

Amazon Trust Services has issued the following certificate:

https://crt.sh/?sha256=40FE28DC925D1A8A6B8F861863EB57CD30C6776416AB8A99920BAC7C925A4174

Containing the following CRL distribution point:

URI:http://crl.rootca2.amazontrust.com/rootca2.crl

This URI returns a PEM-encoded CRL. This is a violation of RFC5280 section 4.2.1.13, which states:

When the HTTP or FTP URI scheme is used, the URI MUST point to a single DER encoded CRL as specified in [RFC2585].

Assignee: nobody → trevolip
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [crl-failure]

Acknowledging this issue. Amazon Trust Services will reply with more details after a deeper analysis.

Incident Report

Summary

We made a recent change from a manual to a fully automated deployment process for our Root CRLs. Our previous manual process relied on an upload script that would have failed if the engineer attempted to upload anything other than a DER-formatted CRL.

Impact

The CRL that was being served was in PEM format, not DER as required by Section 4.2.1.13 of RFC 5280.

Timeline

All times are UTC.

2024-08-09 22:31:45 - Deployed new CRL to http://crl.rootca2.amazontrust.com/rootca2.crl
2024-08-20 - ATS reviews CRLWatch as part of a regular review. Observes that CRLWatch has an error for parsing of http://crl.rootca2.amazontrust.com/rootca2.crl. Verifies that the CRL file can be parsed. Note is made to check at next regular review to see if the error is a false positive.
2024-08-28 20:06 - Next regular review occurs. CCADB Incident identified.
2024-08-28 22:13 - Updated CRL in correct format completes deployment.

Root Cause Analysis

Lessons Learned

What went well

  • We did find this in a regular review and would have addressed it after the planned follow-up, during which we also identified there was an incident report for the same issue.

What didn't go well

  • We didn’t have an alarm on formatting failures.

Where we got lucky

Action Items

Action Item                                    Kind      Due Date
Add an alarm for formatting failures on CRL    Prevent   Completed

Appendix

Details of affected certificates

N/A
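The reporter's point (an HTTP CRL distribution point must serve a single DER-encoded CRL, RFC 5280 section 4.2.1.13) and the "alarm for formatting failures on CRL" action item above both come down to the same check on the bytes an HTTP fetch returns. The following is an added example of that check, written for this page; it is not code from Amazon Trust Services, CRLWatch, or the bug. It uses only the Python standard library, and the sample CertificateList it builds is a constructed stand-in with a zero-filled signature, not a real CRL. It classifies a body as DER (one outer SEQUENCE whose length spans exactly the whole body, first child a SEQUENCE for TBSCertList), PEM (X509 CRL armor present), or neither, and reports what a monitor would alarm on; rejecting trailing bytes and non-minimal lengths goes beyond the incident's PEM case.

```python
"""Added example: is the body served at a CRL distribution point URI the DER
that RFC 5280 4.2.1.13 requires, or PEM (the failure mode in this report)?
Stdlib only. SAMPLE_DER / SAMPLE_PEM below are constructed, not a real CRL."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_length(len(body)) + body


def read_tlv(buf: bytes, off: int = 0):
    """Parse one TLV at buf[off:]; return (tag, body_start, body_end).
    Raises ValueError on truncation or on a length that is not minimal DER."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    pos = off + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length (BER, not DER)")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, pos, pos + length


def classify_crl(body: bytes) -> str:
    """'DER' for exactly one DER CertificateList (outer SEQUENCE covering the
    whole body, first child SEQUENCE = TBSCertList), 'PEM' for PEM armor, else
    'UNKNOWN'. Trailing bytes after the SEQUENCE are rejected on purpose."""
    if PEM_RE.search(body):
        return "PEM"
    try:
        tag, start, end = read_tlv(body)
        if tag != 0x30 or end != len(body):
            return "UNKNOWN"
        inner_tag, _, _ = read_tlv(body, start)
        return "DER" if inner_tag == 0x30 else "UNKNOWN"
    except ValueError:
        return "UNKNOWN"


def pem_to_der(body: bytes) -> bytes:
    """Strip the PEM armor and base64-decode the payload."""
    m = PEM_RE.search(body)
    if not m:
        raise ValueError("no PEM X509 CRL block")
    return base64.b64decode(b"".join(m.group(1).split()))


def check_cdp_body(body: bytes) -> list:
    """Findings a CRL monitor would alarm on; an empty list means DER as required."""
    kind = classify_crl(body)
    if kind == "DER":
        return []
    if kind == "PEM":
        findings = ["CDP serves PEM; RFC 5280 4.2.1.13 requires a single DER-encoded CRL"]
        if classify_crl(pem_to_der(body)) == "DER":
            findings.append("PEM payload decodes to a well-formed DER CertificateList; republish the decoded bytes")
        return findings
    return ["body is neither a DER CertificateList nor a PEM CRL"]


# Constructed sample (NOT a real CRL, signature is zero-filled):
# CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signatureValue BIT STRING }
SHA256_RSA = tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b"")  # sha256WithRSAEncryption, NULL
TBS = tlv(0x30, tlv(0x02, b"\x01")                     # version v2
      + tlv(0x30, SHA256_RSA)                          # signature AlgorithmIdentifier
      + tlv(0x30, b"")                                 # issuer Name (empty, placeholder)
      + tlv(0x17, b"240809223145Z")                    # thisUpdate UTCTime
      + tlv(0x17, b"250809223145Z"))                   # nextUpdate UTCTime
SAMPLE_DER = tlv(0x30, TBS + tlv(0x30, SHA256_RSA) + tlv(0x03, b"\x00" + bytes(256)))
SAMPLE_PEM = b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END X509 CRL-----\n"

if __name__ == "__main__":
    for label, body in (("DER", SAMPLE_DER), ("PEM", SAMPLE_PEM), ("DER+newline", SAMPLE_DER + b"\n")):
        print(label, classify_crl(body), check_cdp_body(body))
```

To use this against a live distribution point, fetch the URI with a plain HTTP client and pass the raw response body to `check_cdp_body`; an alarm on any non-empty result would have fired on 2024-08-09 for the PEM upload described in the timeline. The DER-plus-trailing-newline case is included because an editor or a shell redirect can append one, and a strict relying party treats that the same way it treats PEM.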

Whiteboard: [ca-compliance] [crl-failure] → [ca-compliance] [crl-failure] [external]

We have no further action items for this report. We'd like to request this issue closed as resolved.

Flags: needinfo?(bwilson)

Amazon Trust Services is monitoring this issue for comments or questions. We have no further action items for this report. We'd like to request this issue closed as resolved.

If there are no questions, comments, or additional recommendations, I intend to close this on or about next Wednesday, 18-Sept-2024.

Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED