Amazon Trust Services: CRL not DER-encoded
Categories: CA Program :: CA Certificate Compliance (task)
Tracking: Not tracked
People: Reporter: agwa-bugs; Assigned: trevolip
Details: Whiteboard: [ca-compliance] [crl-failure] [external]
Amazon Trust Services has issued the following certificate:
https://crt.sh/?sha256=40FE28DC925D1A8A6B8F861863EB57CD30C6776416AB8A99920BAC7C925A4174
Containing the following CRL distribution point:
URI:http://crl.rootca2.amazontrust.com/rootca2.crl
This URI returns a PEM-encoded CRL. This is a violation of RFC5280 section 4.2.1.13, which states:
When the HTTP or FTP URI scheme is used, the URI MUST point to a single DER encoded CRL as specified in [RFC2585].
Comment 1•2 months ago
Acknowledging this issue. Amazon Trust Services will reply with more details after a deeper analysis.
Comment 2•2 months ago
Incident Report
Summary
We made a recent change from a manual to a fully automated deployment process for our Root CRLs. Our previous manual process relied on an upload script that would have failed if the engineer attempted to upload anything other than a DER formatted CRL.
Impact
The CRL that was being served was in PEM format, not DER as required by Section 4.2.1.13 of RFC 5280.
Timeline
All times are UTC.
2024-08-09 22:31:45 - Deployed new CRL to http://crl.rootca2.amazontrust.com/rootca2.crl
2024-08-20 - ATS reviews CRLWatch as part of a regular review. Observes that CRLWatch has an error parsing http://crl.rootca2.amazontrust.com/rootca2.crl. Verifies that the CRL file can be parsed. A note is made to check at the next regular review whether the error is a false positive.
2024-08-28 20:06 - Next regular review occurs. CCADB Incident identified.
2024-08-28 22:13 - Updated CRL in correct format completes deployment.
Root Cause Analysis
Lessons Learned
What went well
- We did find this in a regular review and would have addressed it after the planned follow-up, during which we also identified that there was an incident report for the same issue.
What didn't go well
- We didn’t have an alarm on formatting failures.
Where we got lucky
Action Items
Action Item | Kind | Due Date
---|---|---
Add an alarm for formatting failures on CRL | Prevent | Completed
Appendix
Details of affected certificates
N/A
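The reporter's point (an http CRL distribution point must serve a single DER-encoded CRL) and the incident report's action item (an alarm on formatting failures) both come down to one check: is the body served at the URI a DER CertificateList, or PEM armor around one? The following is an added example in Python, not code from Amazon Trust Services, CRLWatch or this bug. It uses only the standard library so it can run as a monitoring probe with no dependencies. A DER CRL is a SEQUENCE, so it must begin with tag 0x30 and a minimally encoded X.690 length that accounts for exactly the whole body; PEM is detected by the "X509 CRL" armor. The sample blobs are constructed placeholders (a bare DER SEQUENCE, and the same bytes wrapped in PEM armor), not real CRLs, and the function names are mine.

```python
"""Classify a fetched CRL body as DER (what RFC 5280 4.2.1.13 requires for
http/ftp distribution points) or PEM.

Added example, not Amazon Trust Services code. Standard library only.
"""
import base64
import re

# PEM armor a CRL is typically wrapped in (RFC 7468 label "X509 CRL").
PEM_CRL_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.DOTALL
)


def der_sequence_length(data: bytes):
    """Total encoded length of the DER SEQUENCE at the start of `data`.

    A CRL (CertificateList) is a SEQUENCE, so a DER CRL begins with tag 0x30
    followed by an X.690 length. Returns None if the prefix is not a
    minimally encoded, definite-length SEQUENCE header.
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None                       # indefinite length or absurd size: not DER
    length = int.from_bytes(data[2:2 + n], "big")
    if length < 0x80 or data[2] == 0:     # DER requires the shortest length form
        return None
    return 2 + n + length


def classify_crl(body: bytes) -> str:
    """Return 'der', 'pem' or 'unknown' for the bytes served at a CRL URI.

    'der' requires the outer SEQUENCE length to match the body exactly, which
    also catches truncated downloads and trailing garbage.
    """
    total = der_sequence_length(body)
    if total is not None and total == len(body):
        return "der"
    if PEM_CRL_RE.search(body):
        return "pem"
    return "unknown"


def pem_to_der(body: bytes) -> bytes:
    """Unwrap PEM armor and return the DER payload, checking it is a SEQUENCE."""
    m = PEM_CRL_RE.search(body)
    if m is None:
        raise ValueError("no PEM X509 CRL block found")
    der = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
    if classify_crl(der) != "der":
        raise ValueError("PEM payload is not a single DER SEQUENCE")
    return der


def check_crl_body(body: bytes) -> list:
    """Monitoring-style check: a list of findings; an empty list means OK."""
    kind = classify_crl(body)
    if kind == "der":
        return []
    if kind == "pem":
        return ["CRL served as PEM; RFC 5280 4.2.1.13 requires DER at http/ftp URIs"]
    return ["CRL body is neither a complete DER SEQUENCE nor PEM"]


# Constructed placeholders, NOT real CRLs: a bare DER SEQUENCE { INTEGER 5 },
# and the same bytes wrapped in PEM armor, which is the shape of this bug.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")


if __name__ == "__main__":
    import sys
    # Pipe a downloaded CRL on stdin; with no input, run against the PEM sample.
    body = sys.stdin.buffer.read() if not sys.stdin.isatty() else SAMPLE_PEM
    for line in check_crl_body(body) or ["OK: DER-encoded CRL"]:
        print(line)
```

Usage: `curl -s http://crl.rootca2.amazontrust.com/rootca2.crl | python3 crlcheck.py` (the file name is my choice). The structural check is deliberately stricter than "does some parser accept it": a lenient parser that auto-detects PEM is exactly why a manual review can conclude the file "can be parsed" while the served encoding is still wrong. For a one-line equivalent without Python, `openssl crl -inform DER -noout -in rootca2.crl` fails on a PEM body because it is told not to guess the input format.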
Comment 3•2 months ago
We have no further action items for this report. We'd like to request this issue closed as resolved.
Comment 4•2 months ago
Amazon Trust Services is monitoring this issue for comments or questions. We have no further action items for this report. We'd like to request this issue closed as resolved.
Comment 5•2 months ago
If there are no questions, comments, or additional recommendations, I intend to close this on or about next Wednesday, 18-Sept-2024.