Closed Bug 1921424 Opened 11 months ago Closed 9 months ago

SwissSign: Findings in 2024 Audit

Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: sandy.balzer, Assigned: sandy.balzer
Details: Whiteboard: [ca-compliance] [audit-finding]

Initial Audit Incident Report

Summary

SwissSign reports this initial audit incident report for the findings of the 2024 audit.
The audit attestation letter from 4 September 2024 can be found at this link:
https://it-tuv.com/wp-content/uploads/2024/09/AA2024090401_SwissSign_Standard_Audit_V1.0.pdf
We will post the full report in the next two weeks with all the details.

Finding #1

Access Control: SwissSign shall develop a way to keep the tokens for the PEM device secure and safe [ETSI EN 319 401, REQ-7.4-04A]

Finding #2

Human Resources: SwissSign shall perform the training internally for all relevant employees on the mis-issuance procedure [ETSI EN 319 401, REQ-7.2-02]

Finding #3

Media handling: SwissSign shall implement a rule in order for customer documents to be deleted after the application has been processed or after a certain period of time. [ETSI EN 319 401, REQ-7.3.2-01]

Finding #4

Operation security: SwissSign shall implement a process that applies dual control in the DSS. [ETSI EN 319 401, REQ-7.7-03]

Finding #5

Certificate issuance: SwissSign shall monitor the number of SHA-1 signed CSRs that are submitted on the FCA platform until the next browser audit and present the results. [ETSI EN 319 411-1, GEN-6.3.3-01]

Finding #6

"Time within which CA Must Process the Revocation Request": SwissSign shall process mis-issuance reports only through the mis-issuance mailbox. [BRG 4.9.5]

Finding #7

"Logging, Monitoring, and Alerting": SwissSign shall look into this issue and adapt the system accordingly to have notifications in cases where there are logins on the Online HSMs. [NetSec 3c]

Finding #8

"Subject Jurisdiction of Incorporation or Registration Field": SwissSign shall correct the process and remove the LocalityJurisdiction field from the mandatory fields by correcting the pre-defined template for that. [EVCG, 9.2.4]
For this finding we opened a separate Bugzilla bug. The root cause analysis and action items can be found there.
Link to the resolved bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1848854

Finding #9

"Subject Business Category Field": SwissSign shall change that to 'Private Organization', as defined also in the EV guidelines. [EVCG, 9.2.3]

Finding #10

"Subject distinguished name fields": SwissSign shall implement a block-list filter for the commonName field. [S/MIME BRG, 7.1.4.2.2]

Finding #11

All certificates: SwissSign shall correct the encoding of S/MIME Sponsor-Validated certificates to be ASCII-compliant in the email field in the DN and in the SAN field. [SMIME BRG, 7.1.2.4]
For this finding we opened a separate Bugzilla bug. The root cause analysis and action items can be found there.
Link to the resolved bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1914020

Finding #12

All certificates: SwissSign shall issue S/MIME Mailbox-Validated certificates only with permitted KeyUsage. [SMIME BRG, 7.1.2.4]
For this finding we opened a separate Bugzilla bug. The root cause analysis and action items can be found there.
Link to the bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1914023

Finding #13

Review of delegated parties: SwissSign shall perform the current confirmations and set up a process to perform those annually as required. [SMIME BRG, 8.8]

Assignee: nobody → sandy.balzer
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]

2024 - Post Audit Incident Reports in Bugzilla
Link to Attestation: https://it-tuv.com/wp-content/uploads/2024/09/AA2024090401_SwissSign_Standard_Audit_V1.0.pdf

Title of the Bugzilla: SwissSign: Findings in 2024 Audit

Summary

SwissSign reports this audit incident report for the findings of the 2024 audit.
Now that all non-conformities have been closed and closure has been verified by our auditor, we publish this full incident report.

Finding #1

Access Control: SwissSign shall develop a way to keep the tokens for the PEM device secure and safe [ETSI EN 319 401, REQ-7.4-04A]

Root Cause Analysis

The process description had not been detailed enough for optimally secure handling of the tokens for the PEM device.

Action Items

Action Item                                                                 | Kind     | Due Date
Improvement of the process of handling tokens                               | Prevent  | 2024-08-06
Introduction of a new type of physical security boxes as supporting measure | Mitigate | 2024-07-30

Finding #2

Human Resources: SwissSign shall perform the training internally for all relevant employees on the mis-issuance procedure [ETSI EN 319 401, REQ-7.2-02]

Root Cause Analysis

The process existed, but not all relevant employees had been trained.

Action Items

Action Item                                                            | Kind     | Due Date
Mis-issuance procedure has been revised                                | Prevent  | 2024-07-16
Training of the relevant employees has been performed and documented   | Mitigate | 2024-09-04

Finding #3

Media handling: SwissSign shall implement a rule in order for customer documents to be deleted after the application has been processed or after a certain period of time. [ETSI EN 319 401, REQ-7.3.2-01]

Root Cause Analysis

No automation was defined for document removal from local machines, and the instructions for trusted roles were worded in a way that left room for interpretation.

Action Items

Action Item                                                  | Kind    | Due Date
Automation for timely document removal set in place          | Prevent | 2024-07-09
In addition, employees in trusted roles were re-instructed   | Prevent | 2024-07-09

Finding #4

Operation security: SwissSign shall implement a process that applies dual control in the DSS. [ETSI EN 319 401, REQ-7.7-03]

Root Cause Analysis

The DSS (Digital Signing Service) is an integral part of our CA system. The DSS component lacked dual control on its UI as a technical protective measure, while the automated change management already had dual control implemented.

Action Items

Action Item                                                  | Kind    | Due Date
Process review of DSS change management                      | Prevent | 2024-08-09
Design of technical protective measure for dual control      | Prevent | 2024-08-30
Implementation of protective measure on the UI of the DSS    | Prevent | 2024-09-12

Finding #5

Certificate issuance: SwissSign shall monitor the number of SHA-1 signed CSRs that are submitted on the FCA platform until the next browser audit and present the results. [ETSI EN 319 411-1, GEN-6.3.3-01]

Root Cause Analysis

There was no overview option in the FCA platform showing how many CSRs signed with SHA-1 were submitted. Such CSRs are expected to decline to zero in the medium term.

Action Items

Action Item                                                                                  | Kind     | Due Date
Internal review of SHA-1 signed CSRs for the past audit period already showed a 50% reduction | Prevent  | 2024-09-02
Implementation of monitoring measures for SHA-1 signed CSRs                                   | Mitigate | 2024-09-06

Finding #6

"Time within which CA Must Process the Revocation Request": SwissSign shall process mis-issuance reports only through the mis-issuance mailbox. [BRG 4.9.5]

Root Cause Analysis

The analysis showed that the process was not detailed enough to support this.

Action Items

Action Item                                                           | Kind     | Due Date
Mis-issuance procedure has been adapted and revised                   | Prevent  | 2024-07-16
Training of the relevant employees has been performed and evidenced   | Mitigate | 2024-09-04

Finding #7

"Logging, Monitoring, and Alerting": SwissSign shall look into this issue and adapt the system accordingly to have notifications in cases where there are logins on the Online HSMs. [NetSec 3c]

Root Cause Analysis

One of the alert settings was found to be configured to not cover this specific case.

Action Items

Action Item                                                                                                | Kind    | Due Date
Configuration was adapted and the systems passed quality tests showing that notifications are produced as expected | Prevent | 2024-08-29

Finding #8

"Subject Jurisdiction of Incorporation or Registration Field": SwissSign shall correct the process and remove the LocalityJurisdiction field from the mandatory fields by correcting the pre-defined template for that. [EVCG, 9.2.4]
For this finding we opened a separate Bugzilla bug. The root cause analysis and action items can be found there.
Link to the bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1848854

Finding #9

"Subject Business Category Field": SwissSign shall change that to 'Private Organization', as defined also in the EV guidelines. [EVCG, 9.2.3]

Root Cause Analysis

In the new webshop there was a misspelling of 'Private Organization' ('Organisation' with an s). No certificates were mis-issued as a result of this error.

Action Items

Action Item                                       | Kind    | Due Date
Correction of the misspelling has been performed  | Prevent | 2024-07-10

Finding #10

Subject distinguished name fields: SwissSign shall implement a block-list filter for the commonName field. [S/MIME BRG, 7.1.4.2.2]

Root Cause Analysis

A block-list filter was missing for S/MIME certificates to catch specific commonName word combinations that are not natural person names.

Action Items

Action Item                                                      | Kind    | Due Date
Implementation on production of block-list filter for commonName | Prevent | 2024-09-03

Finding #11

All certificates: SwissSign shall correct the encoding of S/MIME Sponsor-Validated certificates to be ASCII-compliant in the email field in the DN and in the SAN field. [SMIME BRG, 7.1.2.4]
For this finding we opened a separate Bugzilla bug. The root cause analysis and action items can be found there.
Link to the bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1914020

Finding #12

All certificates: SwissSign shall issue S/MIME Mailbox-Validated certificates only with permitted KeyUsage. [SMIME BRG, 7.1.2.4]
For this finding we opened a separate Bugzilla bug. The root cause analysis and action items can be found there.
Link to the bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1914023

Finding #13

Review of delegated parties: SwissSign shall perform the current confirmations and set up a process to perform those annually as required. [SMIME BRG, 8.8]

Root Cause Analysis

Current confirmations were not collected in time due to a misinterpretation of the timeframe description in the internal process.

Action Items

Action Item                                                              | Kind     | Due Date
Process updated for clarification                                        | Prevent  | 2024-08-02
Collection of overdue confirmations scheduled, executed and documented   | Mitigate | 2024-08-19


Unless there are further questions, we kindly request that this bug be closed.
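
Two of the findings above describe concrete pre-issuance checks: Finding #5 (count the SHA-1 signed CSRs arriving on the front end) and Finding #10 (a block-list filter for the S/MIME subject commonName). The following is an added example of how such checks can be implemented; it is not SwissSign's code and says nothing about how the FCA platform does it. It reads the outer signatureAlgorithm OID of a PKCS#10 CertificationRequest with a minimal pure-Python DER walker, so it runs offline, and it goes slightly beyond the RSA case by flagging the ECDSA and DSA SHA-1 OIDs as well. The sample CSRs are constructed skeletons whose only meaningful field is signatureAlgorithm, and the block-list words are an assumption chosen for illustration.

```python
# Added example (not SwissSign's code): pre-issuance CSR intake checks for
# Finding #5 (count SHA-1 signed CSRs) and Finding #10 (commonName block-list),
# in pure Python with a minimal DER walker so it runs offline.
from collections import Counter
import re

# Signature algorithm OIDs built on SHA-1 (RFC 3279, RFC 5758).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

def _der_length(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    """Wrap body in a DER tag-length-value."""
    return bytes([tag]) + _der_length(len(body)) + body

def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return der_tlv(0x06, bytes(out))

def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode an OBJECT IDENTIFIER body to dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def csr_signature_oid(csr_der):
    """OID of the outer signatureAlgorithm of a PKCS#10 CertificationRequest
    (SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature })."""
    tag, outer, _ = der_read(csr_der)
    if tag != 0x30:
        raise ValueError("CSR is not a SEQUENCE")
    _, _, pos = der_read(outer)             # skip certificationRequestInfo
    tag, alg_id, _ = der_read(outer, pos)   # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = der_read(alg_id)     # algorithm OID; parameters follow
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier lacks an OID")
    return decode_oid(oid_body)

def sha1_csr_report(csr_ders):
    """Per-algorithm counts plus the SHA-1 share, for the audit report."""
    by_alg = Counter(csr_signature_oid(c) for c in csr_ders)
    total = sum(by_alg.values())
    sha1 = sum(n for oid, n in by_alg.items() if oid in SHA1_SIGNATURE_OIDS)
    return {"total": total, "sha1": sha1,
            "sha1_percent": round(100.0 * sha1 / total, 1) if total else 0.0,
            "by_algorithm": dict(by_alg)}

# Constructed block-list (assumption): role and department words that are not
# natural person names. Real lists are longer and locale-specific.
CN_BLOCKLIST = {"admin", "administrator", "support", "helpdesk", "info",
                "department", "team", "service", "noreply", "postmaster"}

def cn_blocked(common_name):
    """True if any word of the CN matches the block-list (case-insensitive)."""
    words = re.findall(r"[^\W\d_]+", common_name.lower())
    return any(w in CN_BLOCKLIST for w in words)

def build_placeholder_csr(sig_oid, null_params=True):
    """Constructed CSR skeleton: only signatureAlgorithm is meaningful;
    certificationRequestInfo and signature are dummies, not a real signed CSR."""
    info = der_tlv(0x30, der_tlv(0x02, b"\x00"))          # version 0 only
    params = der_tlv(0x05, b"") if null_params else b""   # NULL params for RSA
    alg_id = der_tlv(0x30, der_oid(sig_oid) + params)
    signature = der_tlv(0x03, b"\x00" * 9)                # dummy BIT STRING
    return der_tlv(0x30, info + alg_id + signature)

SAMPLE_CSRS = [                                            # constructed input
    build_placeholder_csr("1.2.840.113549.1.1.11"),        # sha256WithRSA
    build_placeholder_csr("1.2.840.113549.1.1.5"),         # sha1WithRSA
    build_placeholder_csr("1.2.840.10045.4.3.2", False),   # ecdsa-with-SHA256
    build_placeholder_csr("1.2.840.10045.4.1", False),     # ecdsa-with-SHA1
]

if __name__ == "__main__":
    print(sha1_csr_report(SAMPLE_CSRS))
    for cn in ("Anna Muster", "IT Support", "Helpdesk Team"):
        print(cn, "->", "BLOCKED" if cn_blocked(cn) else "ok")
```

In a real intake path the same `csr_signature_oid` call would run on the DER bytes actually submitted, and the per-algorithm counter would be exported to monitoring so that the trend towards zero SHA-1 CSRs can be shown at the next audit; the block-list check is a coarse first filter, so a match should route the request to manual review rather than silently rejecting it.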

I'll close this on Friday, 1-Nov-2024, unless there are additional questions or issues to address.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED