KIR: Intermediate CA - SZAFIR Trusted CA3 - Certificate Policies extension - non-compliance
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: piotr.grabowski, Assigned: piotr.grabowski)
Details
(Whiteboard: [ca-compliance] [ca-misissuance])
Incident Report
Summary
An incident occurred where 1 intermediate certificate was incorrectly issued.
The Certificate Policies extension of the SZAFIR Trusted CA3 Intermediate CA certificate was missing the Reserved Certificate Policy Identifiers that indicate adherence to and compliance with the S/MIME BR.
We were first notified by an email message from Rob Stradling posted to kontakt at kir.pl.
Impact
1 Intermediate CA certificate issued on Oct 11, 2023 – 10:49 UTC.
The impacted Intermediate CA is operational and has issued almost 10K end entity (EE) certificates (S/MIME and mainly client authentication) that are used in critical infrastructure and cannot be safely replaced, so the impacted certificate has not yet been revoked. We are developing a plan to safely switch issuance to the new intermediate CA certificate and retire or revoke the Szafir Trusted CA3 intermediate CA certificate. We will post the migration plan by Oct 11, 2025.
Timeline
Sep 25, 2024 – 11:33 UTC – Rob Stradling posts an email message to kontakt at kir.pl.
Sep 26, 2024 – 09:52 UTC – We began a preliminary investigation.
Sep 26, 2024 – 11:11 UTC – Piotr Grabowski from the KIR WebPKI team responds to Rob’s message that KIR has already started analyzing the issue.
Sep 26, 2024 – 12:44 UTC – Rob Stradling posts an email message to Piotr Grabowski from the KIR WebPKI team thanking him for the acknowledgement.
Sep 27, 2024 – 06:30 UTC – Intermediate CA certificate profile was updated to be compliant with S/MIME BR.
Root Cause Analysis
Unlike EE certificates, which are automatically verified, our process for issuing intermediate CA certificates involves several manual steps and is based on a dedicated procedure for CA generation. During the CA certificate generation on October 11, 2023, the updated procedure for CA generation contained an incorrect value in the Certification Policy field. During the generation ceremony the operator performed the actions according to the procedure and therefore used the wrong value from the procedure.
Lessons Learned
What went well
What didn't go well
The updated procedure for CA generation contained an incorrect value in the Certification Policy field.
Where we got lucky
Action Items
Action Item | Kind | Due Date
---|---|---
Updated our procedures for the generation of CA certificates to include all possible extensions and DN values | prevent | Sep 27, 2024 (completed)
Included an additional check by a dedicated person from the compliance department to validate the procedure before it is used to generate a certificate | prevent | Sep 27, 2024 (completed)
Reviewed all certificate profiles on our CA system | prevent | Sep 27, 2024 (completed)
Implement an automatic linter for intermediate CA certificate checks | prevent/detect | Oct 4, 2024 (TODO)
Migration plan and revocation date of the impacted certificate | mitigate | Oct 11, 2024 (TODO)
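The linter action item above and the defect described in the Summary (a certificatePolicies extension on a subordinate CA that carries no S/MIME BR Reserved Certificate Policy Identifier) can be exercised with the following Go program. It is an added example written for this page, not KIR's code and not the linter KIR deployed. Using only the Go standard library it builds a constructed root and two constructed intermediates, decodes certificatePolicies from the raw extension DER rather than from the parser's convenience fields, and flags the intermediate whose only policy OID is a private one, which is the situation the report describes. The private OID 1.3.6.1.4.1.99999.1.1 and the CA names are placeholders; 2.23.140.1.5 is the CA/Browser Forum arc under which the S/MIME BR reserved identifiers are defined. The check covers only this incident's defect; a full S/MIME BR profile lint has many more rules.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // id-ce-certificatePolicies (RFC 5280)
	// CA/Browser Forum arc of the S/MIME BR Reserved Certificate Policy Identifiers, e.g. 2.23.140.1.5.1.2.
	oidSMIMEReservedArc = asn1.ObjectIdentifier{2, 23, 140, 1, 5}
	oidPrivatePolicy    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1} // constructed placeholder, not a real KIR value
)

// PolicyInformation (RFC 5280); Qualifiers stay raw since only the OID matters, and a zero value is omitted on encoding.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// LintSMIMESubCAPolicies returns one finding per problem; nil means pass. It checks only the defect
// from the report (no S/MIME BR reserved identifier in a subordinate CA); other S/MIME BR rules are out of scope.
func LintSMIMESubCAPolicies(cert *x509.Certificate) []string {
	var oids []asn1.ObjectIdentifier
	for _, ext := range cert.Extensions { // decode the raw DER instead of trusting parsed fields
		if ext.Id.Equal(oidCertificatePolicies) {
			var infos []policyInformation
			rest, err := asn1.Unmarshal(ext.Value, &infos)
			if err != nil || len(rest) != 0 {
				return []string{fmt.Sprintf("certificatePolicies: malformed DER (err=%v, trailing=%d)", err, len(rest))}
			}
			for _, pi := range infos {
				oids = append(oids, pi.Policy)
			}
		}
	}
	if len(oids) == 0 {
		return []string{"certificatePolicies: extension missing or empty"}
	}
	for _, oid := range oids {
		if n := len(oidSMIMEReservedArc); len(oid) > n && oid[:n].Equal(oidSMIMEReservedArc) {
			return nil // at least one Reserved Certificate Policy Identifier is present
		}
	}
	return []string{fmt.Sprintf("certificatePolicies: no S/MIME BR reserved identifier (2.23.140.1.5.*) in %v", oids)}
}

func must[T any](v T, err error) T { // panics on error; acceptable only because every input below is a constructed fixture
	if err != nil {
		panic(err)
	}
	return v
}

// certificatePoliciesExtension encodes the given policy OIDs without qualifiers.
func certificatePoliciesExtension(oids ...asn1.ObjectIdentifier) pkix.Extension {
	infos := make([]policyInformation, len(oids))
	for i, oid := range oids {
		infos[i].Policy = oid
	}
	return pkix.Extension{Id: oidCertificatePolicies, Value: must(asn1.Marshal(infos))}
}

// newCA issues a constructed CA certificate, self-signed when issuer is nil.
func newCA(cn string, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, extra ...pkix.Extension) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtraExtensions:       extra, // certificatePolicies is supplied raw so its encoding is ours
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der)), key
}

// Demo lints two constructed intermediates under a constructed root: one with only the private
// policy OID (the situation in the report) and one that also carries a reserved S/MIME BR OID.
func Demo() (privateOnly, withReserved []string) {
	root, rootKey := newCA("Example Root CA (constructed)", nil, nil)
	bad, _ := newCA("Example Sub CA (private policy only)", root, rootKey, certificatePoliciesExtension(oidPrivatePolicy))
	good, _ := newCA("Example Sub CA (with reserved OID)", root, rootKey, certificatePoliciesExtension(oidPrivatePolicy, asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 2}))
	return LintSMIMESubCAPolicies(bad), LintSMIMESubCAPolicies(good)
}

func main() { fmt.Println(Demo()) }
```

The point of decoding the extension from `cert.Extensions` is that the check sees exactly the bytes that will be published, independent of which convenience fields a given parser version populates. In a ceremony this kind of check belongs between signing and release: run it on the DER the HSM produced, and treat any finding as a stop condition before the certificate is installed or logged, so a wrong value in the procedure is caught the same day rather than a year later by an external report.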
Based on Incident Reporting Template v. 2.0
Comment 1•4 months ago
> We are developing a plan to safely switch issuance to the new intermediate CA certificate and retire or revoke Szafir Trusted CA3 intermediate CA certificate. We will post the migration plan until Oct 11, 2025.
Piotr, please note that SBR section 4.9.1.2 says:
"The Issuing CA SHALL revoke a Subordinate CA Certificate within seven (7) days if one or more of
the following occurs:
...
5. The Issuing CA is made aware that the Certificate was not issued in accordance with or that
Subordinate CA has not complied with this document or the applicable CP and/or CPS;"
The incident described in this bug outlines how the Szafir Trusted CA3 intermediate certificate was "not issued in accordance with...this document". Be aware that failing to revoke the Szafir Trusted CA3 intermediate certificate within 7 days will cause another incident.
Comment 2•4 months ago
Rob, we are fully aware of the requirement to revoke a Subordinate CA Certificate within seven (7) days, but due to the situation described in the Impact part of the incident report we will file a new incident for delayed revocation at the right time.
Comment 3•4 months ago
Action item "Implement automatic linter for intermediate CA certificate checks" has been completed.
Comment 4•4 months ago
All action items have been completed.
We have no further updates here.