Open Bug 1921598 Opened 14 hours ago

KIR: Intermediate CA - SZAFIR Trusted CA3 - Certificate Policies extension - non-compliance

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: piotr.grabowski, Unassigned)

Details

Incident Report

Summary

An incident occurred where 1 intermediate certificate was incorrectly issued.
The Certificate Policies extension in the SZAFIR Trusted CA3 Intermediate CA was missing the Reserved Certificate Policy Identifiers that indicate adherence to and compliance with the S/MIME BR.
We were first notified by an email message from Rob Stradling posted to kontakt at kir.pl.

Impact

1 Intermediate CA certificate issued on Oct 11, 2023 – 10:49 UTC.

https://crt.sh/?caid=278655

Because the given Intermediate CA is operational and has issued almost 10K end user (EE) certificates (S/MIME and mainly client authentication), which are used in critical infrastructure and cannot be safely replaced, the impacted certificate has not yet been revoked. We are developing a plan to safely switch issuance to the new intermediate CA certificate and retire or revoke the Szafir Trusted CA3 intermediate CA certificate. We will post the migration plan by Oct 11, 2025.

Timeline

Sep 25, 2024 – 11:33 UTC – Rob Stradling posts an email message to kontakt at kir.pl.
Sep 26, 2024 – 09:52 UTC – We began a preliminary investigation.
Sep 26, 2024 – 11:11 UTC – Piotr Grabowski from KIR WebPKI team responds to Rob’s message that KIR already started analyzing the issue.
Sep 26, 2024 – 12:44 UTC – Rob Stradling posts an email message to Piotr Grabowski from KIR WebPKI team with thanks for acknowledging.
Sep 27, 2024 – 06:30 UTC – Intermediate CA certificate profile was updated to be compliant with S/MIME BR.

Root Cause Analysis

Unlike EE certificates, which are automatically verified, our process for issuing intermediate CA certificates involves several manual steps and is based on a dedicated procedure for CA generation. During the CA certificate generation on October 11, 2023, the updated procedure for CA generation contained an incorrect value in the Certification Policy field. The operator during the generation ceremony performed actions according to the procedure and used the wrong value from the procedure.

Lessons Learned

What went well

What didn't go well

The updated procedure for CA generation contained an incorrect value in the Certification Policy field.

Where we got lucky

Action Items

| Action Item | Kind | Due Date |
| --- | --- | --- |
| Updated our procedures for the generation of CA certificates to include all possible extensions and DN values | prevent | Sep 27, 2024 (completed) |
| We have included an additional check by the dedicated person from compliance department to validate the procedure before the use to generate a certificate | prevent | Sep 27, 2024 (completed) |
| Reviewed all certificate profiles on our CA system | prevent | Sep 27, 2024 (completed) |
| Implement automatic linter for intermediate CA certificates checks | prevent/detect | Oct 4, 2024 (TODO) |
| Migration plan and revocation date of impacted certificate | mitigate | Oct 11, 2024 (TODO) |

Based on Incident Reporting Template v. 2.0
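
An added example, not part of the report and not KIR's tooling: a minimal pre-issuance check of the kind the linter action item describes, flagging a CA certificate whose Certificate Policies extension carries no S/MIME BR reserved policy identifier. It assumes the reserved identifiers sit under the CA/Browser Forum arc 2.23.140.1.5 and takes the DER `extnValue` of the certificatePolicies extension as input; the sample bytes and the OID 1.3.6.1.4.1.99999.1 are constructed placeholders.

```python
# Added example: lint the DER extnValue of certificatePolicies (2.5.29.32).
SMIME_BR_ARC = "2.23.140.1.5."  # assumption: S/MIME BR reserved policy arc

# Constructed sample inputs (not taken from any real certificate).
# 1.3.6.1.4.1.99999.1 is a placeholder CA-specific policy OID.
ONLY_CA_POLICY = bytes.fromhex("300d300b06092b06010401868d1f01")
WITH_SMIME_POLICY = bytes.fromhex(
    "3018300b06092b06010401868d1f013009060767810c01050101")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends one sub-identifier
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def policy_oids(ext_value):
    """List policyIdentifier OIDs from a CertificatePolicies SEQUENCE."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("CertificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)        # PolicyInformation
        oid_tag, oid_body, _ = read_tlv(info, 0)   # policyIdentifier
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_body))
    return oids

def lint_ca_policies(ext_value):
    """Return findings; an empty list means the check passed."""
    if ext_value is None:
        return ["certificatePolicies extension is absent"]
    if not any(o.startswith(SMIME_BR_ARC) for o in policy_oids(ext_value)):
        return ["no S/MIME BR reserved policy identifier (2.23.140.1.5.*)"]
    return []
```

Run against the to-be-signed profile before the generation ceremony, a non-empty result blocks issuance instead of relying on the written procedure alone.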
