Izenpe: Not allowed Qualifier ID OID on Certificate Policies extension of Precertificates
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: d-fernandez, Assigned: d-fernandez)
Details
(Whiteboard: [ca-compliance])
This is a preliminary report related to bugs 1921254 and 1876565. As Chris Clements has pointed out in bug 1921254, there were some certificates that were not revoked in bug 1876565.
Analyzing them, we see that these are precertificates that were not finally issued.
In bug 1876565 we failed to consider the precertificates and only focused on those which were issued.
This is the list of those precertificates that were not revoked (still alive).
All of them have been revoked today.
Comment 1•4 months ago
Hi David,
I'm not sure if the above list should be considered complete.
For example, https://crt.sh/?id=10411995529&opt=pkimetal (serial=1f005a487d316f8b6507f6fb35eff354) does not appear in the above list, or https://bug1876565.bmoattachments.org/attachment.cgi?id=9376477 - but seems to present the same problematic practices as those described in Comment 9 of Bug 1921254.
Can you please describe the approach used to establish the set of affected certificates, why the above entry was missed, and whether there are any additional entries missing?
Thanks
Ryan
Incident Report
Summary
In Bug 1876565 we revoked all the certificates issued from 2023/09/15 to 2024/01/25, as they had been misissued because they included a qualifier ID in the Certificate Policies extension.
In Bug 1921254, Ben Wilson pointed out that some certificates from Bug 1876565 had still not been revoked. After identifying them, we revoked them, but there were some certificates that had not been revoked yet.
All the certificates that had not been included in the list of Bug 1876565 had in common that none of them were finally issued: they were submitted to some of the CT logs but, due to a problem (misconfigured CT server, network issues, delay in receiving the answer), they were not finally issued.
As precertificates must be considered a binding commitment by the CA, as stated in the CA/Browser Forum BRs (7.1.2.9), this is a violation of the BRs and they must have been revoked when Bug 1876565 was opened.
Impact
There has not been any impact as these certificates have never been delivered to clients.
Timeline
2024-01-25: - Bug 1876565 opened. Published the list of certificates affected by this issue.
2024-01-30: - All certificates of Bug 1876565 were revoked.
2024-10-03: - In Bug 1921254 it was pointed out that some certificates from Bug 1876565 were still alive and had not been revoked.
2024-10-04: - 14:16 - We found out that all the certificates that had not been revoked were precertificates that had not been issued. We gathered the list of affected precertificates that were still alive and revoked them.
2024-10-07: - 11:18 - In the previous list, we made a mistake, and considered only certificates issued in the last 12 months, and not 13 months as we issue them. Two more certificates came up in this review and have been updated in the list and revoked today.
Root Cause Analysis
After any certificate issuance, an internal task copies that certificate from the database to a server to be postlinted. The result of this lint is sent to an email group.
When there is a problem related to Certificate Transparency logs (when not enough SCTs are gathered, for whatever reason), the certificate is not issued and is not included in the published certificates table, so it is not copied to the postlint server.
So, when we have had to perform any research after a problem has been detected, or re-lint the certificates, we have worked with the server where the certificates are dumped after issuance and missed those that were not issued.
Lessons Learned
What went well
The certificates were not issued and they did not cause any disruption to clients.
What didn't go well
We did not consider the precertificates in our postlinting tool and we were not copying them to the server where the postlinting jobs are executed.
Where we got lucky
There were not too many certificates.
Action Items
Action Item | Kind | Due Date |
---|---|---|
Move automatically precertificates to the postlinting server | Prevent | 2024-10-21 |
Appendix
Details of affected certificates
Issued | CRT.SH link |
---|---|
2023/09/18 09:06 | https://crt.sh/?serial=1F005A487D316F8B6507F6FB35EFF354 |
2023/09/18 09:06 | https://crt.sh/?serial=2CD36AD5C06534EA6507F74B191FAE1B |
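The root cause above is that precertificates (objects carrying the RFC 6962 poison extension) never reached the postlint server, so the certificatePolicies check never ran on them. As an added illustration, not Izenpe's tooling or any lint the bug references, the following pure-Python sketch shows the two checks such a postlinter needs: recognising a precertificate by its poison extension, and listing every policyQualifier in a certificatePolicies extension. The extension bytes are constructed inline; which qualifier IDs a given profile permits is left as a parameter (assumption), since that depends on the Baseline Requirements version in force.

```python
"""Two checks a CA post-linter should run over every issued certificate AND
every precertificate (added illustration; not Izenpe's tooling).

  1. is_precertificate(): does the extension list carry the RFC 6962
     precert poison extension (OID 1.3.6.1.4.1.11129.2.4.3)?
  2. policy_qualifiers(): which policyQualifiers does the certificatePolicies
     extension (OID 2.5.29.32) contain?

Pure-Python DER handling (short-form lengths on the encoder side only), so it
runs with no third-party dependency on the constructed sample below."""

POISON_OID = "1.3.6.1.4.1.11129.2.4.3"   # RFC 6962 section 3.1 precert poison
CERT_POLICIES_OID = "2.5.29.32"           # id-ce-certificatePolicies


def tlv(tag, body):
    """Encode one DER TLV (short-form length, enough for the sample)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last byte
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, body)


def decode_oid(body):
    """Decode the body of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def read_tlv(data, pos=0):
    """Parse one DER TLV at pos (short- or long-form length)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def children(body):
    """Split the body of a DER SEQUENCE into its child (tag, body) pairs."""
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        items.append((tag, value))
    return items


def policy_qualifiers(cert_policies_value):
    """Return [(policyIdentifier, policyQualifierId), ...] for every qualifier.

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OID,
                                       policyQualifiers SEQUENCE OF PolicyQualifierInfo OPTIONAL }
    PolicyQualifierInfo ::= SEQUENCE { policyQualifierId OID, qualifier ANY }
    """
    found = []
    _, outer, _ = read_tlv(cert_policies_value)
    for _, info in children(outer):
        fields = children(info)
        policy_oid = decode_oid(fields[0][1])
        if len(fields) > 1:              # policyQualifiers present
            for _, pqi in children(fields[1][1]):
                found.append((policy_oid, decode_oid(children(pqi)[0][1])))
    return found


def is_precertificate(extensions):
    """extensions: [(oid, extnValue bytes), ...] taken from the TBSCertificate."""
    return any(oid == POISON_OID for oid, _ in extensions)


def postlint(extensions, allowed_qualifiers=frozenset()):
    """Findings for one object. Which qualifier IDs are allowed depends on the
    profile / BR version in force, so the caller supplies the set (assumption:
    an empty set means no qualifier is permitted)."""
    findings = []
    for oid, value in extensions:
        if oid == CERT_POLICIES_OID:
            for policy, qual in policy_qualifiers(value):
                if qual not in allowed_qualifiers:
                    findings.append(f"policy {policy} carries qualifier {qual}")
    return {"precertificate": is_precertificate(extensions), "findings": findings}


# Constructed sample: CABF DV policy 2.23.140.1.2.1 with an id-qt-cps
# (1.3.6.1.5.5.7.2.1) URI qualifier, plus the OV policy 2.23.140.1.2.2 without qualifiers.
SAMPLE_CERT_POLICIES = tlv(0x30,
    tlv(0x30, encode_oid("2.23.140.1.2.1")
        + tlv(0x30, tlv(0x30, encode_oid("1.3.6.1.5.5.7.2.1")
                        + tlv(0x16, b"https://example.invalid/cps"))))
    + tlv(0x30, encode_oid("2.23.140.1.2.2")))

# Constructed precertificate extension list: the poison extnValue is ASN.1 NULL.
SAMPLE_PRECERT_EXTENSIONS = [(CERT_POLICIES_OID, SAMPLE_CERT_POLICIES),
                             (POISON_OID, b"\x05\x00")]

if __name__ == "__main__":
    print(postlint(SAMPLE_PRECERT_EXTENSIONS))
```

Running the file prints one finding for the DV policy's CPS qualifier and flags the object as a precertificate; the point of the sketch is that `postlint()` is fed both kinds of object, so a precertificate whose SCT collection failed still gets linted and still lands in any later revocation sweep.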
Updated•4 months ago
Hi,
we have successfully created a task that moves precertificates that have not been issued to our postlint server.
Thus, we will be notified by email if there is any problem with the precert, and in case of a further revocation process, these precertificates will also be considered.
Regards,