Closed Bug 1952635 Opened 1 year ago Closed 8 months ago

Entrust: Missing or Inconsistent Disclosure of S/MIME BR Audits

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bruce.morton, Assigned: bruce.morton)

Details

(Whiteboard: [ca-compliance] [audit-failure])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36

Preliminary Incident Report

Summary

On 2025-03-05 (21:06 UTC), Entrust received notice via https://groups.google.com/a/ccadb.org/g/public/c/SjXke0qoZ8A/m/asTTB1b0AAAJ that there are Entrust roots which are trusted for S/MIME, which were not included in our posted S/MIME BR audit report.
Entrust is aware of the inconsistency of this S/MIME BR audit report and the root program policies and provides the following status:

Impact

The Root CAs missing from the audit report have not issued any Subordinate CA certificates which support S/MIME certificates, and no S/MIME certificates have been issued validating to these roots.

There are no mis-issued certificates.

Next steps

The Entrust annual compliance WebTrust audit for the period ending 28 February 2025 is currently ongoing. Missing roots will be added to the S/MIME BR audit report, which will be posted by 31 May 2025.

A full incident report including the root cause analysis, lessons learned, and action items will be posted per the CCADB full incident report requirement.

Assignee: nobody → bruce.morton
Type: defect → task
Whiteboard: [ca-compliance] [audit-failure]
Status: NEW → ASSIGNED

Incident Report

Summary

On 2025-03-05 (21:06 UTC), Entrust received notice via https://groups.google.com/a/ccadb.org/g/public/c/SjXke0qoZ8A/m/asTTB1b0AAAJ that there are Entrust roots which are trusted for S/MIME which were not included in our posted S/MIME BR audit report.
Entrust is aware of the inconsistency of this S/MIME BR audit report and the root program policies, and provides the following status:

Impact

The root CAs missing from the audit report have not issued any subordinate CA certificates which support S/MIME certificates, and no S/MIME certificates have been issued validating to these roots.

The root CAs were subject to audit criteria relevant to key generation, key lifecycle management, and key protection.

There are no mis-issued certificates.

Timeline

All times are UTC.

2023-09-15:

  • S/MIME BRs became effective.

2024-02-28:

  • Last day of most-recent Entrust S/MIME CA audit period.

2024-03-27:

  • 17:23 UTC: CCADB case created to test draft WebTrust audit reports, which includes the WebTrust for S/MIME audit report. Subsequently, the draft reports were uploaded; no error was observed regarding the S/MIME BR audit report.

2024-05-28:

  • 19:40 UTC: CCADB case created to upload WebTrust audit reports. ALV for S/MIME audit report stated: PDFLetterDownloaded=Pass; PDFFormat=Text; AllThumbprintsListed=Pass; Auditor=Pass; CAOwner=Pass; AuditLocation=Pass; DateVerified=Pass; AuditPeriodStart=Pass; AuditPeriodEnd=Pass; StatementDate=Pass;

Note, since the error occurs with non-listed thumbprints, it might not be a valid test to detect missing CA certificates.

2025-02-26:

  • 19:00 UTC: Reviewed CCADB with Deloitte and discussed the criteria for inclusion of roots in the S/MIME BR audit and the coverage issue from the last audit was identified. It was agreed that this would be addressed in the current WebTrust for S/MIME audit report which will be provided in May 2025.

2025-03-05:

Root Cause Analysis

The root CAs were considered out of scope for the S/MIME audit, since they did not issue any S/MIME CA certificates, and no S/MIME subscriber certificates were issued that validated back to these roots. However, the audit requirement is also based on the trust permitted by the root embedding programs. So, although the Root CAs did not support issued S/MIME certificates, they were S/MIME trusted by some or all browsers and operating systems.

After review of the CCADB page for each root, it was established that S/MIME was trusted by Apple, Google, Microsoft, and/or Mozilla.

Similar trust is also summarized on the crt.sh page for each specific root. See:

The Root CAs were not audited for S/MIME, since they were considered out of scope. Please note, the roots were audited under WebTrust for CA, NetSec, TLS BR and EV Guidelines.

Conclusion

The Entrust compliance procedure did not stipulate to review the trust permitted by the browsers and the operating systems to establish the audit criteria. As such, the scope of the roots was not properly established, and these roots were omitted from the S/MIME audit report.

Lessons Learned

What went well

  • No certificates were mis-issued.
  • The Roots CAs were subject to audit criteria relevant to key generation, key lifecycle management, and key protection.

What didn't go well

  • Entrust compliance procedure did not include confirming trust permitted from the browsers and operating systems to establish the required audits.
  • S/MIME audit scope did not address all roots.
  • Incomplete S/MIME audit reports were provided and posted in CCADB and in the Entrust repository.

Where we got lucky

  • Roots were audited to other requirements, which have similar audit scope as the S/MIME BRs.

Action Items

| Action Item | Kind | Due Date |
|---|---|---|
| Conduct S/MIME audit, properly including all roots in scope, and post audit report to CCADB | Detect | 30 May 2025 |
| Review CCADB to ensure the correct scope is being addressed for all Entrust roots | Prevent | Completed |
| Update compliance procedure to ensure the trust permitted by the browsers and operating systems is part of the determination of the scope of audits for roots | Prevent | Completed |

We will continue to monitor this bug and reply when required.

Thanks, Bruce.

Reposting as the previous post is not in the correct format.

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A011701

  • Incident description:

  • Timeline summary:

    • Non-compliance start date: 2024-05-30, when the S/MIME BR audit report was posted
    • Non-compliance identified date: 2025-03-05
    • Non-compliance end date: 2025-05-30, when the next S/MIME BR audit report is posted
  • Relevant policies: Per Mozilla, Apple, and Microsoft root program policies, all CA Owners with one or more Root or Intermediate CAs trusted for the issuance of S/MIME certificates must disclose the audit details on each applicable CCADB record.

  • Source of incident disclosure: Third Party Reported via CCADB public discussion.

Impact

  • Total number of certificates: 0
  • Total number of "remaining valid" certificates: 0
  • Affected certificate types: N/A
  • Incident heuristic: No certificates were impacted.
  • Was issuance stopped in response to this incident, and why or why not?: There were no mis-issued certificates, so issuance was not stopped.
  • Analysis: N/A
  • Additional considerations: N/A

Timeline

All times are UTC.

2023-09-15:

  • S/MIME BRs became effective.

2024-02-28:

  • Last day of most-recent Entrust S/MIME CA audit period.

2024-03-27:

  • 17:23 UTC: CCADB case created to test draft WebTrust audit reports, which includes the WebTrust for S/MIME audit report. Subsequently, the draft reports were uploaded; no error was observed regarding the S/MIME BR audit report.

2024-05-28:

  • 19:40 UTC: CCADB case created to upload WebTrust audit reports. ALV for S/MIME audit report stated: PDFLetterDownloaded=Pass; PDFFormat=Text; AllThumbprintsListed=Pass; Auditor=Pass; CAOwner=Pass; AuditLocation=Pass; DateVerified=Pass; AuditPeriodStart=Pass; AuditPeriodEnd=Pass; StatementDate=Pass;

Note, since the error occurs with non-listed thumbprints, it might not be a valid test to detect missing CA certificates.

2025-02-26:

  • 19:00 UTC: Reviewed CCADB with Deloitte and discussed the criteria for inclusion of roots in the S/MIME BR audit and the coverage issue from the last audit was identified. It was agreed that this would be addressed in the current WebTrust for S/MIME audit report which will be provided in May 2025.

2025-03-05:

Related Incidents

| Bug | Date | Description |
|---|---|---|
| [Related Bug ID](Related Bug URL) | Date Related Bug was opened | A description of how the subject Bug is related to the Bug referenced. |
| #1952639 | 2025-03-08 | Missing or Inconsistent Disclosure of S/MIME BR Audits |
| #1952519 | 2025-03-07 | Inconsistent Disclosure of S/MIME BR Audit Information in CCADB |

Root Cause Analysis

  • Contributing Factor #1: Process Incomplete
  • Description:
    • The root CAs were considered out of scope for the S/MIME audit, since they did not issue any S/MIME CA certificates, and no S/MIME subscriber certificates were issued that validated back to these roots. However, the audit requirement is also based on the trust permitted by the root embedding programs. So, although the Root CAs did not support issued S/MIME certificates, they were S/MIME trusted by some or all browsers and operating systems.
    • After review of the CCADB page for each root, it was established that S/MIME was trusted by Apple, Google, Microsoft, and/or Mozilla.
    • Similar trust is also summarized on the crt.sh page for each specific root. See:
      https://crt.sh/?caid=5890
      https://crt.sh/?caid=96595
      https://crt.sh/?caid=1224
      https://crt.sh/?caid=198
      https://crt.sh/?caid=1127
      https://crt.sh/?caid=1392
    • The Root CAs were not audited for S/MIME, since they were considered out of scope. Please note, the roots were audited under WebTrust for CA, NetSec, TLS BR and EV Guidelines.
    • The Entrust compliance procedure did not stipulate to review the trust permitted by the browsers and the operating systems to establish the audit criteria. As such, the scope of the roots was not properly established, and these roots were omitted from the S/MIME audit report.
  • Timeline: The process was always out of date, since it never stipulated to review the trust permitted by the browsers and the operating systems to establish the audit criteria.
  • Detection: A third party detected by tracking to https://crt.sh/mozilla-disclosures to flag missing and inconsistent disclosures of S/MIME BR audits.
  • Interaction with other factors: It is possible that other CAs were not audited based on the trust permitted by the browsers and the operating systems. This was reviewed and there were no issues.
  • Root Cause Analysis methodology used:

Lessons Learned

What went well

  • No certificates were mis-issued.
  • The Roots CAs were subject to audit criteria relevant to key generation, key lifecycle management, and key protection.

What didn't go well

  • Entrust compliance procedure did not include confirming trust permitted from the browsers and operating systems to establish the required audits.
  • S/MIME audit scope did not address all roots.
  • Incomplete S/MIME audit reports were provided and posted in CCADB and in the Entrust repository.

Where we got lucky

  • A third party detected the error.
  • Roots were audited to other requirements, which have similar audit scope as the S/MIME BRs.

Action Items

| Action Item | Kind | Due Date |
|---|---|---|
| Conduct S/MIME audit, properly including all roots in scope, and post audit report to CCADB | Detect | 30 May 2025 |
| Review CCADB to ensure the correct scope is being addressed for all Entrust roots | Prevent | Completed |
| Update compliance procedure to ensure the trust permitted by the browsers and operating systems is part of the determination of the scope of audits for roots | Prevent | Completed |
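The timeline note above (ALV's AllThumbprintsListed only confirms that every thumbprint in the letter is a known record, so it cannot flag roots that should have been listed) and the "Review CCADB" action item describe two directions of the same reconciliation. As an added illustration, not code from Entrust, CCADB or this bug, the Python below runs both directions over a constructed root inventory: the CSV column names, the trust-bit vocabulary per program, and the fingerprints are assumptions made for the example only.

```python
"""Reconcile S/MIME audit-letter coverage against root-program trust bits.

Constructed example: the inventory, column names, trust-bit tokens and
fingerprints below are made up for illustration, not real CCADB schema
or real Entrust records.
"""
import csv
import io

# Constructed CCADB-style root inventory (assumed column names).
ROOT_INVENTORY_CSV = """\
certificate_name,sha256_fingerprint,mozilla_trust_bits,microsoft_trust_bits,apple_trust_bits
Example Root A,{fp_a},Websites;Email,Server Authentication;Secure Email,TLS;S/MIME
Example Root B,{fp_b},Websites,Server Authentication,TLS
Example Root C,{fp_c},Websites,Server Authentication;Secure Email,TLS
Example Root D,{fp_d},Websites;Email,Server Authentication,TLS
""".format(fp_a="A1" * 32, fp_b="B2" * 32, fp_c="C3" * 32, fp_d="D4" * 32)

# Constructed S/MIME BR audit letter: the fingerprints the auditor listed.
# Root A appears colon-separated and lowercase to exercise normalisation;
# Roots C and D are S/MIME-trusted by at least one program but absent.
SMIME_AUDIT_LETTER_FINGERPRINTS = [
    ":".join(["a1"] * 32),
    "B2" * 32,
]

# Assumed spelling of the S/MIME trust bit in each program's column.
SMIME_TRUST_TOKENS = {"email", "secure email", "s/mime"}
TRUST_COLUMNS = ("mozilla_trust_bits", "microsoft_trust_bits", "apple_trust_bits")


def normalize_fingerprint(fp):
    """Canonical form so letter and inventory spellings compare equal."""
    return fp.replace(":", "").replace(" ", "").upper()


def load_inventory(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["sha256_fingerprint"] = normalize_fingerprint(row["sha256_fingerprint"])
    return rows


def smime_trusting_programs(row):
    """Names of the programs (from the column prefix) that trust this root for S/MIME."""
    programs = []
    for col in TRUST_COLUMNS:
        bits = {b.strip().lower() for b in row[col].split(";") if b.strip()}
        if bits & SMIME_TRUST_TOKENS:
            programs.append(col.split("_")[0])
    return programs


def alv_all_thumbprints_listed(letter_fps, inventory):
    """ALV direction: every thumbprint in the letter must be a known CA record.

    Returns ("Pass"|"Fail", list of unknown fingerprints). It says nothing
    about roots that should have been in the letter but are not.
    """
    known = {r["sha256_fingerprint"] for r in inventory}
    unknown = [fp for fp in map(normalize_fingerprint, letter_fps) if fp not in known]
    return ("Pass" if not unknown else "Fail"), unknown


def smime_scope_gaps(inventory, letter_fps):
    """Reverse direction: roots trusted for S/MIME by any program but not in the letter."""
    listed = {normalize_fingerprint(fp) for fp in letter_fps}
    gaps = []
    for row in inventory:
        programs = smime_trusting_programs(row)
        if programs and row["sha256_fingerprint"] not in listed:
            gaps.append((row["certificate_name"], programs))
    return gaps


def main():
    inventory = load_inventory(ROOT_INVENTORY_CSV)
    verdict, _ = alv_all_thumbprints_listed(SMIME_AUDIT_LETTER_FINGERPRINTS, inventory)
    print(f"AllThumbprintsListed={verdict}")
    for name, programs in smime_scope_gaps(inventory, SMIME_AUDIT_LETTER_FINGERPRINTS):
        print(f"MISSING from S/MIME audit: {name} (S/MIME-trusted by {', '.join(programs)})")


if __name__ == "__main__":
    main()
```

On this data the ALV-style check passes while two S/MIME-trusted roots are absent from the letter, which is the blind spot the timeline note describes; the scope check is the one a compliance procedure has to run against the inventory before the audit period closes, not after the report is posted.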
Whiteboard: [ca-compliance] [audit-failure] → [ca-compliance] [audit-failure] Next update 2025-06-02

Action Items

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Conduct S/MIME audit, properly including all roots in scope, and post audit report to CCADB | Detect | Root Cause # 1 | S/MIME BR audit successfully completed for the CAs and has been posted to CCADB | 2025-05-30 | Done |
| Review CCADB to ensure the correct scope is being addressed for all Entrust roots | Prevent | Root Cause # 1 | Audit reports have been posted based on trust indicated in CCADB. | 2025-03-31 | Done |
| Update compliance procedure to ensure the trust permitted by the browsers and operating systems is part of the determination of the scope of audits for roots | Prevent | Root Cause # 1 | Compliance procedure has been updated. | 2025-03-31 | Done |

Report Closure Summary

  • Incident description: Some Entrust roots which are trusted for S/MIME by an Application Software Vendor were not included in our posted S/MIME BR audit report.
  • Incident Root Cause(s): The audit process did not include reviewing CCADB to see which roots were trusted for TLS, S/MIME, and Code Signing.
  • Remediation description: CCADB was reviewed for all Entrust roots; and the compliance process was updated to ensure new roots are also reviewed.
  • Commitment summary: Entrust will continue to improve its processes to provide transparency to the PKI community.

All Action Items disclosed in this report have been completed as described, and we request its closure.

Flags: needinfo?(incident-reporting)

We will continue to monitor this incident.

This is a final call for comments or questions on this Incident Report.

Otherwise, it will be closed on approximately 2025-06-17.

Whiteboard: [ca-compliance] [audit-failure] Next update 2025-06-02 → [close on 2025-06-17] [ca-compliance] [audit-failure]

We are reviewing an error in the WebTrust S/MIME BR audit report. Will post an update next week.

Currently working with the audit team to ensure the correct SHA-256 CA fingerprints are included in the S/MIME BR audit report.

Can Entrust please clarify the timeframe applicable to completion of this task?

Flags: needinfo?(bruce.morton)

Our auditor is currently reviewing the audit reports, it will need QA, approval, reposting by WebTrust, and CCADB updates by Entrust. We plan to have this completed by 18 July 2025, which will cover if there are any issues and some PTO with Canada Day and 4th July coming up.

Flags: needinfo?(bruce.morton)
Flags: needinfo?(incident-reporting)
Whiteboard: [close on 2025-06-17] [ca-compliance] [audit-failure] → [ca-compliance] [audit-failure] Next update 2025-07-21

The updated WebTrust S/MIME BR audit report has been received from the auditor, along with 4 other updated audit reports. A new case has been created to re-submit all audit reports. We believe the updated reports will address disclosing all CAs audited to meet the S/MIME BRs.

CCADB case 00002541 for updating the WebTrust audit reports has been closed. The CCADB errors for the missing WebTrust S/MIME audit reports have been removed for all CAs. Per comment #5, we request this bug be closed.

Flags: needinfo?(incident-reporting)
Whiteboard: [ca-compliance] [audit-failure] Next update 2025-07-21 → [ca-compliance] [audit-failure]

This is a final call for comments or questions on this Incident Report.

Otherwise, this bug will be closed on approximately 2025-08-08.

Flags: needinfo?(incident-reporting)
Whiteboard: [ca-compliance] [audit-failure] → [close on 2025-08-08] [ca-compliance] [audit-failure]
Flags: needinfo?(incident-reporting)
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Flags: needinfo?(incident-reporting)
Resolution: --- → FIXED
Whiteboard: [close on 2025-08-08] [ca-compliance] [audit-failure] → [ca-compliance] [audit-failure]