Entrust: Cross-certified CA CP/CPS not updated in CCADB
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: bruce.morton, Assigned: bruce.morton, NeedInfo)
Details
(Whiteboard: [ca-compliance] [disclosure-failure])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Comment 1•1 month ago
Preliminary Incident Report
Summary
On 2025-03-25 (00:46 UTC), Entrust received notice from Sectigo which stated:
"crt.sh is flagging an inconsistent CPS issue for SSL.com at https://crt.sh/mozilla-disclosures#disclosedwithinconsistentcps. This is actually an Entrust incident as Entrust has cross certified SSL.com but didn't update the corresponding CCADB record when SSL.com last updated its CP/CPS. This is identical to a bug Sectigo recently opened against ourselves after SSL.com failed to notify us of CP/CPS updates."
"In this case, SSL.com marked its previous CP/CPS version as Superseded in CCADB, and that detail propagated to the CCADB record under Entrust's control. Consequently, that CCADB record now only has Superseded CP/CPS info associated with it. This record is at https://ccadb.my.site.com/s/account/001TO00000HU8cgYAD/sslcom-tls-rsa-root-ca-2022."
This is considered an incident with the Chrome Root Program Policy which states:
The Chrome Root Program considers CA policy documentation disclosed to the CCADB to be authoritative. Before corresponding policy changes are put into practice, Chrome Root Program Participants:
- MUST minimally ensure the updated versions of a CA's policy document(s) are uploaded to their own publicly accessible repository, and
- SHOULD ensure the updated versions of a CA's policy document(s) are submitted to the CCADB within 7 calendar days of the policy document's effective date, but MUST do so within 14 calendar days.
The CP/CPS information was not updated within the required 14 calendar days.
Entrust updated CCADB on 2025-03-25 approximately 14:30 UTC.
Impact
Minimal impact to Subscribers and Relying parties viewing the correct CP/CPS, as SSL.com published their update to their website and updated CCADB.
There are no mis-issued certificates.
Next steps
A full incident report including the root cause analysis, lessons learned, and action items will be posted per the CCADB full incident report requirement.
Comment 2•1 month ago
Reposting as the previous post is not in the correct format.
Preliminary Incident Report
Summary
- Incident description:
On 2025-03-25 (00:46 UTC), Entrust received notice from Sectigo which stated:
crt.sh is flagging an inconsistent CPS issue for SSL.com at https://crt.sh/mozilla-disclosures#disclosedwithinconsistentcps. This is actually an Entrust incident as Entrust has cross certified SSL.com but didn't update the corresponding CCADB record when SSL.com last updated its CP/CPS. This is identical to a bug Sectigo recently opened against ourselves after SSL.com failed to notify us of CP/CPS updates.
In this case, SSL.com marked its previous CP/CPS version as Superseded in CCADB, and that detail propagated to the CCADB record under Entrust's control. Consequently, that CCADB record now only has Superseded CP/CPS info associated with it. This record is at https://ccadb.my.site.com/s/account/001TO00000HU8cgYAD/sslcom-tls-rsa-root-ca-2022.
This is considered an incident with the Chrome Root Program Policy which states:
The Chrome Root Program considers CA policy documentation disclosed to the CCADB to be authoritative. Before corresponding policy changes are put into practice, Chrome Root Program Participants:
- MUST minimally ensure the updated versions of a CA's policy document(s) are uploaded to their own publicly accessible repository, and
- SHOULD ensure the updated versions of a CA's policy document(s) are submitted to the CCADB within 7 calendar days of the policy document's effective date, but MUST do so within 14 calendar days.
The CP/CPS information was not updated within the required 14 calendar days.
Entrust updated CCADB on 2025-03-25 approximately 14:30 UTC.
- Relevant policies: Chrome Root Program Policy, Version 1.6, Section 2.3 Policy Disclosures requires updated versions of a CA's policy document(s) are submitted to the CCADB within 7 calendar days of the policy document's effective date, but MUST do so within 14 calendar days.
- Source of incident disclosure: We became aware of this issue on 2025-03-25 (00:46 UTC), when a member of Sectigo’s team advised that the CP/CPS was out of sync in CCADB.
Comment 3•25 days ago
We are currently drafting the Final Incident Report.
Comment 4•22 days ago
Full Incident Report
Summary
- CA Owner CCADB unique ID: A011701
- Incident description:
- On 2025-03-25 (00:46 UTC), Entrust received notice from Sectigo which stated:
“crt.sh is flagging an inconsistent CPS issue for SSL.com at https://crt.sh/mozilla-disclosures#disclosedwithinconsistentcps. This is actually an Entrust incident as Entrust has cross certified SSL.com but didn't update the corresponding CCADB record when SSL.com last updated its CP/CPS. This is identical to a bug Sectigo recently opened against ourselves after SSL.com failed to notify us of CP/CPS updates.”
“In this case, SSL.com marked its previous CP/CPS version as Superseded in CCADB, and that detail propagated to the CCADB record under Entrust's control. Consequently, that CCADB record now only has Superseded CP/CPS info associated with it. This record is at https://ccadb.my.site.com/s/account/001TO00000HU8cgYAD/sslcom-tls-rsa-root-ca-2022.”
- This is considered an incident with the Chrome Root Program Policy Section 2.3 which states:
The Chrome Root Program considers CA policy documentation disclosed to the CCADB to be authoritative. Before corresponding policy changes are put into practice, Chrome Root Program Participants:
- MUST minimally ensure the updated versions of a CA's policy document(s) are uploaded to their own publicly accessible repository, and
- SHOULD ensure the updated versions of a CA's policy document(s) are submitted to the CCADB within 7 calendar days of the policy document's effective date, but MUST do so within 14 calendar days.
- The CP/CPS information was not updated within the required 14 calendar days.
- Timeline summary:
- Non-compliance start date: 2025-03-18
- Non-compliance identified date: 2025-03-25
- Non-compliance end date: 2025-03-25
- Relevant policies: Chrome Root Program Policy, Version 1.6, Section 2.3 Policy Disclosures
- Source of incident disclosure: Third Party Reported
Impact
- Total number of certificates: 0
- Total number of "remaining valid" certificates: 0
- Affected certificate types: N/A
- Incident heuristic: No certificates were impacted.
- Was issuance stopped in response to this incident, and why or why not?: There were no mis-issued certificates, so issuance was not stopped.
- Analysis: N/A
- Additional considerations: N/A
Timeline
All times are UTC.
2024-10-16:
- Entrust issued cross-certificate to SSL.com as part of the Registration Authority agreement. Entrust uploaded the certificate to CCADB and referred to it in the CP/CPS information.
2025-03-04:
- SSL.com published CP/CPS v1.23.
2025-03-25:
- 00:46: Sectigo notified Entrust the CP/CPS information for the CA certificate was not up to date.
- 14:30: Entrust updated the CP/CPS information.
Related Incidents
Bug | Date | Description |
---|---|---|
#1942651 | 2025-01-20 | Late disclosure of updated CP/CPS to CCADB |
#1945536 | 2025-02-03 | Outdated CPS for 13 Roots in CCADB |
#1946418 | 2025-02-06 | Self-assessment upload to CCADB was 21 days late |
#1948600 | 2025-02-17 | New CPS was not uploaded to CCADB within 14 days |
Root Cause Analysis
Contributing Factor #1: Communications
- Description: Entrust and SSL.com did not continue to have ongoing compliance communications after the WebTrust for RA point-in-time audit was complete. Continual meetings would have ensured both parties would know of significant changes impacting policy. We also did not update the process to ensure the owner (i.e., issuer) of the cross-certificate was advised when information such as the CP/CPS was updated.
- Timeline: At the latest the process should have been updated by 2024-10-16, when the cross-certificate was issued.
- Detection: A third party detected that the CP/CPS was out of date in CCADB. This was done by examining the data at https://crt.sh/mozilla-disclosures#disclosedwithinconsistentcps. CCADB errors are found at the CCADB home page, but CCADB does not provide an error when the CP/CPS is out of date or when a CA certificate is associated to a superseded CP/CPS.
- Interaction with other factors: The CCADB CP/CPS out of sync error could also apply to a CCADB self-assessment out of sync error, since the certificate owner also has to update this field.
- Root Cause Analysis methodology used:
Lessons Learned
What went well
- No certificates were mis-issued.
- Subscribers and Relying parties could view the correct CP/CPS from the SSL.com repository.
- The information was updated on the day of detection.
What didn't go well
- CCADB was out of date for a cross-certificate, since there was no process put in place to provide information when CA information is updated.
Where we got lucky
- A third party detected and quickly reported the error.
Action Items
Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
---|---|---|---|---|---|
Set up a standing monthly call with SSL.com | Prevent | Root Cause # 1 | Standing monthly call will help both parties understand what is in the pipeline, which may provide up front notice of a CA change in the future. | 2025-03-31 | Done |
Work with SSL.com to create a procedure to advise Entrust when relevant CA information is updated | Prevent | Root Cause # 1 | Advising of a CA information change in a process driven way will help ensure updates are made on a timely basis. | 2025-03-31 | Done |
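The detection gap described under Contributing Factor #1 (CCADB raises no error when a cross-certificate record is tied only to a Superseded CP/CPS, or when the operator's newer CP/CPS has passed the 14-day disclosure window) can be covered by a self-check the issuing CA runs against its own records. The following is an added example written for this bug, not Entrust's or CCADB's code; the record and field names are assumed, and the sample data is constructed from the timeline above (v1.23 effective 2025-03-04, detection on 2025-03-25).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Chrome Root Program Policy s2.3: CP/CPS MUST reach CCADB within 14 calendar days
DEADLINE = timedelta(days=14)

@dataclass(frozen=True)
class PolicyDoc:
    version: str
    effective: date
    status: str           # CCADB marks each CP/CPS "Current" or "Superseded"

@dataclass(frozen=True)
class CcadbRecord:
    name: str             # CA certificate record (assumed field names throughout)
    owner: str            # CCADB account responsible for keeping the record current
    docs: tuple           # PolicyDoc entries associated with this record

def current_doc(docs):
    """Newest policy document still marked Current, or None if all are Superseded."""
    cur = [d for d in docs if d.status == "Current"]
    return max(cur, key=lambda d: d.effective) if cur else None

def check_record(rec, operator_docs, today):
    """Return findings for a cross-certificate record, compared with the docs
    the operating CA publishes on its own record. Empty list means in sync."""
    findings = []
    rec_cur = current_doc(rec.docs)
    if rec_cur is None:
        findings.append("record has only Superseded CP/CPS associated with it")
    op_cur = current_doc(operator_docs)
    if op_cur and (rec_cur is None or rec_cur.version != op_cur.version):
        overdue = (today - op_cur.effective - DEADLINE).days
        if overdue > 0:
            findings.append(f"CP/CPS v{op_cur.version} (effective {op_cur.effective}) "
                            f"undisclosed, {overdue} day(s) past the 14-day deadline")
        else:
            findings.append(f"CP/CPS v{op_cur.version} undisclosed, {-overdue} day(s) left")
    return findings

# Constructed sample mirroring the incident: the operator's record carries v1.23
# (effective 2025-03-04, per the timeline) while the issuer-owned cross-certificate
# record still points only at the superseded predecessor ("1.22" is a constructed label).
SSLCOM_DOCS = (PolicyDoc("1.22", date(2024, 9, 1), "Superseded"),
               PolicyDoc("1.23", date(2025, 3, 4), "Current"))
CROSS_CERT_RECORD = CcadbRecord("SSL.com TLS RSA Root CA 2022", "Entrust",
                                (PolicyDoc("1.22", date(2024, 9, 1), "Superseded"),))
if __name__ == "__main__":
    for f in check_record(CROSS_CERT_RECORD, SSLCOM_DOCS, date(2025, 3, 25)):
        print("FINDING:", f)
```

Run daily against the issuer's own cross-certificate records, the check turns the third-party crt.sh discovery into an in-house alert on or before the non-compliance start date (effective date plus 14 days).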
Comment 5•15 days ago
Report Closure Summary
- Incident description: Cross-certified root CA CP/CPS not updated in CCADB, after the CP/CPS was updated by the operator of the root CA.
- Incident Root Cause(s): The two CA companies did not ensure the compliance teams were up to date on the technical changes the operation teams were putting in place. This also meant that the communication between CAs was not effective when changes were implemented.
- Remediation description: Standing monthly call implemented to help both parties understand what is in the pipeline, which may provide up front notice of a CA change in the future. Procedure has been updated to advise the cross-certificate CA information changes in a process driven way, which will help ensure updates are made on a timely basis.
- Commitment summary: Entrust will continue to improve communications with all parties in the TLS ecosystem to help ensure smooth operations and protect the relying parties.
All Action Items disclosed in this report have been completed as described, and we request its closure.
Comment 6•7 days ago
Continuing to monitor this bug. All items are completed. We request bug closure.
Comment 7•8 hours ago
We are continuing to monitor this bug. All items are completed. We request bug closure.