Bug 1970567 - ANF AC: Finding #4 ETSI Audit - Missing one Revocation circumstance on CPS
Status: RESOLVED FIXED (Closed)
Opened 10 months ago; closed 9 months ago
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: yulier.nunez; Assigned: yulier.nunez
Whiteboard: [ca-compliance] [audit-finding]
Description
NC4. 6.3.9 Certificate revocation and suspension Revocation circumstances actions explanation shall be improved. It needs the addition of the following circumstance: “the used cryptography is no longer ensuring the binding between the subject and the public key” [REV-6.3.9-02]
Full Incident Report
Summary
- CA Owner CCADB unique ID: A000269
- Incident description: During the review of the revocation policy (section 4.9.1 of the Certification Policies and Practices document v3.9 - OID 1.3.6.1.4.1.18332.1.9.1.1), it was detected that the published version was missing the clause that required revoking a certificate when the cryptography used no longer guaranteed the binding between the subject and its public key. ANF AC’s compliance team considered that this requirement was already covered by section 4.9.1 “Revocation Circumstances” as well as by clause 5.7.3 “Procedures for CA private key or cryptographic suite compromise.” However, external auditors determined that it must appear explicitly in accordance with ETSI EN 319 401 requirements.
- Timeline summary:
  - Non-compliance start date: 2025-01-15 (publication of version 3.9 of the document)
  - Non-compliance identified date: 2025-02-14
  - Non-compliance end date: 2025-02-20 (publication of corrected version 3.10 of the CP&C)
- Relevant policies:
  - Certification Practices Statement – OID 1.3.6.1.4.1.18332.1.9.1.1
  - ETSI EN 319 401
- Source of incident disclosure: Detected by external auditor during the annual conformity assessment audit (ETSI EN 319 401)
Impact
- Total number of certificates: 0
- Total number of "remaining valid" certificates: 0
- Affected certificate types: N/A (documentation-only issue, not issuance-related)
- Incident heuristic: Procedural/documentation non-compliance
- Was issuance stopped in response to this incident, and why or why not?: No. It was solely a wording issue; no issuance flow was halted, nor did it affect the validity of existing certificates.
- Analysis: In version 3.9 of the Certification Policies and Practices document (OID 1.3.6.1.4.1.18332.1.9.1.1), ANF AC’s compliance team believed that the scenario of revoking a certificate when the cryptography used no longer guaranteed the binding between the subject and its public key was already covered both in section 4.9.1 “Revocation Circumstances” and in section 5.7.3, which establishes a “Continuity and Recovery Plan” for situations where advances in techniques could jeopardize the security of algorithms or key sizes. Due to that dual assumption (implicit in sections 4.9.1 and 5.7.3), the explicit clause was omitted from section 6.3.9. External auditors concluded that this generic phrasing was insufficient to meet the ETSI EN 319 401 requirement of having an explicit revocation criterion for cryptographic obsolescence.
- Additional considerations:
  - Although the technical capability to revoke certificates for cryptographic weaknesses is covered in section 5.7.3, the ETSI auditor requires section 6.3.9 to explicitly list the circumstance as a revocation reason.
  - The ambiguity over whether the “cryptographic obsolescence” point was implicitly covered could have caused confusion in future external reviews or in software implementations handling automated revocations.
  - There was no operational or security impact during the omission period, but the lack of clarity in revocation policies could delay revocation decisions in the face of cryptographic vulnerabilities.
Timeline
| Date | Event |
|---|---|
| 2025-01-15 | Publication of version 3.9 of the Certification Policies and Practices document (OID 1.3.6.1.4.1.18332.1.9.1.1) (without the explicit clause requiring revocation of a certificate when the cryptography used no longer guarantees the binding between the subject and its public key) |
| 2025-02-14 | Omission (NC) detected by external auditors during the annual conformity assessment audit (ETSI EN 319 401) |
| 2025-02-15 | Root Cause Analysis begins; it is confirmed that the root cause was the assumption of implicit coverage (including clause 5.7.3) |
| 2025-02-20 | Publication of version 3.10 of the Certification Policies and Practices document (OID 1.3.6.1.4.1.18332.1.9.1.1) on ANF AC’s website, explicitly adding revocation for cryptographic obsolescence in clause 2.f), section 4.9.1 “Revocation Circumstances” |
Related Incidents
N/A – No related incidents.
Root Cause Analysis
Contributing Factor #1: Implicit assumption in existing wording (sections 4.9.1 and 5.7.3)
- Description: In version 3.9 of the Certification Policies and Practices document (OID 1.3.6.1.4.1.18332.1.9.1.1), it was assumed that the revocation reasons listed in section 4.9.1 already covered the circumstance of revocation when the cryptography used no longer guaranteed the binding between the subject and its public key. In addition, section 5.7.3 described how the CA would act if advances in techniques put algorithms or key sizes at risk. This dual assumption (implicit in 4.9.1 and 5.7.3) led to omitting the explicit clause in section 4.9.1.
- Timeline:
  - 2025-01-15: Publication of version 3.9 of the Certification Policies and Practices document (OID 1.3.6.1.4.1.18332.1.9.1.1) without the explicit clause requiring revocation of a certificate when the cryptography used no longer guarantees the binding between the subject and its public key.
  - 2025-02-14: Omission (NC) detected by external auditors during the annual conformity assessment audit (ETSI EN 319 401).
- Detection: The omission was detected by external auditors.
- Interaction with other factors: Reliance on section 5.7.3: It was assumed that 5.7.3 indirectly covered revocation when the cryptography used no longer guaranteed the binding between the subject and its public key.
- Root Cause Analysis methodology used: “5 Whys” approach, which, along with external auditors’ comments, identified that the root cause was an erroneous assumption of implicit coverage of the requirement, based on prior interpretations of other clauses (4.9.1 and 5.7.3).
Lessons Learned
- What went well: The correction and publication of the updated CPS version was completed in less than a week after detecting the omission.
- What didn’t go well: Excessive reliance on section 5.7.3 to cover “cryptographic obsolescence.”
- Where we got lucky: No certificates were issued with insecure algorithms during the period when the clause was missing.
- Additional: Clear textual wording in regulatory policies eliminates ambiguities in future audits or automated revocation implementations.
Action Items
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Define and document a checklist of “required clauses” for section 4.9.1 Revocation Circumstances | Prevent | Implicit assumption (Root Cause #1) | Validated and approved checklist; version 3.10 contains all critical clauses | 2025-03-05 | Complete |
Appendix
N/A. This incident has not led to any misissued certificates.
Report Closure Summary
- Incident description: Version 3.9 of the Certification Practices Statement (OID 1.3.6.1.4.1.18332.1.9.1.1), section 4.9.1 “Revocation Circumstances,” was published without the clause stating that “when the cryptography used no longer ensures the binding between the subject and the public key, the certificate must be revoked.” This occurred because it was assumed that this obligation was implicitly covered by existing sections 4.9.1 and 5.7.3.
- Incident Root Cause(s): Erroneous assumption of implicit coverage: it was thought that the obligation to revoke for cryptographic obsolescence was already contemplated in the general revocation criteria (4.9.1) and in the CA’s Continuity Plan (5.7.3).
- Remediation description: Version 3.10 was published to correct the omission. The necessary clause was added verbatim to 4.9.1, item 2.f), and processes were updated to prevent future errors due to implicit interpretation.
- Commitment summary: The CA commits to maintaining a checklist of “required clauses” for section 4.9.1 Revocation Circumstances.
All Action Items are completed according to their defined deadlines. We request formal closure of this non-conformity.
Updated 10 months ago
- Assignee: nobody → yulier.nunez
- Status: UNCONFIRMED → ASSIGNED
- Ever confirmed: true
- Whiteboard: [ca-compliance] [audit-finding]
Comment 1 (9 months ago)
This is a final call for comments or questions on this Incident Report.
Otherwise, it will be closed on approximately 2025-07-08.
- Flags: needinfo?(incident-reporting)
- Whiteboard: [ca-compliance] [audit-finding] → [close on 2025-07-08] [ca-compliance] [audit-finding]
Updated 9 months ago
- Status: ASSIGNED → RESOLVED
- Closed: 9 months ago
- Flags: needinfo?(incident-reporting)
- Resolution: --- → FIXED
- Whiteboard: [close on 2025-07-08] [ca-compliance] [audit-finding] → [ca-compliance] [audit-finding]