Status: RESOLVED FIXED
Product: NSS
Component: CA Certificate Root Program
Importance: -- enhancement
Reported: 7 years ago
Modified: 8 months ago

People

(Reporter: Kathleen Wilson, Assigned: Kathleen Wilson)

Whiteboard: Incident Action Items

Description (Assignee), 7 years ago
The purpose of this bug is to track the remaining action items for Comodo as a result of the incident of compromised RAs. 

As an immediate response to the incident Comodo removed RA privileges from all of their enterprises/partners/resellers.  All validation and checking previously being implemented by those external partners is currently being undertaken by Comodo internally. It is Mozilla’s expectation that Comodo will not re-enable any RAs until the following action items have been completed.

1) Have WebTrust auditors report on Comodo’s assertion that Comodo (and not a third party) is performing domain control checking for all SSL certificates being issued.

2) Implement 2-factor authentication for any account that can approve or issue certs on behalf of Comodo.

3) Restrict RAs to certain IPs.

4) Implement a hierarchy of internally-operated intermediate CAs for single or related groups of RAs.

5) Implement high-value domain flagging and apply it to all orders placed through any account, without exception.

6) Have WebTrust auditors report on Comodo’s assertions that the controls listed above are in place, and make this audit report available to Mozilla. 

7) Update Comodo’s CP/CPS to include the items listed above, so they will be checked in all future annual audits.
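The flagging control in item 5, illustrated with added example code (not Comodo's code and not part of this bug): the protected-domain list, the Order fields and the channel names are assumptions made for the example, and the first decision function shows, purely for contrast, a flow in which a trusted channel bypasses the flag, which is exactly the exception that "without exception" removes.

```python
"""High-value domain flagging applied to every certificate order.

Added illustration only: not Comodo's code. The protected-domain list,
the Order fields and the channel names are assumptions made for the example.
"""
from dataclasses import dataclass
import unicodedata

# Constructed sample list of high-value domains (assumption for the example).
HIGH_VALUE_DOMAINS = frozenset({"bigbank.example", "mail.example.net"})


def normalize(name: str) -> str:
    """Fold case and Unicode compatibility forms and drop the trailing dot so
    variants of the same name compare equal."""
    return unicodedata.normalize("NFKC", name).strip().rstrip(".").lower()


def flag_reasons(requested: str, high_value=HIGH_VALUE_DOMAINS) -> list:
    """Return the reasons an order for `requested` must go to manual vetting
    (an empty list means no high-value match)."""
    name = normalize(requested)
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    reasons = []
    for hv in sorted(high_value):
        if base == hv:
            reasons.append(f"exact match of {hv}")
        elif base.endswith("." + hv):
            reasons.append(f"subdomain of {hv}")
        elif wildcard and hv.endswith("." + base):
            # A wildcard one level above a protected name would cover it.
            reasons.append(f"wildcard {name} would cover {hv}")
    if reasons:
        return reasons
    # Lookalike check: any label that embeds a protected brand label
    # (the left-most label of a high-value domain), e.g. 'bigbank-login'.
    brands = {hv.split(".")[0] for hv in high_value}
    for label in base.split("."):
        for brand in sorted(brands):
            if brand in label:
                reasons.append(f"label '{label}' embeds protected label '{brand}'")
    return reasons


@dataclass(frozen=True)
class Order:
    domain: str
    account: str
    channel: str  # assumed values: "direct", "ra", "reseller"


def bypassing_decision(order: Order) -> str:
    """Flow with an exception (for contrast only; an assumption, not a
    description of any real system): RA-channel orders skip the flag because
    the RA is trusted to have done its own checks."""
    if order.channel == "ra":
        return "issue"
    return "manual-vetting" if flag_reasons(order.domain) else "issue"


def uniform_decision(order: Order) -> str:
    """Corrected flow per action item 5: the flag is evaluated for every
    order, whatever account or channel it came through."""
    return "manual-vetting" if flag_reasons(order.domain) else "issue"


if __name__ == "__main__":
    sample = Order("www.bigbank.example", "reseller-42", "ra")  # constructed
    print(bypassing_decision(sample), uniform_decision(sample))
```

The lookalike match on labels is deliberately broad: a hit routes the order to manual vetting rather than rejecting it, so a false positive costs an analyst's time, not a customer's order, while a missed hit on a high-value name is the failure the control exists to prevent.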
Updated (Assignee), 7 years ago
Status: NEW → ASSIGNED

Comment 1, 7 years ago
Hi Kathleen,
Our progress on these items is as follows:

1) Auditors report
I confirm that it is our intention to do this.  I don't yet have a date, but I will update this bug when I do.

2) 2 Factor authentication for accounts that can approve or issue.
The roll-out of this is in progress and we expect it to be completed on or before 2nd June 2011.

3) Restrict RAs to certain IPs
This has been implemented.

4) Hierarchy of internally-operated intermediate CAs for single or related groups of RAs
This has been implemented for Server certificates, and we expect it to be completed for object-signing and client and email certificates by 2nd June 2011.

5) Implement high-value domain flagging and apply it to all orders placed through any account, without exception.
This has been implemented.

6) Have WebTrust auditors report on Comodo’s assertions that the controls listed above are in place, and make this audit report available to Mozilla. 
I confirm that it is our intention to do this.  I don't yet have a date, but I will update this bug when I do.

Regards
Robin Alden
Comodo

Comment 2, 7 years ago
7) Update CP/CPS to include the items listed above, so they will be checked in all future annual audits.
In progress.  I will post here when the updates are published to our public repository.

Regards
Robin Alden
Comodo

Comment 3, 7 years ago
Hi Kathleen,
Some further progress to report.

1) Auditor's report on the fact of Comodo itself performing domain control checking for all SSL certificates being issued.
It is still our intention to do this.  I will update this bug when I have a firm date or at least further progress to report.
For clarity, Comodo does itself perform domain control checking for all SSL certificates being issued.  It is not the implementation of the control that is delayed, but the provision of an auditor's report.

2) 2 Factor authentication for accounts that can approve or issue.
This has been implemented.

3) Restrict RAs to certain IPs
This has been implemented.

4) Hierarchy of internally-operated intermediate CAs for single or related groups of RAs
This has been implemented.
The implementation is complete for Server certificates, object-signing, client, and email certificates.
We no longer issue direct from root certificates for any of these classes of subscriber certificate.

5) Implement high-value domain flagging and apply it to all orders placed through any account, without exception.
This has been implemented.

6) Have WebTrust auditors report on Comodo’s assertions that the controls listed above are in place, and make this audit report available to Mozilla. 
I confirm that it is our intention to do this.  I will get this done along with #1 and update this bug when I have further progress to report.

7) Update CP/CPS to include the items listed above, so they will be checked in all future annual audits.
Still in progress.  I will post here when the updates are published to our public repository.

Regards
Robin Alden
Comodo
Comment 4 (Assignee), 5 years ago
Hi Robin, 

Please update this bug with current status in response to Comment #3.

Also, what form of two-factor auth are you using per your response to action item #2? 

Regards,
Kathleen

Comment 5, 5 years ago
Hi Kathleen,
Here are some updates.  I regret that we have not yet been able to close this off.

> 1) Auditor's report on the fact of Comodo itself performing domain control
> checking for all SSL certificates being issued.
I should have a report from our auditors to provide to Mozilla shortly.  The production of the report has become entangled with the completion of our current WebTrust report and I think they will now be coming out together.

> 
> 2) 2 Factor authentication for accounts that can approve or issue.
I’ve been asked to provide information about the nature of the two-factor authentication we use.
The two factors we use for authentication are:
1) Something you know: - Username and password
2) Something you have: - A FIPS 140-2 certified smartcard (or USB token) containing an X.509 certificate with a 2048 bit RSA key.  The certificate is used to set up and maintain communication channels with SSL client authentication.

> 
> 3) Restrict RAs to certain IPs
> This has been implemented.
> 
> 4) Hierarchy of internally-operated intermediate CAs for single or related
> groups of RAs
We stopped issuing certificates from our Root CAs in 2011.
 
For each of the types (‘Usages’, really) of certificate we issue these are the dates we stopped issuing directly from a Root CA and also the latest expiry date of an end-entity certificate issued from a root.
 
Code-signing certificates: Last issued 7th June 2011.  Latest expiry 5th June 2016.
Client (& email) certificate: Last issued 7th June 2011.  Latest expiry 2nd June 2016.
Server (SSL) certificate: Last issued 8th April 2011.  Latest expiry 7th July 2016.
> 
> 5) Implement high-value domain flagging and apply it to all orders placed
> through any account, without exception.
> This has been implemented.
> 
> 6) Have WebTrust auditors report on Comodo’s assertions that the controls
> listed above are in place, and make this audit report available to Mozilla. 
> 
> 7) Update CP/CPS to include the items listed above, so they will be checked
> in all future annual audits.
Our latest CPS is at http://www.comodo.com/repository/Comodo_CA_CPS_4.0.pdf
Point #2 of this bug is dealt with in section 1.10.1
Point #3 of this bug is dealt with in the final paragraph of 1.10.
Point #4 of this bug is dealt with in section 1.8

Regards,
Robin
Comment 6 (Assignee), 5 years ago
(In reply to Robin Alden from comment #5)
> Here are some updates.  

Thanks!

I have reviewed CPS 4.0 and confirmed the updates as stated.

Actions items #1 and #6 regarding audit statements are still open.
Whiteboard: Actions #1 and #6 -- Audit Statements
Comment 7 (Assignee), 5 years ago
(In reply to Robin Alden from comment #5)
>> 1) Auditor's report on the fact of Comodo itself performing domain control
>> checking for all SSL certificates being issued.
>      I should have a report from our auditors to provide to Mozilla shortly.
> The production of the report has become entangled with the completion of our
> current WebTrust report and I think they will now be coming out together.
> 
> > 
> > 6) Have WebTrust auditors report on Comodo’s assertions that the controls
> > listed above are in place, and make this audit report available to Mozilla. 
> > 

Hi Robin,

Please update this bug with a link to the audit statement.

If the audit statement is not yet available, please provide a date when you think it will be.

Regards,
Kathleen

Comment 8, 5 years ago
Hi Kathleen,
We expect to have this report for 20th January.

Regards,
Robin
Comment 9 (Assignee), 5 years ago
(In reply to Robin Alden from comment #8)
> Hi Kathleen,
>   We expect to have this report for 20th January.


Please provide an update in this bug.

Comment 10, 5 years ago
Hi Kathleen,
I still don't have the report from the auditors.  The sample work is complete but I don't yet have a date for the report.
I hope to have it in the next two weeks.  I appreciate that we are stretching your patience with this item.  I will provide a weekly update to this bug until the report is delivered.

Regards
Robin

Comment 11, 5 years ago
(In reply to Robin Alden from comment #3)
> 6) Have WebTrust auditors report on Comodo’s assertions that the controls
> listed above are in place, and make this audit report available to Mozilla. 
> I confirm that it is our intention to do this.  I will get this done along
> with #1 and update this bug when I have further progress to report.
> 
> 7) Update CP/CPS to include the items listed above, so they will be checked
> in all future annual audits.
> Still in progress.  I will post here when the updates are published to our
> public repository.
> 
> Regards
> Robin Alden
> Comodo

2011-07-11 until 2013-03-07 and still no report?
Why is this not remarked in your report from March 31, 2012 at your WebTrust?

https://cert.webtrust.org/SealFile?seal=1410&file=pdf

Certainly your auditor must have been aware of this incident since this bug was public 27 days after your "audit".

In this same statement it says;
‘Comodo EV SGC SSL Certificate’ and ‘Comodo EV SSL Certificate’ products, during the period from April 1, 2011 through March 31, 2012, Comodo has:
• Disclosed its EV certificate life cycle management policies and procedures, including its commitment to provide EV certificates in conformity with the CA/Browser Forum Guidelines for Extended Validation, and provided such services in accordance with its disclosed practices in its Certificate Practice Statement

 and
• Maintained effective controls to provide reasonable assurance that:
- EV Subscriber information was properly collected, authenticated (for the registration activities performed by Comodo) and verified, and
- The integrity of keys and EV certificates it manages was established and protected throughout their life cycles.

^ This last line is rather interesting in this subject.
And yes, I quoted your EV audit, but it's the same statements in your CA Audit. Same period on this audit.
https://cert.webtrust.org/SealFile?seal=1409&file=pdf

I must ask on behalf of the general Mozilla users, why this timespan has been allowed? If I fail to deliver on a given date to ANY CA they will debit me.
I encourage Mozilla to be harder against CAs, so they will understand the seriousness in PKI. In light of all recent events the past years now, Mozilla must act a lot harder on any policy violation to make it publicly aware that it is not tolerable.
Comment 12 (Assignee), 5 years ago
I received an audit report about the procedures that Ernst & Young performed to confirm that Comodo (and not a third party) is performing domain control validation, that 2-factor authentication is in place, that RAs are restricted to certain IPs, and that high-value domain flagging is in place. 

The audit report contains company-sensitive information, so it cannot be attached to this bug. Mozilla CA policy and practice is to rely on documentation and audit statements that are publicly available.

Therefore, I asked the Comodo representatives to work with the auditor to create a public-facing summary statement that I may attach to this bug.
Comment 13 (Assignee), 5 years ago
AICPA auditors are not allowed to make public-facing audit statements outside the scope of approved audit criteria (e.g. WebTrust).

Now that there are audit criteria for the CA/Browser Forum Baseline Requirements, it is my opinion that the BR audit statement will be sufficient to satisfy the request for a public-facing audit statement to assert completion of the items in this bug. Relevant BRs include #11.1.1, #14.2.4, and #16.5.
Updated (Assignee), a year ago
Whiteboard: Actions #1 and #6 -- Audit Statements → Incident Action Items
Comment 14 (Assignee), a year ago
My opinion is that these action items were completed a while ago.
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED

Updated, 8 months ago
Product: mozilla.org → NSS