The following incident report regarding the item of undisclosed certificates has recently been posted to
https://bugzilla.mozilla.org/show_bug.cgi?id=1455132

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

SwissSign was notified about the 5 undisclosed intermediate certificates via the mozilla.dev.security.policy forum on 2018-10-09:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Xb1VILzt9xk/tpW8tiE5BAAJ

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

Actions taken:
2018-10-09: Incident notification via the mozilla.dev.security.policy forum
2018-10-10: The 5 undisclosed certificates (see comment #7) were carefully examined by SwissSign and immediately disclosed, on 2018-10-10, the day after the notification.
2018-10-10: Juerg Eiholzer wrote an update comment (comment #9)
2018-10-15: Juerg Eiholzer provides the incident report

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

We didn't stop the CA from issuing certificates, because we immediately solved the problem of the undisclosed intermediate certificates and no misissuance of leaf certificates happened.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

There is neither evidence nor indication that misissuance of leaf certificates occurred.

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

n/a, since no real misissuance happened.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

SwissSign's process for the retrospective correction of the disclosure of the intermediate certificates didn't work properly. This is especially due to the change of responsible persons within the organization.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

SwissSign checked the description of the key ceremony procedure against the disclosure requirements stated in Mozilla Root Store Policy Version 2.6.1, section 5.3.2. The explicit task "disclosure of CA within 7 days" is mentioned and is part of the ceremony protocol, including notification to the SwissSign compliance office, which is responsible for the entry in the CCADB. Training of the responsible staff took place again.

2018-10-15 / [email protected]

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

