Hi Ben, Ryan, Burton and all:

Camerfirma will present its claims based on a description of the problems found 
by associating the references to the specific bugs. 
After making a complete analysis of the bugs as presented by Ben, always 
considering that bugs are the main source of truth, we see that the 
explanations offered by Camerfirma could generally be better developed. We hope 
to make up for these deficiencies with this report.
We have included a list of issues that we consider to be fully addressed in the 
Appendix I: State of the fixed issues. 

We will classify the issues in different categories:
•       SUBCA SUPERVISION 
•       REVOCATION DELAYS
•       TECHNICAL ISSUES AND AUTOMATISMS 
1.- SUBCA SUPERVISION 

MULTICERT, INFOCERT, INTESA SANPAOLO.
Issue H: Non-compliant OCSP Responders by Third-Party Subordinates (Dec. 2017)
Issue R: Failure to disclose unconstrained sub-CA (DigitalSign) (2018)
Issue T: Failure to disclose unconstrained sub-CA (MULTICERT) (2018 - 2020)
Issue X: MULTICERT Misissuance (2018 - 2019)
Issue Z: Intesa Sanpaolo Misissuance (2017 - 2020)
Issue BB: Failure to revoke underscores (2019)
Issue DD: Infocert Misissuance (2017 - 2020)
Issue PP: Failure to disclose unconstrained Sub-CA (Government of Andorra) 
(2013 - 2019)
Issue RR: Failure to disclose unconstrained Sub-CA (Intesa Sanpaolo and 
Infocert) (2018 - 2020)
Issue TT: Certificate with Incorrect OrganizationName (Nov. 2020)

In addition to the following requirements stated in the Mozilla policy and just 
put in place:
•       Requirement of a point-in-time audit (PIT) and report (at the 
beginning of each new CA)
•       Requirement of the annual audits and report (from the creation of each 
Intermediate CA)
We are currently carrying out additional controls on the activities of the 
organizations that manage intermediate CAs with different implementation time 
frames:
•       Adoption of a centralised linter (the same one used by Camerfirma) by 
all intermediate CAs before issuing certificates. (March 2019 Multicert and 
April 2019 Infocert and Intesa Sanpaolo)
•       Contractual reinforcement of Camerfirma's rights with regards to the 
activities carried out by Intermediate CAs and their obligation to a periodic 
communication. (October 2019).
•       Contractual rights and tools for Camerfirma to insource, when deemed 
appropriate, intermediate CAs operational activities in order to be able to 
apply all needed (and already implemented for Camerfirma CAs) controls and to 
force certificate revocation in a timely manner.
Planned changes:
•       Stop the issuance of certificates. (January 2021)
•       Implementation of Intermediate CA PIT. (January 2021)
•       Audit by Camerfirma of 100% of the active certificates issued (task 
to be carried out during January 2021)
•       Change in the audit process. We are currently requesting the audit 
report to be issued by a recognised auditor. The new process will require the 
audit to be carried out by an auditor selected by Camerfirma. (All new audits 
from January 2021)
•       Technical environment set-up and procedural definition to be able to 
insource the management of operational activities of intermediate CAs by the 
first half of 2021
3.- REVOCATION DELAYS

Issue D: Duplicate subjectAlternativeNames and incorrect Subject fields (April 
2017)
Issue J: Invalid DNS names within certificates (August 2017)
Issue L: Invalid subjectAlternativeName within certificates (July 2017)
Issue N: Improper issuance and failure to revoke intranet certificates (2015 - 
2017)
Issue X: MULTICERT Misissuance (2018 - 2019)
Issue Z: Intesa Sanpaolo Misissuance (2017 - 2020)
Issue BB: Failure to revoke underscores (2019)
Issue PP: Failure to disclose unconstrained Sub-CA (Government of Andorra) 
(2013 - 2019)
Issue DD: Infocert Misissuance (2017 - 2020)
Issue LL: Invalid authorityKeyIdentifier (2003 - 2020)
Issue NN: Incorrect OCSP Delegated Responder Certificate (2013 - 2020)
We face the problem when customers ask for more time to complete certificate 
substitution in their own applications. 
Controls already in place:
•       All our External Intermediate CAs and clients have accepted new general 
terms and conditions allowing Camerfirma to revoke all the problematic 
certificates without their permission if necessary (October 2019). There are 
not so many problems in reissuing some hundreds of certificates in a couple of 
days; the problem is awaiting critical customer activities (for example Intesa 
Sanpaolo, one of the largest banks in Europe) before being able to revoke the 
misissued certificates.
•       We have developed and started using a massive revocation and 
substitution tool to be more effective in that process. (June 2020).

After implementing all those measures, we have noticed that they were not 
enough to comply with the required deadlines, and we are planning to 
incorporate the following additional measures: 

•       Implement ACME to control the revocations and substitution 
automatically (planned for June 2021 for Camerfirma infrastructure and to be 
designed for the Intermediate CAs)
•       Limit the number of DNS names that can appear in a certificate to make 
the substitution easier (planned for March 2021 for Camerfirma infrastructure 
and to be designed for the Intermediate CAs)
•       Have the contractual right and the operational procedures in place to 
insource the management of all the operational activities of the intermediate 
CAs (June 2021)

Only in some specific cases, where a fast revocation could have caused much more 
damage (to the impacted client) than benefit (to the entire community), did we 
ask the community for some extra time. 

4.- TECHNICAL ISSUES AND AUTOMATISMS

Issue D: Duplicate subjectAlternativeNames and incorrect Subject fields (April 
2017)
Issue H: Non-compliant OCSP Responders by Third-Party Subordinates (Dec. 2017) 
Issue J: Invalid DNS names within certificates (August 2017) 
Issue L: Invalid subjectAlternativeName within certificates (July 2017)
Issue P: Invalid characters within the OU field (2018)
Issue X: MULTICERT Misissuance (2018 - 2019)
Issue Z: Intesa Sanpaolo Misissuance (2017 - 2020)
Issue BB: Failure to revoke underscores (2019)
Issue DD: Infocert Misissuance (2017 - 2020)
Issue NN: Incorrect OCSP Delegated Responder Certificate (2013 - 2020) 
Issue LL: Invalid authorityKeyIdentifier (2003 - 2020)
Issue UU: Certificate for unregistered domain (Oct. 2020)

Regarding the automations, these are currently implemented:
•       Control of the DNS and Email domain (August 2020)
•       CT Control (April 2017)
•       Control cablint, x509lint and zlint (pre-issuance - post-issuance) 
(January 2019) 
•       Syntax control of the domain (August 2020) 
•       Control of black and white lists of domains (August 2020) 
•       Automatic verification of CAA (June 2020)
•       Additional automatic control to verify the correction of AKI extension 
before certificate issuance (April 2020)
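As an added illustration of the kind of pre-issuance controls listed above (duplicate SAN entries, DNS-name syntax, underscores, AKI matching the issuer's SKI, CAA evaluation, domain blocklists and removal of the OU field), here is a small policy checker written for this page. It is not Camerfirma's tooling and not any of the named linters (cablint, x509lint, zlint); the CAA table, the blocklist, the CA identity `ca.example` and the key identifiers are constructed sample data, and `CertRequest` is a simplified stand-in for a parsed request rather than a real X.509 structure.

```python
"""Constructed example: pre-issuance policy checks on a TLS certificate request."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Identity this hypothetical CA expects in CAA "issue"/"issuewild" records (constructed).
CA_CAA_IDENTITY = "ca.example"

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


@dataclass
class CertRequest:
    subject: Dict[str, str]          # e.g. {"CN": ..., "O": ..., "OU": ...}
    dns_names: List[str]             # requested SAN dNSName entries
    issuer_ski: bytes                # SubjectKeyIdentifier of the issuing CA
    aki: Optional[bytes] = None      # AuthorityKeyIdentifier the certificate would carry


def check_dns_name(name: str) -> List[str]:
    """Syntax checks on a single dNSName; returns a list of problem strings."""
    problems = []
    lowered = name.lower()
    try:
        ipaddress.ip_address(lowered)
        return [f"{name}: IP address in dNSName"]      # belongs in iPAddress, not dNSName
    except ValueError:
        pass
    if lowered.endswith("."):
        problems.append(f"{name}: trailing dot not allowed in dNSName")
        lowered = lowered[:-1]
    if "_" in lowered:
        problems.append(f"{name}: underscore in DNS name")
    if len(lowered) > 253:
        problems.append(f"{name}: name longer than 253 octets")
    labels = lowered.split(".")
    if len(labels) < 2:
        problems.append(f"{name}: bare label, not a FQDN")
    for i, label in enumerate(labels):
        if label == "*" and i == 0:
            continue                                     # leftmost wildcard label is fine
        if "*" in label:
            problems.append(f"{name}: wildcard only allowed as the leftmost label")
        elif not LABEL_RE.match(label):
            problems.append(f"{name}: invalid label {label!r}")
    return problems


def caa_permits(name: str, caa_records: Dict[str, List[Tuple[str, str]]]) -> bool:
    """Relevant-RRset walk in the style of RFC 8659 over a constructed CAA table."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = caa_records.get(".".join(labels[i:]))
        if rrset is None:
            continue                                     # climb one label towards the root
        issue = [v for tag, v in rrset if tag == "issue"]
        issuewild = [v for tag, v in rrset if tag == "issuewild"]
        applicable = issuewild if (wildcard and issuewild) else issue
        if not applicable:
            return True                                  # no issue property restricts this name
        # "issue ;" (empty issuer) forbids every CA; the value may carry ;-separated parameters.
        return any(v.split(";")[0].strip() == CA_CAA_IDENTITY for v in applicable)
    return True                                          # no CAA anywhere in the tree


def check_request(req: CertRequest, caa_records, blocked_suffixes: List[str]) -> List[str]:
    """Run every policy check and collect all findings instead of stopping at the first."""
    problems = []
    seen = set()
    for n in req.dns_names:
        key = n.lower().rstrip(".")
        if key in seen:
            problems.append(f"{n}: duplicate dNSName")
        seen.add(key)
        problems.extend(check_dns_name(n))
        if any(key == s or key.endswith("." + s) for s in blocked_suffixes):
            problems.append(f"{n}: domain on blocklist")
        elif not caa_permits(n, caa_records):
            problems.append(f"{n}: CAA does not authorise this CA")
    if req.aki != req.issuer_ski:
        problems.append("AKI does not match issuer SKI")
    if "OU" in req.subject:
        problems.append("OU present in subject; profile no longer allows it")
    return problems


# Constructed sample data for the demonstration below.
CAA_TABLE = {
    "example.com": [("issue", "ca.example")],
    "other.example": [("issue", ";")],                   # nobody may issue
    "wild.example": [("issue", "ca.example"), ("issuewild", "someone-else.example")],
}
BLOCKED = ["banned.example"]
ISSUER_SKI = bytes.fromhex("0102030405")                 # constructed key identifier


def demo_ok() -> List[str]:
    req = CertRequest({"CN": "www.example.com", "O": "Example Org"},
                      ["www.example.com", "example.com"], ISSUER_SKI, aki=ISSUER_SKI)
    return check_request(req, CAA_TABLE, BLOCKED)


def demo_bad() -> List[str]:
    req = CertRequest({"CN": "www.example.com", "O": "Example Org", "OU": "IT"},
                      ["www.example.com", "WWW.example.com.", "my_host.example.com",
                       "*.wild.example", "api.other.example", "1.2.3.4", "x.banned.example"],
                      ISSUER_SKI, aki=b"\x00")
    return check_request(req, CAA_TABLE, BLOCKED)


if __name__ == "__main__":
    for p in demo_bad():
        print("REJECT:", p)
```

Each finding is collected rather than aborting on the first one, so a single rejected request tells the operator everything that must change; the checks are deliberately independent of any ASN.1 library so they can sit in front of a real linter as an extra gate.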

New controls:
•       Control of suspicious activity patterns. (March 2021)
•       Removal of fields such as OU from the profile, and avoidance of other 
manually filled fields not validated in the certificate content. We have an 
exception for Spanish Public Administration requirements, where the OU field is 
mandatory for Spanish CAs (discussion 
https://github.com/cabforum/servercert/pull/225 ) (from January 2021).

Besides, in order to be as transparent as possible, each time we discover a new 
misissued certificate, we will review our internal procedure to make sure that 
such situations are always promptly disclosed at https://misissued.com 
(for all new certificates detected from now on).
Other controls for the incorporation of correct information in fields that 
automatic controls cannot check, for example: 

-       Issue HH: EV Certificates with wrong businessCategory (2018 - 2019)
BUG 1600114 Information that shall be included in the BusinessCategory field of 
the EV certificates. If some EV certificates were issued with wrong values 
(there are four values that can be used) 
-       Issue D: Duplicate subjectAlternativeNames and incorrect Subject fields 
(April 2017)
BUG 1667430 Interpretation of what values can be placed in the 
stateOrProvinceName field
The audit process is the most effective answer to such residual problems. We 
will audit 100% of the certificates issued to detect wrong values in all the 
certificate's fields (100% of certificates issued till January 2021).
Additionally, we must consider the importance of dedicated resources, because 
it has been an important aspect that has influenced past registered issues.
We think that thanks to the increased team, as described before, we have 
achieved a better issue and compliance management. For the future, our 
objective is to have a more proactive attitude to avoid incidents instead of a 
reactive action to quickly fix them.
Adding more employees, by itself, cannot be considered a solution. But the 
origin of some of the issues is a poor follow-up. This is the case with bugs, 
audits, activities of Intermediate CAs or matters concerning the community. 
Therefore, we believe that a proper sizing of the team can be considered an 
important structural change.  Right sizing the department will improve 
operational and administrative management processes. Coupled with the 
automation of the processes to minimize manual operations, this will give us 
the quality we aim for.

Planned Changes:
•       The exclusive dedication of the quality area in Camerfirma to the 
management of SSL certificates reinforced with a new recruitment to check 100% 
SSL certificates issued. (January 2021)
•       Increase resources exclusively dedicated during the next year to the 
creation and maintenance of automatisms in the process of generating SSL 
certificates. (January 2021)

Appendix I: State of the issues

Closed and remediated issues:
-       Issue B: Delegation of validation to StartCom following Mozilla's 
distrust of StartCom (March 2017) 
-       Issue F: Ignoring CAA based on another CA's Certificate Transparency 
disclosure (Nov. 2017)
-       Issue P: Invalid characters within the OU field (2018).
-       Issue V: Audit Qualifications (2017 - 2018).
-       Issue H: Non-compliant OCSP Responders by Third-Party Subordinates 
(Dec. 2017). 
-       Issue LL: Invalid authorityKeyIdentifier (2003 - 2020).

Closed but not considered remediated issues:
-       Issue JJ: Unresolvable Gap in Audits (Camerfirma) (2018 - 2019). 
-       Issue FF: Intentional unrevocation of externally-operated sub-CA (2019).
Regards
Ramiro. 
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy