Hi Ben, Ryan, Burton and all:

Camerfirma will present its claims based on a description of the problems found 
by associating the references to the specific bugs.
After making a complete analysis of the bugs as presented by Ben, always 
considering that bugs are the main source of truth, we see that the 
explanations offered by Camerfirma could generally be better developed. We hope 
to make up for these deficiencies with this report.
We have included a list of issues that we consider to be fully addressed in the 
Appendix I: State of the fixed issues.

We will classify the issues in different categories:

•              SUBCA SUPERVISION

•              REVOCATION DELAYS

•              TECHNICAL ISSUES AND AUTOMATISMS
1.- SUBCA SUPERVISION

MULTICERT, INFOCERT, INTESA SANPAOLO.
Issue H: Non-compliant OCSP Responders by Third-Party Subordinates (Dec. 2017)
Issue R: Failure to disclose unconstrained sub-CA (DigitalSign) (2018)
Issue T: Failure to disclose unconstrained sub-CA (MULTICERT) (2018 - 2020)
Issue X: MULTICERT Misissuance (2018 - 2019)
Issue Z: Intesa Sanpaolo Misissuance (2017 - 2020)
Issue BB: Failure to revoke underscores (2019)
Issue DD: Infocert Misissuance (2017 - 2020)
Issue PP: Failure to disclose unconstrained Sub-CA (Government of Andorra) 
(2013 - 2019)
Issue RR: Failure to disclose unconstrained Sub-CA (Intesa Sanpaolo and 
Infocert) (2018 - 2020)
Issue TT: Certificate with Incorrect OrganizationName (Nov. 2020)

In addition to the following requirement stated in the Mozilla policy and just 
in place

•              Requirement of pointing in time audit (PIT) and report (at the 
beginning of each new CA)

•              Requirement of the annual audits and report (from the creation 
of each Intermediate CA)
We are currently carrying out additional controls on the activities of the 
organizations that manage intermediate CAs with different implementation time 
frames:

•              Adoption of a centralised LINTS (the same one used by 
Camerfirma) by all intermediate CAs before issuing certificates. (March 2019 
Multicert and April 2019 Infocert e Intesa SanPaolo)

•              Contractual reinforcement of Camerfirma's rights with regards to 
the activities carried out by Intermediate CAs and their obligation to a 
periodic communication. (October 2019).

•              Contractual rights and tools for Camerfirma to insource, when 
deemed appropriate, intermediate CAs operational activities in order to be able 
to apply all needed (and already implemented for Camerfirma CAs) controls and 
to force certificate revocation in a timely manner.
Planned changes:

•              Stop the issuance of certificates. (January 2021)

•              Implementation of Intermediate CA PIT. (January 2021)

•              Audit by Camerfirma of 100% of the active certificates issued 
(Task carry out during January 2021)

•              Change in the audit process. We are currently requesting the 
audit report to be issued by a recognised auditor. The new process will require 
the audit to be carried out by an auditor selected by Camerfirma. (All new 
audits from January 2021)

•              Technical environment set-up and procedural definition to be 
able to insource the management of operational activities of intermediate CAs 
by the first half of 2021
3.-REVOCATION DELAYS



Issue D: Duplicate subjectAlternativeNames and incorrect Subject fields (April 
2017)

Issue J: Invalid DNS names within certificates (August 2017)

Issue L: Invalid subjectAlternativeName within certificates (July 2017)

Issue N: Improper issuance and failure to revoke intranet certificates (2015 - 
2017)

Issue X: MULTICERT Misissuance (2018 - 2019)

Issue Z: Intesa Sanpaolo Misissuance (2017 - 2020)

Issue BB: Failure to revoke underscores (2019)

Issue PP: Failure to disclose unconstrained Sub-CA (Government of Andorra) 
(2013 - 2019)

Issue DD: Infocert Misissuance (2017 - 2020)

Issue LL: Invalid authorityKeyIdentifier (2003 - 2020)

Issue NN: Incorrect OCSP Delegated Responder Certificate (2013 - 2020)
We face the problem when the customers ask more time to complete certificates 
substitution in their own applications.
Controls already in place:

•              All our External Intermediate CAs and clients have accepted new 
general terms and condition allowing Camerfirma to revoke all the problematic 
certificates without their permission if necessary (October 2019). There are 
not so many problems in reissuing some hundreds of certificates in a couple of 
days, the problem is awaiting critical customers activities (for example Intesa 
Sanpaolo one of the largest banks in Europe) before being able to revoke the 
misissued certificates.

•              We have developed and started using a massive revocation and 
substitution tool to be more effective in that process. (June 2020).



After implementing all those measures, we have noticed that they were not 
enough to comply with the required deadlines, and we are planning to 
incorporate the following additional measures:



•              Implement ACME to control the revocations and substitution 
automatically (planned for June 2021 for Camerfirma infrastructure and to be 
designed for the Intermediate CAs)

•              Limit the number of DNS names that can appear in a certificate 
to make the substitution easier (planned for March 2021 for Camerfirma 
infrastructure and to be designed for the Intermediate CAs)

•              Have the contractual right and the operational procedures in 
place to insource the management of all the operational activities of the 
intermediate CAs (June 2021)

Only In some specific cases where a fast revocation could caused much more 
damages (to the impacted client) than benefits (to the entire community) in 
those cases we asked the community for some extra time.

4.-TECHNICAL ISSUES AND AUTOMATISMS

Issue D: Duplicate subjectAlternativeNames and incorrect Subject fields (April 
2017)
Issue H: Non-compliant OCSP Responders by Third-Party Subordinates (Dec. 2017)
Issue J: Invalid DNS names within certificates (August 2017)
Issue L: Invalid subjectAlternativeName within certificates (July 2017)
Issue P: Invalid characters within the OU field (2018)
Issue X: MULTICERT Misissuance (2018 - 2019)
Issue Z: Intesa Sanpaolo Misissuance (2017 - 2020)
Issue BB: Failure to revoke underscores (2019)
Issue DD: Infocert Misissuance (2017 - 2020)
Issue NN: Incorrect OCSP Delegated Responder Certificate (2013 - 2020)
Issue LL: Invalid authorityKeyIdentifier (2003 - 2020)
Issue UU: Certificate for unregistered domain (Oct. 2020)

Regarding the automations, these are currently implemented:

•              Control of the DNS and Email domain (August 2020)

•              CT Control (April 2017)

•              Control cablint, x509lint and zlint (pre-issuance - 
post-issuance) (January 2019)

•              Syntax control of the domain (August 2020)

•              Control of black and white lists of domains (August 2020)

•              Automatic verification of CAA (June 2020)

•              Additional automatic control to verify the correction of AKI 
extension before certificate issuance (April 2020)

New controls:

•              Control of suspicious activity patterns. (March 2021)

•              Remove fields as OU in the profile and avoiding other manual 
filling fields not validated in the certificate content. We have an exception 
for Spanish Public Administration Requirements where the field OU is mandatory 
for Spanish CAs (discussion https://github.com/cabforum/servercert/pull/225 ) 
(from January 2021).

Besides, in order to be as transparent as possible, each time we discover a new 
certificate misissued, we will review our internal procedure to make sure that 
those situations will always be promptly disclosed in 
https://misissued.com<https://misissued.com/> (for all new certificates 
detected from now on).
Other controls for the incorporation of correct information in the fields that 
automatic controls cannot detect, for example:


  *   Issue HH: EV Certificates with wrong businessCategory (2018 - 2019)

BUG 1600114 Information that shall be included in the BusinessCategory field of 
the EV certificates. If some EV certificates were issued with wrong values 
(there are four values that can be used)

  *   Issue D: Duplicate subjectAlternativeNames and incorrect Subject fields 
(April 2017)

BUG 1667430 Interpretation of what values can place in the stateOrProvinceName 
field
Audit process is the most effective answers to solve such residual problems. We 
will audit 100% of the certificates issued to detect wrong values in all the 
certificate’s fields (100% of certificates issued till January 2021).
Additionally, we must consider the importance of dedicated resources, because 
it has been an important aspect that has influenced past registered issues.
We think that thanks to the increased team, as described before, we have 
achieved a better issue and compliance management. For the future, our 
objective is to have a more proactive attitude to avoid incidents instead of a 
reactive action to quickly fix them.
Adding more employees, by itself, cannot be considered a solution. But the 
origin of some of the issues is a poor follow-up. This is the case with bugs, 
audits, activities of Intermediate CAs or matters concerning the community. 
Therefore, we believe that a proper sizing of the team can be considered an 
important structural change.  Right sizing the department will improve 
operational and administrative management processes. Coupled with the 
automation of the processes to minimize manual operations, this will give us 
the quality we aim for.

Planned Changes:

•              The exclusive dedication of the quality area in Camerfirma to 
the management of SSL certificates reinforced with a new recruitment to check 
100% SSL certificates issued. (January 2021)

•              Increase resources exclusively dedicated during the next year to 
the creation and maintenance of automatisms in the process of generating SSL 
certificates. January (2021)


Appendix I: State of the issues

Closed and remediated issues:

  *   Issue B: Delegation of validation to StartCom following Mozilla's 
distrust of StartCom (March 2017)
  *   Issue F: Ignoring CAA based on another CA's Certificate Transparency 
disclosure (Nov. 2017)
  *   Issue P: Invalid characters within the OU field (2018).
  *   Issue V: Audit Qualifications (2017 - 2018).
  *   Issue H: Non-compliant OCSP Responders by Third-Party Subordinates (Dec. 
2017).
  *   Issue LL: Invalid authorityKeyIdentifier (2003 - 2020).
Closed but not considered remediated issues:

  *   Issue JJ: Unresolvable Gap in Audits (Camerfirma) (2018 - 2019).
  *   Issue FF: Intentional unrevocation of externally-operated sub-CA (2019).
Regards
Ramiro.

De: Burton <j...@0.me.uk>
Enviado el: martes, 15 de diciembre de 2020 19:39
Para: Ramiro Muñoz <rami...@camerfirma.com>
CC: r...@sleevi.com; mozilla-dev-security-policy 
<mozilla-dev-security-pol...@lists.mozilla.org>; Ben Wilson 
<bwil...@mozilla.com>
Asunto: Re: Summary of Camerfirma's Compliance Issues

It doesn't look great to the community when a CA that is under investigation 
for serious compliance issues asks for more time to provide detailed answers.

Also you said 'accurate answers' ? Were the answers you were going to post 
today inaccurate in some way?

Burton

On Tue, Dec 15, 2020 at 6:13 PM Ramiro Muñoz via dev-security-policy 
<dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>>
 wrote:
Hi Ryan

Thanks. We will take into account your observations.
As I said we planed to send the formal answer today but the team has asked me 
for more time in order to give a more accurate answer. We plan to postpone to 
this Friday.

KR
Ramiro


De: Ryan Sleevi <r...@sleevi.com<mailto:r...@sleevi.com>>
Enviado el: lunes, 14 de diciembre de 2020 22:41
Para: Ramiro Muñoz <rami...@camerfirma.com<mailto:rami...@camerfirma.com>>
CC: r...@sleevi.com<mailto:r...@sleevi.com>; Ben Wilson 
<bwil...@mozilla.com<mailto:bwil...@mozilla.com>>; mozilla-dev-security-policy 
<mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org>>
Asunto: Re: Summary of Camerfirma's Compliance Issues

Thanks Ramiro for the update.

I do want to make sure we're on the same page. Responding point-by-point to the 
issues would probably be the least productive path forward. If there are 
specific disagreements with the facts as presented, which were taken from the 
Bugzilla reports, it would be good to highlight that. However, I believe the 
intent is that the Bugzilla report is the source of truth, so if there are 
details that were *not* on the incident reports, I would say that's more 
concerning than it is reassuring.

I'm a bit concerned to see your latest reply still highlight the "increased the 
PKI team", since that's been a sort of repeated refrain (e.g. Issue T, Issue 
BB, Issue PP). I don't disagree that it's important to ensure that there are 
adequate resources devoted to compliance _and_ development, but I think it's 
also important to make sure that the solution is not to throw more people at 
the problem.

While the integrity of the CA is perhaps not as obviously cut and dry, as was 
the case with WoSign/StartCom, I do believe it's reasonable to ask whether or 
not the CA has the skills, expertise, and understanding of the systemic issues 
to effectively manage things going forward, especially when we have seen the 
regular repetition of issues. This suggests more systemic fixes are needed, but 
also suggests that there are more systemic flaws in how things are operated, 
designed, and administered that do call into question the trustworthiness of 
the current infrastructure.

If Camerfirma were approaching with a new CA/new certificate hierarchy, it 
would be reasonable to ask why, given all of these incidents, Camerfirma should 
be included, since it puts a lot of risk onto the community. Regaining trust 
and reputation, once lost, is incredibly difficult, and requires going above 
and beyond. I hope that, in your formal response, you provide a holistic 
picture of how Camerfirma has changed its operations, implementation, 
infrastructure, management process, policies, and quite frankly, the use 
cases/subscribers that it targets with these certificates, so that the 
community can make an informed decision about risk.

Similarly, in thinking about what this would be for a "new" PKI, and how 
difficult it would be, given the current evidence, to see that as good for 
users, it's also worth asking what should happen with the current PKI. Should 
we continue to assume that the implementation of the EV guidelines is correct, 
even though we have ample evidence of basic RFC 5280 and BR violations? Should 
we consider sunsetting (e.g. with a notBefore restriction) trust? Would it be 
reasonable to remove trust altogether?

For example, Camerfirma currently has four roots ([1], [2], [3], [4]). [1] 
appears to have issued less than 3,500 still valid certificates, [2] / [3] are 
only trusted for e-mail, and [4] seems to be a super-CA of sorts (with sub-CAs 
operated by Intesa Sanpaolo, Infocert, Multicert, and Govern d'Andorra). For 
the sub-CAs that aren't constrained/revoked, it seems Intesa Sanpaolo has only 
issued ~2200 certificates, Infocert ~650, and Multicert ~3000.

Is that accurate? I totally could have made a mistake here, since this was just 
manually inspecting every sub-CA from Camerfirma and I totally could have 
clicked wrong, but that suggests that there is... very little practical risk 
here to removal, compared to the rather significant risk of having a CA that 
has established a pattern of compliance and supervision issues.

[1] https://crt.sh/?caid=869
[2] https://crt.sh/?caid=140
[3] https://crt.sh/?caid=8453
[4] https://crt.sh/?caid=1114
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>
https://lists.mozilla.org/listinfo/dev-security-policy
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to