Thank you for your feedback, I open an incident bug in Bugzilla Amir Omidi a következőt írta (2023. július 19., szerda, 20:36:08 UTC+2):
> Per https://www.ccadb.org/cas/incident-report#incident-reports, this > mailing list is not the correct place for the incident report. Incident > reports should go: > https://bugzilla.mozilla.org/buglist.cgi?product=CA%20Program&component=CA%20Certificate%20Compliance&list_id=16291008 > > On Wednesday, July 19, 2023 at 2:09:24 PM UTC-4 Sándor dr. Szőke wrote: > >> MICROSEC INCIDENT REPORT - No OCSP status response for 2 Precertificates >> ------------------------------ >> >> I -- How your CA first became aware of the problem (e.g. via a problem >> report submitted to your Problem Reporting Mechanism, a discussion in >> mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and >> the time and date. >> >> Microsec received an iformation by phone, that 2 Microsec OCSP problems >> reported on the following site: https://sslmate.com/labs/ocsp_watch/ >> ------------------------------ >> >> II -- A timeline of the actions your CA took in response. A timeline is a >> date-and-time-stamped sequence of all relevant events. This may include >> events before the incident was reported, such as when a particular >> requirement became applicable, or a document changed, or a bug was >> introduced, or an audit was done. >> >> 2023-07-18 19:55 CET >> >> - receive a notification phone call about the problem >> >> 2023-07-18 19:57 CET >> >> - Microsec opened an internal JIRA ticket to record the problem >> >> 2023-07-18 20:11 CET >> >> - initiating an investigation to identify the cause(s) of the problem >> and to prevent further similar errors >> >> 2023-07-18 20:49 CET >> >> - information collected about the problematic precertificates >> >> 2023-07-18 20:56 CET >> >> - finding the reason of the problem >> >> 2023-07-18 21:00 CET >> >> - adding the two missing precertificates to our OCSP responders >> database >> - revoking the two precertificates >> - error messages disappeard from the >> https://sslmate.com/labs/ocsp_watch/ >> >> ------------------------------ >> >> III -- Whether your CA has stopped, or has not yet stopped, issuing >> certificates with the problem. A statement that you have will be considered >> a pledge to the community; a statement that you have not requires an >> explanation. >> >> >> - The two problems happened in different time, so they were >> independent events. >> - The investigation started after office hours, when there is no >> certificate issuance. >> - The problem was temporarily solved very quickly, so there was no >> need to stop the certificate issuance. >> >> ------------------------------ >> >> IV -- A summary of the problematic certificates. For each problem: number >> of certs, and the date the first and last certs with that problem were >> issued. >> >> 2022-12-16 >> >> - One precertificate without issued TLS certificate - >> https://crt.sh/?id=8214560966 >> >> 2023-04-14 >> >> - One precertificate without issued TLS certificate - >> https://crt.sh/?id=9146975721 >> >> ------------------------------ >> >> V -- The complete certificate data for the problematic certificates. The >> recommended way to provide this is to ensure each certificate is logged to >> CT and then list the fingerprints or crt.sh IDs, either in the report or as >> an attached spreadsheet, with one list per distinct problem. >> >> >> domain >> crt.sh link >> dtk.kszdr.gov.hu >> https://crt.sh/?id=8214560966 >> smtp1.mkb.hu >> https://crt.sh/?id=9146975721 >> ------------------------------ >> >> VI -- Explanation about how and why the mistakes were made or bugs >> introduced, and how they avoided detection until now. >> >> We performed the initial investigation and we found the following >> >> - We could find in the CA log entries, that in booth cases an error >> happened during the certificate issuance: >> >> -- the precertificate was created successfully >> >> -- the precertificate transmitted to at least one log server successfully >> >> -- the CA software could not reach the necessary number of log servers >> >> -- the certificate issuance process was terminated with an error status >> >> -- the TLS certificate was not issued >> >> -- due to the improper error management flow installed in the CA >> software, the precertificate has not been added to the OCSP responders >> database. >> >> - After the unsuccessful issuance, the CA created a new >> precertificate with the same plublic key and with new serial number, and >> with that the certificate issuance was successful. >> >> Summary of the findings >> >> The problem was caused by a configuration problem in the CA program >> >> - the precertificate was not added to the OCSP responders database, >> when at least one log server could respond with an SCT >> >> ------------------------------ >> >> VII -- List of steps your CA is taking to resolve the situation and >> ensure such issuance will not be repeated in the future, accompanied with a >> timeline of when your CA expects to accomplish these things. >> >> Immediate actions >> >> - Microsec added the two missing precertificates to its OCSP >> responders database >> - Microsec revoked the two problematic precertificates immediately >> - A quick initial investigation was made to find out the reason of >> the problem. >> - Microsec identified the causes of the problem as you see it above. >> - Microsec made a quick fix on the CA program, which reduces the >> chance to have this type of problem again >> - Microsec opened an incident bug in Mozilla's Bugzilla with the >> present report. >> >> ------------------------------ >> Further planned actionsDeadline: 2023-08-20 >> >> - Microsec will make a more detailed investigation on the CA software >> and makes further changes if necessary to prevent this problem happening >> again. >> - Microsec will develop an automatic tool tho check the >> https://sslmate.com/labs/ocsp_watch/ daily >> >> -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/be775cee-c292-43d7-9ea8-507f5db8ddcen%40ccadb.org.
