Apple: Patch Management

2019-11-22 Thread Apple CA via dev-security-policy
On November 22, Apple submitted an incident report: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1598829, which is reposted below.

Incident Report

1. How your CA first became aware of the problem (e.g. via a problem report 
submitted to your Problem Reporting Mechanism, a discussion in 
mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the 
time and date.

On 13-November-2018 at 16:00 PT, we completed a more in-depth investigation 
into our key control used to determine if security patches should be applied 
(automated vulnerability scans) and determined that while it was possible the 
vulnerability scanner would detect a vulnerability with EJBCA, it was not 
likely. We also identified that since our review of EJBCA releases and 
decisions about upgrading was not a key control, it was not provided to the 
auditors. Based on this information we committed to opening this incident 
report in Comment 13 of the Apple OCSP responders return responses with 
incorrect issuer incident report. For clarity, key controls are mapped to 
WebTrust control objectives, and non-key controls are performed operationally 
but not provided to the auditors.

2. A timeline of the actions your CA took in response. A timeline is a 
date-and-time-stamped sequence of all relevant events. This may include events 
before the incident was reported, such as when a particular requirement became 
applicable, or a document changed, or a bug was introduced, or an audit was 
done.

14-October-2019 at 15:08 PT - We internally contemplated whether running 
version 4.0.14 could be a potential Network and Certificate System Security 
Requirements (NCSSR) violation, but based on our understanding at the time, we 
determined it was not a violation.

17-October-2019 at 18:33 PT - We posted the Apple OCSP responders return 
responses with incorrect issuer incident report.

17-October-2019 at 19:20 PT - We received Comment #5 questioning the version of 
software we were running on our OCSP service.

21-October-2019 at 9:00 PT - As part of our ongoing investigation related to 
the Apple OCSP responders return responses with incorrect issuer report we took 
a closer look at our software management practices and the CA/Browser Forum 
NCSSR which requires that CAs “Apply recommended security patches to 
Certificate Systems within six (6) months of the security patch’s availability, 
unless the CA documents that the security patch would introduce additional 
vulnerabilities or instabilities that outweigh the benefits of applying the 
security patch.”.

24-October-2019 at 21:54 PT - As part of Comment 6 of Apple OCSP responders 
return responses with incorrect issuer, we committed to opening a separate bug 
with more details.

29-October-2019 from 11:25 - 11:58 PT - Notified the Apple Policy Authority, 
DigiCert and Sectigo (Root vendors), Apple, Microsoft, Mozilla, Google, and 
Oracle (Root programs), and Ernst & Young (WebTrust assessors) of a potential 
incident.

31-October-2019 at 21:36 PT - We posted Comment 10 to the Apple OCSP responders 
return responses with incorrect issuer incident report in which we stated that 
our practices and controls for both the OCSP software and CA software were 
compliant with the NCSSR.

31-October-2019 from 21:38 - 21:40 PT - Notified the Apple Policy Authority, 
DigiCert and Sectigo (Root vendors), Apple, Microsoft, Mozilla, Google, and 
Oracle (Root programs), and Ernst & Young (WebTrust assessors).

13-November-2018 at 16:00 PT - We completed a more in-depth investigation into 
our key control used to determine if security patches should be applied and 
determined that while it was possible the vulnerability scanner would detect a 
vulnerability with EJBCA, it was not likely. We also identified that since our 
review of EJBCA releases and decisions about upgrading was not a key control, 
it was not provided to the auditors. Therefore, we came to the conclusion that 
our key control does not go far enough to meet the requirements specified in 1l 
of the NCSSR. Based on this information, we committed to opening this incident 
report in Comment 13 with more details.

14-November-2019 from 14:51 - 14:53 PT - Notified the Apple Policy Authority, 
DigiCert and Sectigo (Root vendors), Apple, Microsoft, Mozilla, Google, and 
Oracle (Root programs), and Ernst & Young (WebTrust assessors).

14-November-2019 at 16:00 PT - We made our review of software releases and 
decisions about upgrading a key control.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates 
with the problem. A statement that you have will be considered a pledge to the 
community; a statement that you have not requires an explanation.

No non-compliant certificates were issued. We made our review of software 
releases and decisions about upgrading a key control.

4. A summary of the problematic certificates. For each problem: number of 
certs, and the date the first and last certs with that problem were 

IdenTrust Undisclosed Unrevoked ICA’s

2019-11-22 Thread IdenTrust Inc via dev-security-policy
We have added Bug 1598807 
(https://bugzilla.mozilla.org/show_bug.cgi?id=1598807) providing a new incident 
report and formulating a revocation timeline.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy