When is a "weak key" a "compromised key"?
The BRs, s4.9.1.1, state that a CA has up to five days to revoke a certificate where: > The CA is made aware of a demonstrated or proven method that exposes the > Subscriber's Private Key to compromise, methods have been developed that > can easily calculate it based on the Public Key (such as a Debian weak > key, see http://wiki.debian.org/SSLkeys), or if there is clear evidence > that the specific method used to generate the Private Key was flawed. My intuition is that this clause is meant to encompass key generation flaws such as ROCA, in which you can identify "weak" keys by the properties of their public key. Such "weak" keys may still take some time to recover the private key given the public key, however the usual cryptographic security guarantees cannot be assumed to apply. However, the specific example given in the BRs, that of Debian weak keys, does not fit the general pattern above. As far as I am aware, there is no way to identify a Debian weak key purely by examining the properties of the public key. Debian weak keys can (only) be identified by referring to a list of keys generated using the flawed technique. Whilst you can, in theory, provide such a lookup table without also providing the private keys themselves, in practice anyone who has a lookup table will also have (access to) the full private key material. The problem is that a private key which is, for all intents and purposes, public information, is a compromised key, and should presumably come under the 24 hour revocation deadline part of s4.9.1.1. However, a Debian weak key is *explicitly* listed as coming under the five day revocation deadline. Therefore, the question I'm asking is: should Mozilla (aka the community and CA module owner and peers) make a policy decision to treat certificates issued with a known Debian weak key differently to that of the BRs, and insist on revocation within 24 hours (as a compromised key) rather than within five days (as a "Debian weak key")? Thanks, - Matt ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
ssl.com: Certificate with Debian weak key
(Pre) Certificate https://crt.sh/?id=2531502044 has been issued with a known weak key, specifically Debian weak key 2048/i386/rnd/pid17691. I believe this issuance to be in contravention of SSL.com's CPS, version 1.8, section 6.1.1.2, which states "SSL.com shall reject a certificate request if the request has a known weak Private Key". - Matt ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic
On Friday, March 6, 2020 at 12:13:49 PM UTC-6, Ryan Sleevi wrote: > Thanks Jeff, > > This is incredibly helpful to understand the approach (and limitations) > that are relevant in the context of a WebTrust report. I'm hoping our ETSI > colleagues might provide a similar level of detail, as I suspect this is > hardly "just" a WebTrust problem at this point. > > On Fri, Mar 6, 2020 at 11:51 AM jwardcpa--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > If the potential threat of a scope limitation is primarily due do an > > auditor not being able to travel to perform necessary testing, as with the > > Coronavirus, there are potential remedies for the auditor to consider, > > including, but not limited to: > > > > • Using the work of another auditor, whereby the lead auditor > > verifies the independence, qualifications and technical competency of > > another firm that can do a portion of the work, and the lead auditor > > directs the work, plans, supervises and reviews the other auditor’s work, > > taking ultimate responsibility. In this case, no mention of the other firm > > is made in the report as the lead auditor is taking responsibility for the > > other firm’s work. > > • Using technology to observe physical controls and underlying > > documents/artifacts via remote means, such as video. In this case, the > > auditor must ensure the authenticity, integrity, security and > > confidentiality of the transmission. > > > > This is incredibly helpful to understand the possibilities! Thank you for > including this. While I can understand this might not be a universal > solution, especially as the virus continues to spread, it's incredibly > helpful to know what options might be possible and available. > > If the auditor is able to design the audit plan in a manner that overcomes > > the challenges present from what otherwise would be a scope limitation, and > > can obtain satisfaction through adequate testing procedures, the auditor > > will be able to express an unqualified/unmodified (clean) opinion resulting > > in the ability to obtain the WebTrust seal. Otherwise, the auditor will > > explain what gave rise to the scope limitation and no seal will be able to > > be issued. > > CAs should work with their auditors as early as possible to identify any > > impact on the scope of their audit and communicate any issues with the > > browsers. It looks like from this thread any impact on the scope and the > > timing of the release of the audit should be documented in Bugzilla, which > > should also include the CAs incident response plan. > > > > As a follow-up: would the use of such methods (a supervised auditor, > technology based controls) be something that would be available as part of > the Detailed Reporting? My understanding is that it would be noted in such > a report, but perhaps I'm assuming too much. > > > > So what happens if a modified opinion is provided by an auditor, for > > example, because a data center in China could not be tested in the normal > > course of the examination? Then say, six months later, the data center > > becomes accessible and available for audit. Since the audit for the year > > was already issued with the qualification, as required, you would have the > > option of waiting for the next annual audit to include the data center in > > question and proceed as normal. Once again, a WebTrust audit cannot > > include a carve out of the data center, nor can a WebTrust audit be > > performed later on just the data center. Depending on the significance of > > the operations not able to be included in the scope of the most current > > audit, and depending on the needs and requirements of the users (browsers), > > a CA could undergo specified/agreed-up procedures in a separate engagement, > > or conduct a full scope WebTrust audit when possible. There ae no hard and > > fast rules for this situation and each should be treated on a case by case > > basis, with discussions including the CA, the browsers, and the auditor. > > > > Thanks again for this. It's incredibly helpful to know the limitations here > as well, such as a limited-physical-scope audit being non-viable. > > Are there limitations as to how long an audit in the past can be conducted? > That is, I'm imagining a scenario where a report is delivered, potentially > with the issues you note (qualified, adverse, disclaimer). Assuming there > comes a point in the future where the factors leading to that opinion are > eventually addressed, and access to the location again becomes possible, is > it possible to perform a full audit for the original period of time? That > is, for a CA that might have an audit period of March-to-March (and thus, > likely affected by these considerations), and the auditor is unable to > sufficiently determine to an unqualified opinion during that assessment > period (of March ~ June), is it possible to examine after-the-fact (e.g. if > the v
Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic
Thanks Jeff, This is incredibly helpful to understand the approach (and limitations) that are relevant in the context of a WebTrust report. I'm hoping our ETSI colleagues might provide a similar level of detail, as I suspect this is hardly "just" a WebTrust problem at this point. On Fri, Mar 6, 2020 at 11:51 AM jwardcpa--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > If the potential threat of a scope limitation is primarily due do an > auditor not being able to travel to perform necessary testing, as with the > Coronavirus, there are potential remedies for the auditor to consider, > including, but not limited to: > > • Using the work of another auditor, whereby the lead auditor > verifies the independence, qualifications and technical competency of > another firm that can do a portion of the work, and the lead auditor > directs the work, plans, supervises and reviews the other auditor’s work, > taking ultimate responsibility. In this case, no mention of the other firm > is made in the report as the lead auditor is taking responsibility for the > other firm’s work. > • Using technology to observe physical controls and underlying > documents/artifacts via remote means, such as video. In this case, the > auditor must ensure the authenticity, integrity, security and > confidentiality of the transmission. > This is incredibly helpful to understand the possibilities! Thank you for including this. While I can understand this might not be a universal solution, especially as the virus continues to spread, it's incredibly helpful to know what options might be possible and available. If the auditor is able to design the audit plan in a manner that overcomes > the challenges present from what otherwise would be a scope limitation, and > can obtain satisfaction through adequate testing procedures, the auditor > will be able to express an unqualified/unmodified (clean) opinion resulting > in the ability to obtain the WebTrust seal. Otherwise, the auditor will > explain what gave rise to the scope limitation and no seal will be able to > be issued. > CAs should work with their auditors as early as possible to identify any > impact on the scope of their audit and communicate any issues with the > browsers. It looks like from this thread any impact on the scope and the > timing of the release of the audit should be documented in Bugzilla, which > should also include the CAs incident response plan. > As a follow-up: would the use of such methods (a supervised auditor, technology based controls) be something that would be available as part of the Detailed Reporting? My understanding is that it would be noted in such a report, but perhaps I'm assuming too much. > So what happens if a modified opinion is provided by an auditor, for > example, because a data center in China could not be tested in the normal > course of the examination? Then say, six months later, the data center > becomes accessible and available for audit. Since the audit for the year > was already issued with the qualification, as required, you would have the > option of waiting for the next annual audit to include the data center in > question and proceed as normal. Once again, a WebTrust audit cannot > include a carve out of the data center, nor can a WebTrust audit be > performed later on just the data center. Depending on the significance of > the operations not able to be included in the scope of the most current > audit, and depending on the needs and requirements of the users (browsers), > a CA could undergo specified/agreed-up procedures in a separate engagement, > or conduct a full scope WebTrust audit when possible. There ae no hard and > fast rules for this situation and each should be treated on a case by case > basis, with discussions including the CA, the browsers, and the auditor. > Thanks again for this. It's incredibly helpful to know the limitations here as well, such as a limited-physical-scope audit being non-viable. Are there limitations as to how long an audit in the past can be conducted? That is, I'm imagining a scenario where a report is delivered, potentially with the issues you note (qualified, adverse, disclaimer). Assuming there comes a point in the future where the factors leading to that opinion are eventually addressed, and access to the location again becomes possible, is it possible to perform a full audit for the original period of time? That is, for a CA that might have an audit period of March-to-March (and thus, likely affected by these considerations), and the auditor is unable to sufficiently determine to an unqualified opinion during that assessment period (of March ~ June), is it possible to examine after-the-fact (e.g. if the virus is contained by July, in July) for the original March-to-March period? What challenges may exist for such audits that are further than 3 months from the audit period? Realizing there's no hard and fast rules, I'm aware it's perh
Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic
Certainly, situations such as the outbreak of COVID-19 (Coronavirus) provide significant business challenges, not to mention all of the heartache felt by those suffering personally. From a business standpoint, the outbreak of the Coronavirus is a reminder how fragile companies are to events out of our control. It is also appropriate to include the outbreak with natural disasters / acts of God when contemplating the necessary reaction needed. both for the enterprise, its stakeholders, auditors, etc. These types of events are also the vary reason companies adopt Business Continuity Plans / Disaster Recovery Plans. When the rubber hits the road, these plans are put to the test. Auditors are challenged on how these types of events affect the scope of the engagement, in particular the nature, timing, and extent of testing necessary to provide the assurance needed to express an opinion on the subject matter of the engagement. Depending on the circumstances of the event, auditors could be challenged with how to physically inspect documents or access essential critical security installations when travel restrictions are in place, or even faced with availability of necessary documentation/artifacts relevant to the audit that are damaged or destroyed. These scenarios can present significant challenges for the auditor in trying to cover those necessary elements needed to cover the entire scope of the examination. Ultimately, when an auditor is not able to obtain assurance on the entire scope of the engagement, and realizing a carved out approach is not permitted in a WebTrust audit, for example, when a certain data center is not able to be visited to observe controls operating and underlying documentation, the auditor will not be able to provide an unmodified/unqualified/clean opinion and the client would not be able to display the WebTrust seal. In these situations, the auditor would include an explanatory paragraph that details what gave rise to the scope limitation and issue one of the following modified opinions: • Qualified opinion (when conditions are least severe but significant enough to mention), stating an except for paragraph explaining the condition(s) arising from the scope limitation, such as not being able to test the data center. • Adverse opinion (when conditions are more severe), stating that the conditions are such that due to the severity of the scope limitation, the auditor states controls are not operating effectively and they were not able to satisfy themselves that the necessary controls were able to operate. • Disclaimer of opinion (when conditions are most severe), stating that the auditor is unable to form any opinion due to the nature of the scope limitation. If the potential threat of a scope limitation is primarily due do an auditor not being able to travel to perform necessary testing, as with the Coronavirus, there are potential remedies for the auditor to consider, including, but not limited to: • Using the work of another auditor, whereby the lead auditor verifies the independence, qualifications and technical competency of another firm that can do a portion of the work, and the lead auditor directs the work, plans, supervises and reviews the other auditor’s work, taking ultimate responsibility. In this case, no mention of the other firm is made in the report as the lead auditor is taking responsibility for the other firm’s work. • Using technology to observe physical controls and underlying documents/artifacts via remote means, such as video. In this case, the auditor must ensure the authenticity, integrity, security and confidentiality of the transmission. If the auditor is able to design the audit plan in a manner that overcomes the challenges present from what otherwise would be a scope limitation, and can obtain satisfaction through adequate testing procedures, the auditor will be able to express an unqualified/unmodified (clean) opinion resulting in the ability to obtain the WebTrust seal. Otherwise, the auditor will explain what gave rise to the scope limitation and no seal will be able to be issued. CAs should work with their auditors as early as possible to identify any impact on the scope of their audit and communicate any issues with the browsers. It looks like from this thread any impact on the scope and the timing of the release of the audit should be documented in Bugzilla, which should also include the CAs incident response plan. So what happens if a modified opinion is provided by an auditor, for example, because a data center in China could not be tested in the normal course of the examination? Then say, six months later, the data center becomes accessible and available for audit. Since the audit for the year was already issued with the qualification, as required, you would have the option of waiting for the next annual audit to include the data center in que
Re: About upcoming limits on trusted certificates
On Tuesday, March 3, 2020 at 12:28:20 PM UTC-8, Wayne Thayer wrote: > Thank you for sharing this Clint. > > I'd like to ask for input from the community: is this a requirement that we > should add to the Mozilla policy at this time (effective September 1, 2020)? Of course. And 180 days next year, and 90 the year after. LE's 90 day lifetime has already significantly improved available cert tooling and practices, time to start tightening the screws to get everybody on board. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
