CA/Responding To An Incident: Difference between revisions

Jump to navigation Jump to search

CA/Responding To An Incident (view source)

Revision as of 02:47, 16 January 2025

872 bytes added ,  16 January 2025
→‎Revocation: Replaced this Section per https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/xC8AQlMYg10/m/HaoObzSCCgAJ
(→‎Examples of Good Practice: Changed examples.)
(→‎Revocation: Replaced this Section per https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/xC8AQlMYg10/m/HaoObzSCCgAJ)
Line 29: Line 29:


= Revocation =
= Revocation =
{{Draft}}
== Mozilla’s Expectations on Revocation ==


It is normal practice for CAs to revoke misissued or otherwise problematic certificates. But that leaves the question about '''when''' this should be done, particularly if it's not possible to contact the customer immediately, or if they are unable to replace their certificate quickly. CAs should ensure that they are complying with Sections 4.9.1 through 4.9.5 of '''[https://cabforum.org/baseline-requirements-documents/ the CA/Browser Forum’s Baseline Requirements]'''.  
CA operators MUST revoke misissued or otherwise problematic TLS server certificates within 24 hours or 5 days, depending on the circumstances set forth in [https://cabforum.org/working-groups/server/baseline-requirements/requirements/#491-circumstances-for-revocation section 4.9.1] of the CA/Browser Forum’s TLS Baseline Requirements (TLS BRs). Mozilla does not grant exceptions to the revocation requirements of the TLS BRs.  


This means that, in most cases of misissuance, the CA has an obligation under the BRs to revoke the certificates concerned within 24 hours, or 5 days in some cases.
To ensure compliance with the TLS BRs, Mozilla requires that CA operators:


Mozilla recognizes that in some '''exceptional''' circumstances, revoking the affected certificates within the prescribed deadline may cause significant harm, such as when the certificate is used in critical infrastructure and cannot be safely replaced prior to the revocation deadline, or when the volume of revocations in a short period of time would result in a large cumulative impact to the web. However, Mozilla does not grant exceptions to the BR revocation requirements. It is our position that your CA is ultimately responsible for deciding if the harm caused by following the requirements of the Baseline Requirements outweighs the risks that are passed on to individuals who rely on the web PKI by choosing not to meet this requirement.
* engage in proactive communication and advise subscribers well in advance about the revocation timelines and explicitly warn them against using publicly-trusted TLS server certificates on systems that cannot tolerate timely revocation;
* include appropriate language in customer agreements requiring subscribers’ timely cooperation in meeting revocation timelines and acknowledging the CA’s obligations to adhere to applicable policies and standards;
* prepare and maintain credible plans to address mass revocation events, including detailed procedures for handling mass revocations effectively, including rapid communication with affected parties and conducting annual plan testing; and
* engage a third party assessor to evaluate whether the CA Operator has:
** credible plans to handle mass revocation events; 
** tested the operational effectiveness of the plans, including the accuracy and adequacy of documentation of plan testing, including timelines, results, and remediation steps; and 
** incorporated feedback from such exercises to improve future readiness.


If your CA will not be revoking the certificates within the time period required by the BRs, our expectations are that:
== Reporting Delayed Revocation Incidents ==


* A separate incident report will be filed in Bugzilla.
The [https://www.ccadb.org/cas/incident-report CCADB incident reporting process] ensures the Web PKI community is informed and that issues are tracked and resolved effectively. Clear and timely communication fosters trust and accountability, mitigating risks to the ecosystem.
* The decision and rationale for delaying revocation will be disclosed in the form of a preliminary incident report immediately; preferably before the BR-mandated revocation deadline. The rationale must include detailed and substantiated explanations for why the situation is exceptional. Responses similar to “we do not deem this non-compliant certificate to be a security risk” are not acceptable. When revocation is delayed at the request of specific Subscribers, the rationale must be provided on a per-Subscriber basis.
* Any decision to not comply with the timeline specified in the Baseline Requirements must also be accompanied by a clear timeline describing if and when the problematic certificates will be revoked or expire naturally, and supported by the rationale to delay revocation.
* The issue will need to be listed as a finding in your CA’s next BR audit statement.
* Your CA will work with your auditor (and supervisory body, as appropriate) and the Root Store(s) that your CA participates in to ensure your analysis of the risk and plan of remediation is acceptable.
* You will perform an analysis to determine the factors that prevented timely revocation of the certificates, and include a set of remediation actions in the final incident report that aim to prevent future revocation delays.


If your CA will not be revoking the problematic certificates as required by the BRs, then we recommend that you also contact the other root programs that your CA participates in to acknowledge this non-compliance and discuss what expectations their Root Programs have with respect to these certificates.
If a CA operator determines that it might delay revocation of certificates beyond the time period required by the TLS BRs, it MUST file a preliminary incident report with a Summary section immediately in Bugzilla, even if the delay has not yet occurred.
 
Such delayed revocation incident reports SHOULD be updated at least every 3 days and MUST be updated no less frequently than every 7 days to describe a summary of:
 
* the number of certificates that have been revoked; 
* the number of certificates that have not yet been revoked;
* the number of certificates planned for revocation that have expired; and
* an estimate for when all remaining revocations will be completed.
 
Consistent with CCADB incident reporting requirements, in the “Analysis” section, the CA operator SHALL explain in the Analysis section of the incident report those factors and rationales behind the decision to delay revocation (including detailed and substantiated explanations of how extensive harm would result to third parties–such as essential public services or widely relied-upon systems–and why the situation is exceptionally rare and unavoidable).
 
Also, the Timeline section should include the time(s) at which the CA Operator actually completed revocation of affected certificates, and the Action Items list MUST include steps reasonably calculated to prevent or reduce future revocation delays.
 
== Consequences of Delayed Revocations ==
 
Failing to meet the standards of timely revocation erodes trust in the Web PKI and poses risks to global internet security.  Delayed revocation is a measure of last resort and MUST NOT be used routinely.  Repeated incidents of delayed revocation without sufficient justification will result in heightened scrutiny and sanctions, including removal of the CA from the Mozilla Root Store. CA operators must also adhere to the policies and revocation requirements of other Root Store Programs that include their CA certificates.  Additionally, all delayed revocation incidents MUST be listed as findings in the CA operator’s next TLS BR audit statement.


= Follow-Up Actions =
= Follow-Up Actions =
Bwilson
Confirmed users
574

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/1253163"

Navigation menu