136
edits
Changes
Add Certinomis Response section
''I understand that this new feature has been developped and not yet used in production, and that a human validation error has been made by an RA operator confused by the fact that the organisation was "COMMUNE LE CANNET" and by the fact that the applicant made also an error in the CSR containing a '-' instead of a '.' to separate the domain name in the FQDN (mediatheque-lecannet.fr instead of mediatheque.lecannet.fr).''
=== Certinomis Response ===
The following response to all of the issues listed herein was posted to the mozilla.dev.security.policy discussion list on 9-April:
Dear All,
Before detailing my answer, I would like to refute opinions that Certinomis does not take these subjects seriously: since February the management of Certinomis was directly involved in the exchanges with the Mozilla community, decisions were made and are implemented.
I acknowledge that I was surprised by the multiple topics that were grouped by Wayne THAYER on the CA/Certinomis issues page. I would also like to thank Wayne THAYER for his analysis of a technical point of view that distinguished different categories of problems.
For my part, my role is above all to advance the practice of Certinomis, and for this I must classify the problems according to their cause, because the best way to solve a problem is to correct its cause. And I will allow myself to structure my answer according to this classification that I made of problems, reserving for the end the Issue A (Startcom Signing) that I really did not expect to hear about.
- First cause of problems: An organization of the technical direction not adapted to the plan of charge in 2018
In 2018, Certinomis carried out several projects to renew its technical capabilities (new production site, new PKI software, adaptation to BR 1.6.5, among others). Franck as our Technical Director led all this work. And at the same time, Frank was Mozilla’s only point of contact. Inevitably there has been errors in settings (e.g. Issue F4 & F5) or incomplete corrections (Bug 1496088 comment#20 and answer that are part of Issue F3) and low reactivity (Issue B until November 2018) and perhaps editorial errors when updating PCs and DPCs (for example Issue D, rule 3.2.2.4.5 is mentioned in figures, but the description, in English, is that of rule 3.2.2.4.6)
-->Response to Cause 1:
- Action 1:
Franck’s departure was an opportunity to restructure Certinomis’ technical management with three roles for caring of SSL activity.
- an internal audit team independent of the project management is in place; the structure that ensures it has implemented a daily linting post-issuance control since April 1st, to allow us to detect without delay any possible mistake.
- An employee of the quality team of Certinomis will be designated as the main contact of the CA/B Forum and Mozilla (but not the only point of contact).
To be complete on this topic the transition between Franck and another person had been prepared during the three months following his decision to leave.
But it soon became clear that the person chosen was not fitted to the role. It is for this reason that I have resumed the discussion with Mozilla personally, and I intend to remain engaged on the subject until the situation is stabilized.
-- PKI’s project management will carry out changes, settings and corrections.
The idea is to separate those who propose the evolutions, those who realize them and those who control them. In this way each one carries out his task without being inhibited by the constraints of the other.
- Second cause of problem: insufficient syntax control for certificate request processed by Enterprise RAs.
Several problems have been reported for certificates issued for the domains "laposte.fr" and "labanquepostale.fr".
La Poste and La Banque Postale belong to the La Poste group, as well as Certinomis. For each of these two companies an external RA was set up by Certinomis, to facilitate the issuance of certificates on the two domains controlled by these two companies. The ownership of domain names and the authorisation of operators have been established beforehand.
In this context, it has recently happened that CSRs generated by technicians on their servers are inserted by the operators in the AE software and that the syntax errors they contained are not highlighted by the RA software neither detected by operators (a space in a domain name, truncated domain names, empty SANs, function names instead of geographical indications etc. (Issues F1 & F2).
Under no circumstances could these errors lead, or could lead, to the supply to an illegitimate person for this purpose of a certificate containing a real domain name.
-->Responses to Cause 2:
- Action 2: Entreprise RAs have been temporarily deactivated to allow us to correct this situation.
- Action no. 3: The action carried out as a priority was to install the pre-issuance linting. It is now operational as we committed to.
- Action 4: The next action will be to strengthen control on the locality field in these external RAs.
- Third cause of problem: human-based registration.
Several certificates were issued in good faith for testing by operators of Certinomis (Issue F3). To understand, it is necessary to know that for our other ranges of certificates, it is sometimes necessary to provide a test certificate from the production CAs, for the purpose of testing complex applications from end to end. Well, in those cases, the operator must display the word "TEST" in the significant fields; and in order that the invalidity of these certificates be even more evident to third parties who rely, we have, voluntarily, created fictitious organizations whose name is intended to make evident this fictitious character, and above all, also a fictitious organization identifier. The objective is that no one can be misled with any of these certificates.
This practice is forbidden by the CA/B Forum, I do not discuss it, and simply I explain why the operators of Certinomis could have made these errors.
Another error related to human control occurred in February 2019: the town hall of Le Cannet, client of Certinomis for several years, was mistaken in writing its application form and requested a domain name "mediatheque-lecannet.fr" instead of "mediatheque.lecannet.fr". And the Certinomis RA operator did not notice that instead of a dot there was a dash.
The employee who validated this request made an indisputable error, even though I am convinced that his vigilance would have been stronger for an unknown client.
--> Responses to cause 3:
- Action no. 5: for test certificates, the solution was to isolate the test organizations in a registration area where PTC SSL certificates are not available. This solution is now fully in place.
- Action no. 6: Certinomis has developed a function for sending e-mails in accordance with BR 1.6.5 method 3.2.2.4.4 This function will be in production by May 15, and then it will no longer be possible for a human operator to add or validate a domain name without a positive response according to 3.2.2.4.4
On these three main causes of problem, Certinomis has already started to act, certain actions have been completed (action n°2, action n°3, action n°5) one is partially completed (action n°1) and the others will be completed within a maximum of one month (action n°6) or two months (action n°4). And our efforts will not stop, other improvements are already in the works and will have to be added to our road map (implementation of method 3.2.2.4.6 for example).
I don’t want to finish this answer without going back to the A issue, the Startcom cross-sign.
I will not repeat all the history, Franck LEROY had detailed it in his e-mail of 07/08/2017 at 11.21:46 (UTC+2), but simply summarize my point of view: at no time did we in this case violate an existing rule, nor did we assist or seek to assist Startcom in circumventing the remediation plan proposed by Mozilla; on the contrary, we asked the Mozilla staff beforehand if what we wanted to do was acceptable, we clearly made it a condition for Iñigo to follow the plan and waited to be convinced that he had done so, and when, after all these precautions, we were told that we had not understood this remedial plan, we revoked both CAs without discussion.
I hadn’t heard anything about it in those two years.
So what is the factual criticism that is being made now, two years later? I don’t know about that.
And what is the link with our difficulties of this year? None!
In conclusion, I would like to remind you that Certinomis, although a modest player in the SSL business, is a respectably well-known company in France, qualified for several ranges of certificates, and which provides personal signature certificates for many organizations, large companies, ministries and local communities.
This good reputation does not justify the errors that are currently highlighted.
But this fame was not obtained by chance, and on the contrary, it is a testament to our know-how, our work and the rigour we put into it.
And I believe that considering this is likely to reassure the Mozilla community and restore its confidence: It’s true that we have been initially destabilized by the barrage of questions and bug notifications that started just after the departure of our former technical director Franck LEROY.
But the attention paid to this issue over the past three months and especially the rapid progress of our action plan show that we are taking these matters seriously and that we are able to play our role as a CA as well in the rules of the CA/B Forum than in the other rules to which we are subject.
Kind Regards,
François CHASSERY
CEO
Certinomis
