CA/Entrust Issues

5,443 bytes added, 10 May
Added Section E
'''Issues:''' Implementation/Configuration Error
 
-----------------------------------------------------------
== E. Issues in Recent History ==
 
=== 1. Invalid data in State/Province Field - ===
https://bugzilla.mozilla.org/show_bug.cgi?id=1658792
 
It was initially discovered that Entrust had issued 395 OV SSL certificates to a large international organization with “NA” for the state/province information. Entrust worked on a drop-down list to prevent the error. Certificate revocation would not occur within established timeframes, so [https://bugzilla.mozilla.org/show_bug.cgi?id=1658794 Bug #1658794] for delayed revocation was opened.
 
'''Issues:'''
 
=== 2. Late Revocation for Invalid State/Province Issue - ===
https://bugzilla.mozilla.org/show_bug.cgi?id=1658794
 
This is the delayed revocation bug related to [https://bugzilla.mozilla.org/show_bug.cgi?id=1658792 Bug #1658792], above. Entrust said that, when it works with large institutions on rapid revocation, the relevant factors include who owns a certificate, where it is deployed, and the type of system or application that requires it. It also said that it was advocating automation with such institutions to speed up certificate replacement and to minimize human error.
 
'''Issues:''' Delayed Revocation
 
=== 3. EV TLS Certificate incorrect jurisdiction - ===
https://bugzilla.mozilla.org/show_bug.cgi?id=1802916
 
Entrust mis-issued 322 EV certificates with the wrong state and locality jurisdiction fields due to complex data entry processes. Entrust implemented a different automated dropdown system for jurisdiction selection. Certificate revocation would not occur within established timeframes, so [https://bugzilla.mozilla.org/show_bug.cgi?id=1804753 Bug #1804753] for delayed revocation was opened.
 
'''Issues:'''
 
=== 4. Delayed Revocation for EV TLS Certificate incorrect jurisdiction - ===
https://bugzilla.mozilla.org/show_bug.cgi?id=1804753
 
This is the delayed revocation bug related to [https://bugzilla.mozilla.org/show_bug.cgi?id=1802916 Bug #1802916], above. Entrust listed 8 Subscribers who pushed back on immediate certificate revocation, together with their stated reasons (e.g. extensions granted because of end-of-year freezes). Entrust committed to “continue to develop and extend methods for automatic certificate renewal.”
 
'''Issues:''' Delayed Revocation
 
=== 5. Jurisdiction Locality Wrong in EV Certificate - ===
https://bugzilla.mozilla.org/show_bug.cgi?id=1867130
 
Two EV TLS Certificates were mis-issued due to human error in the Jurisdiction Locality field. (The incident revealed 340 additional accounts needing similar updates.) Entrust said it would enhance its linting, possibly by using an external service to validate locality data against verified country data.
 
'''Issues:'''
 
=== 6. SHA-256 hash algorithm used with ECC P-384 key - ===
https://bugzilla.mozilla.org/show_bug.cgi?id=1648472
 
Mozilla’s Root Store Policy requires that signatures produced with an ECC P-384 key use SHA-384. Entrust’s existing issuing CAs with P-384 keys, which were signing with SHA-256, were not re-configured when Mozilla adopted this requirement. The incident revealed a serious gap between receiving new requirements and implementing them. Ryan Sleevi noted that linting is only a safety net, not a systemic solution. Entrust was also criticized for the lack of detail in its incident report and for its decision not to revoke the affected certificates.
 
Entrust committed to improving how it monitors and implements policy changes to prevent similar incidents. Ryan set out a number of proactive, systemic corrections that Entrust needed to make, rather than taking a reactive stance on matters of non-compliance.
 
Entrust committed to rigorous review of certificate profiles, browser policy revisions, and industry developments. As a final comment, Ryan said, “My big concern is, going forward, we see incident reports from Entrust take a more systemic, holistic response, like Comment #16, to try and cover the scenarios, and to provide sufficient detail about the situation and its failures to understand how those relate. The goal isn't to make CAs wear proverbial sackcloth, it's to try and make sure we're understanding how things go wrong, so that we can effectively collaborate on identifying solutions to avoid that going forward.”
 
'''Issues:'''
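The curve/hash pairing at issue in item 6 is mechanically checkable before issuance. The following is an added example, not Entrust’s or Mozilla’s code: a stdlib-only DER walker that reads the issuing CA’s named curve and the leaf’s signatureAlgorithm and applies the MRSP 5.1.2 pairing (P-256 with SHA-256, P-384 with SHA-384). The sample certificates are constructed in the block for illustration (structurally valid, dummy signature bytes); the same functions accept real DER certificates, e.g. the output of `openssl x509 -outform DER`.

```python
"""Lint: does an ECDSA certificate signature use the hash that Mozilla Root
Store Policy 5.1.2 pairs with the issuing CA's curve?  (added example)"""

# Well-known OIDs from RFC 5480 / RFC 5758.
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
SECP256R1 = "1.2.840.10045.3.1.7"
SECP384R1 = "1.3.132.0.34"
ECDSA_WITH_SHA256 = "1.2.840.10045.4.3.2"
ECDSA_WITH_SHA384 = "1.2.840.10045.4.3.3"

# MRSP 5.1.2: signing-key curve -> the only permitted signature algorithm.
# Other curves (e.g. P-521) are not permitted at all, so they have no entry.
REQUIRED_SIG_BY_CURVE = {SECP256R1: ECDSA_WITH_SHA256, SECP384R1: ECDSA_WITH_SHA384}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _decode_oid(value):
    arcs, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)


def signature_algorithm_oid(cert_der):
    """OID of the outer signatureAlgorithm of a DER Certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, (_, sig_alg), _ = list(_children(cert))        # tbs, sigAlg, sigValue
    return _decode_oid(next(_children(sig_alg))[1])   # AlgorithmIdentifier.algorithm


def subject_key_curve_oid(cert_der):
    """namedCurve OID of the subject key, or None if the key is not ECDSA."""
    _, cert, _ = _read_tlv(cert_der, 0)
    (_, tbs), _, _ = list(_children(cert))
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    spki = fields[5][1]        # serial, signature, issuer, validity, subject, SPKI
    (_, alg), _ = list(_children(spki))
    parts = list(_children(alg))
    if _decode_oid(parts[0][1]) != ID_EC_PUBLIC_KEY or len(parts) < 2:
        return None
    return _decode_oid(parts[1][1])


def lint_ecdsa_signature(leaf_der, issuer_der):
    """Return (ok, reason) for the MRSP 5.1.2 curve/hash pairing rule."""
    curve = subject_key_curve_oid(issuer_der)
    if curve is None:
        return True, "issuer key is not ECDSA; rule does not apply"
    required = REQUIRED_SIG_BY_CURVE.get(curve)
    if required is None:
        return False, f"issuer curve {curve} is not permitted"
    actual = signature_algorithm_oid(leaf_der)
    if actual != required:
        return False, f"signed with {actual}; issuer curve {curve} requires {required}"
    return True, "signature hash matches issuer curve"


# --- constructed sample certificates (structure only; signature bytes are dummies) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))


def make_sample_cert(sig_alg_oid, curve_oid):
    """Unsigned but structurally valid X.509 v3 Certificate (constructed test data)."""
    seq = lambda *parts: _tlv(0x30, b"".join(parts))
    alg = seq(_encode_oid(sig_alg_oid))
    name = seq(_tlv(0x31, seq(_encode_oid("2.5.4.3"), _tlv(0x0C, b"Example CA"))))
    validity = seq(_tlv(0x17, b"200101000000Z"), _tlv(0x17, b"210101000000Z"))
    spki = seq(seq(_encode_oid(ID_EC_PUBLIC_KEY), _encode_oid(curve_oid)),
               _tlv(0x03, b"\x00\x04" + b"\x11" * 96))
    tbs = seq(_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"),
              alg, name, validity, name, spki)
    return seq(tbs, alg, _tlv(0x03, b"\x00" + b"\x22" * 8))


ISSUER_P384 = make_sample_cert(ECDSA_WITH_SHA384, SECP384R1)   # P-384 issuing CA
LEAF_SHA256 = make_sample_cert(ECDSA_WITH_SHA256, SECP256R1)   # the defect in item 6
LEAF_SHA384 = make_sample_cert(ECDSA_WITH_SHA384, SECP256R1)   # compliant issuance

if __name__ == "__main__":
    for label, leaf in (("bad", LEAF_SHA256), ("good", LEAF_SHA384)):
        print(label, lint_ecdsa_signature(leaf, ISSUER_P384))
```

Note that this check, like any lint, is the safety net Ryan describes: it catches a non-compliant certificate at issuance time, but the systemic fix is configuring each P-384 issuing CA’s profile to sign with SHA-384 so the linter never fires.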
 
=== 7. Late Revocation due to SHA-256 hash algorithm - ===
https://bugzilla.mozilla.org/show_bug.cgi?id=1651481
 
This bug is related to [https://bugzilla.mozilla.org/show_bug.cgi?id=1648472 Bug #1648472], above. Entrust issued TLS certificates signed with SHA-256 under ECC P-384 issuing-CA keys, contrary to Mozilla policy, which requires SHA-384 with P-384. Entrust’s initial decision was to let the certificates expire naturally without revocation, but it later revised this and decided to revoke all affected certificates. Entrust committed to: filing an incident report within one business day of future incidents; filing late-revocation incident reports within the required 24 hours or 5 days, as applicable; and advising Subscribers of revocation within 24 hours or 5 days, or providing an explanation if unable to meet those timeframes. Entrust was told it needed to align its revocation procedures more closely with the Baseline Requirements and Mozilla’s policy, especially by providing a detailed, per-Subscriber rationale for any delay in revocation and by ensuring timely revocation in line with the Baseline Requirements.
 
'''Issues:''' Delayed Revocation