

CA/e-commerce-monitoring Issues

5,247 bytes added, 2 June
Initial draft of page
This page lists recent (May-June 2024) bugs involving the CA operator e-commerce monitoring (ECM). This list of issues is not comprehensive. It will be updated by Mozilla if needed, but please do not edit this page yourself. If you have proposed changes, post them to the Mozilla dev-security-policy list or email them to

=== SCT in precertificate ===

The certificate transparency (CT) component of ECM’s CA software was misconfigured and lacked internal controls, which allowed the creation of a CT pre-certificate containing an SCT, and it was not updated to accommodate URL changes. ECM did not revoke the mis-issued pre-certificate within 5 days. ECM’s incident reporting did not meet expected standards of detail and clarity; for example, it did not clearly explain corrective measures or their effectiveness in preventing future incidents.

'''Issues:''' Certificate Misissuance; Incident Reporting; Incident Response; Delayed Revocation

=== Certificate issued with two pre-certificates ===

Related to Bug # 1815534, it was also discovered that in an attempt to obtain a sufficient number of SCTs, ECM’s CT component submitted two pre-certificates for a single final certificate (all with the same serial number). These two incidents exposed a lack of internal verification processes and automated checks for changes to CT log servers. ECM committed to providing better “lessons learned” and enhanced transparency to the community.

'''Issues:''' Certificate Misissuance; Incident Reporting

=== Delayed Revocation ===

Related to Bug # 1815534, it took ECM 13 days to ask whether revocation was necessary, and then actual revocation took place 51 days after initial notification. This bug was opened because of the delayed revocation. ECM was asked to provide "an analysis to determine the factors that prevented timely revocation of the certificates, and include a set of remediation actions in the final incident report that aim to prevent future revocation delays." It was also noted that the CCADB website provides a recommended incident reporting template.
Generally, ECM has not met community expectations for incident reporting because it has focused on operational details without tackling systemic, root cause issues or “lessons learned”, which would help ECM and others improve their compliance. Commenters in the bug also asked for action items to prevent delayed revocation in the future, better awareness of industry requirements, better incident reporting, and more thorough management of CP and CPS documentation.

'''Issues:''' Delayed Revocation; Incident Reporting; Policy Documentation

=== Precertificate validity does not match leaf certificate ===

ECM became aware that it had created a pre-certificate and corresponding final certificate with different validity periods. It noted the problem and revoked both the pre-certificate and the final certificate, but selected an incorrect value for the revocationReason CRL extension. More than a month went by without ECM acknowledging the misissuance or attempting to remediate the underlying causes. ECM discovered a bug in its system that caused mismatched validity periods when the pre-certificate and final certificate were not issued on the same day. ECM’s incident reporting did not disclose a second occurrence related to the issue. ECM was asked several follow-up questions about the incident report. Some questions were not promptly answered because ECM apparently lacks adequate personnel to provide more timely answers. The bug indicates that ECM also needs better communication, incident reporting and incident management in order to increase transparency and community trust.

'''Issues:''' Certificate Misissuance; Incident Reporting; Incident Handling; Insufficient Staffing

=== CRLs with mismatched issuer ===

ECM issued CRLs with issuer names that were not byte-for-byte identical to the names in the issuer fields of the certificates. The timeline for remediation of this issue was unacceptably long, which highlighted the concern that ECM was incapable of handling critical CA operations because of inadequate resource allocation.

'''Issues:''' CRL Failure; Incident Reporting; Incident Handling; Insufficient Staffing
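
The byte-for-byte requirement in the "CRLs with mismatched issuer" section can be checked mechanically. The following is an added example, not code from Mozilla or ECM: it compares the DER bytes of a certificate issuer field and a CRL issuer field and separates an encoding difference from a different name. The sample names, and the choice of a string-type difference as the cause, are constructed assumptions; the page does not say how ECM's names differed.

```python
# Added example: all names and bytes below are constructed, not ECM data.
CN_OID = bytes.fromhex("550403")          # 2.5.4.3 commonName
PRINTABLE, UTF8 = 0x13, 0x0C              # DER string type tags

def tlv(tag, body):
    """DER-encode one element (short-form length, body under 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("long-form length not handled in this sketch")
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the element starting at pos."""
    if pos + 2 > len(buf) or buf[pos + 1] >= 128:
        raise ValueError("truncated or long-form element")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return buf[pos], buf[pos + 2:end], end

def build_name(cn, string_tag):
    """Build a constructed Name: one RDN holding a single commonName."""
    atv = tlv(0x30, tlv(0x06, CN_OID) + tlv(string_tag, cn.encode("utf-8")))
    return tlv(0x30, tlv(0x31, atv))

def attributes(name_der):
    """Flatten a Name to [(oid, text)], ignoring the string type tag."""
    tag, rdns, end = read_tlv(name_der)
    if tag != 0x30 or end != len(name_der):
        raise ValueError("not a single DER Name")
    out, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)      # SET OF AttributeTypeAndValue
        p = 0
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)
            _, oid, q = read_tlv(atv)
            _, value, _ = read_tlv(atv, q)
            out.append((oid, value.decode("utf-8")))
    return out

def compare_issuers(cert_issuer, crl_issuer):
    """Classify a certificate issuer field against a CRL issuer field."""
    if cert_issuer == crl_issuer:
        return "match"
    if attributes(cert_issuer) == attributes(crl_issuer):
        return "encoding-mismatch"   # same text, different DER bytes
    return "name-mismatch"
```

A pre-publication check would treat anything other than "match" as a failure, since names that display identically can still differ in their encoded bytes.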

=== Failure to follow incident report requirements ===

This bug was opened to record ECM’s delayed responses, inadequate incident reporting, and overall non-compliance with reporting requirements. The root causes for these failures appear to include inadequate staffing and management changes. Some of the action items to remediate these issues were to include increased staffing, improved monitoring and alerting tools and other technological enhancements to assist staff with incident reporting, and additional training and reviews to improve compliance and operational practices.

'''Issues:''' Incident Reporting; Incident Handling; Insufficient Staffing
