CA/e-commerce-monitoring Issues: Difference between revisions

m
Removed "draft"
m (→‎Delayed Revocation: Added comments)
m (Removed "draft")
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{Draft}}
This page lists recent (May-June 2024) bugs involving the CA operator e-commerce monitoring (ECM). This list of issues is not comprehensive. It will be updated by Mozilla if needed, but please do not edit this page yourself. If you have proposed changes, post them to the Mozilla dev-security-policy list or email them to certificates@mozilla.org.  
This page lists recent (May-June 2024) bugs involving the CA operator e-commerce monitoring (ECM). This list of issues is not comprehensive. It will be updated by Mozilla if needed, but please do not edit this page yourself. If you have proposed changes, post them to the Mozilla dev-security-policy list or email them to certificates@mozilla.org.  


Line 5: Line 4:
https://bugzilla.mozilla.org/show_bug.cgi?id=1815534
https://bugzilla.mozilla.org/show_bug.cgi?id=1815534


The certificate transparency (CT) component of ECM’s CA software was misconfigured and lacked internal controls (allowing the creation of a CT pre-certificate containing an SCT), and it was not updated to accommodate URL changes. ECM did not revoke the mis-issued pre-certificate within 5 days. ECM’s incident reporting did not meet expected standards of detail and clarity, e.g. did not clearly explain corrective measures or their effectiveness in preventing future incidents.
The certificate transparency (CT) component of ECM’s CA software was misconfigured and lacked internal controls (allowing the creation of a CT pre-certificate containing an SCT), and it was not updated to accommodate URL changes. ECM did not revoke the mis-issued pre-certificate within 5 days. ECM’s incident reporting did not meet expected standards of detail and clarity. The incident report did not adequately address root causes or clearly explain corrective measures or their effectiveness in preventing future incidents. See [https://bugzilla.mozilla.org/show_bug.cgi?id=1815534#c30 Comment #30]. There was significant delay (nearly 3 months) in responding to a request for an updated incident report. See [https://bugzilla.mozilla.org/show_bug.cgi?id=1815534#c37 Comment #37].  


'''Issues:'''  Certificate Misissuance; Incident Reporting; Incident Response; Delayed Revocation
'''Issues:'''  Certificate Misissuance; Incident Reporting; Incident Response; Delayed Revocation
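Review bot: In the revised summary paragraph, "There was significant delay (nearly 3 months) in responding to a request for an updated incident report" gives no dates for the request or the reply. Adding both dates next to the Comment #37 link would let a reader check the figure without opening the bug. The unchanged sentence "ECM did not revoke the mis-issued pre-certificate within 5 days" would also read better if it named the requirement that sets that deadline.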
Line 12: Line 11:
https://bugzilla.mozilla.org/show_bug.cgi?id=1830536
https://bugzilla.mozilla.org/show_bug.cgi?id=1830536


Related to Bug # 1815534, it was also discovered that in an attempt to obtain a sufficient number of SCTs, ECM’s CT component submitted two pre-certificates for a single final certificate (all with the same serial number).  These two incidents exposed a lack of internal verification processes and automated checks for changes to CT log servers. ECM noted that "certificate transparency has brought a new dimension as described in the present report – the fact that also an assumed-to-exist-certificate is in scope by virtue of Mozilla Root Store Policy 5.4. This had not been properly taken into account in our interpretation and measures, respectively." https://bugzilla.mozilla.org/show_bug.cgi?id=1830536#c1
Related to [https://bugzilla.mozilla.org/show_bug.cgi?id=1815534 Bug #1815534], it was also discovered that in an attempt to obtain a sufficient number of SCTs, ECM’s CT component submitted two pre-certificates for a single final certificate (all with the same serial number).  These two incidents exposed a lack of internal verification processes and automated checks for changes to CT log servers. ECM noted that "certificate transparency has brought a new dimension as described in the present report – the fact that also an assumed-to-exist-certificate is in scope by virtue of Mozilla Root Store Policy 5.4. This had not been properly taken into account in our interpretation and measures, respectively." [https://bugzilla.mozilla.org/show_bug.cgi?id=1830536#c1 Comment #1]


'''Issues:'''  Certificate Misissuance; Incident Reporting
'''Issues:'''  Certificate Misissuance; Incident Reporting
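Review bot: At the end of the revised paragraph, the new "[... Comment #1]" link follows the closing quotation mark with no connecting word or final punctuation. The revised Bug 1815534 summary uses "See [... Comment #30]." for the same purpose, so this should probably read "See [... Comment #1]." for consistency. The quoted reference to "Mozilla Root Store Policy 5.4" could also be linked, since the paragraph depends on it to explain why the pre-certificate is in scope.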
Line 27: Line 26:
https://bugzilla.mozilla.org/show_bug.cgi?id=1883711
https://bugzilla.mozilla.org/show_bug.cgi?id=1883711


ECM became aware that it had created a pre-certificate and corresponding final certificate with different validity periods. It noted the problem and revoked both the pre-certificate and the final certificate, however selected an incorrect value for the revocationReason CRL extension. More than a month went by without acknowledging the misissuance and attempting to remediate the underlying causes. ECM discovered a bug in their system that caused the mismatched validity periods when the pre-certificate and final certificate are not issued on the same day. ECM’s incident reporting did not disclose a second occurrence related to the issue. ECM was asked several follow-up questions about the incident report. Some questions were not promptly answered because ECM apparently lacks adequate personnel to provide more timely answers. The bug indicates that ECM also needs better communication, incident reporting and incident management in order to increase transparency and community trust.
ECM became aware that it had created a pre-certificate and corresponding final certificate with different validity periods. It noted the problem, and revoked both the pre-certificate and the final certificate, however ECM selected an incorrect value for the revocationReason CRL extension. More than a month went by without acknowledging the misissuance and attempting to remediate the underlying causes. ECM discovered a bug in their system that caused the mismatched validity periods when the pre-certificate and final certificate are not issued on the same day. ECM’s incident reporting did not disclose a second occurrence related to the issue. ECM was asked several follow-up questions about the incident report. Some questions were not promptly answered because ECM apparently lacks adequate personnel to provide more timely answers. The bug also reveals that ECM needs better communication, incident reporting and incident management in order to increase transparency and community trust.


'''Issues:''' Certificate Misissuance; Incident Reporting; Incident Handling; Insufficient Staffing
'''Issues:''' Certificate Misissuance; Incident Reporting; Incident Handling; Insufficient Staffing
 
=== CRLs with mismatched issuer ===
=== CRLs with mismatched issuer ===
https://bugzilla.mozilla.org/show_bug.cgi?id=1888371
https://bugzilla.mozilla.org/show_bug.cgi?id=1888371
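Review bot: In the revised paragraph, "revocationReason CRL extension" is not the name RFC 5280 uses. The field is the reasonCode CRL entry extension, which carries a CRLReason value, so the wording should be corrected. It should also state which value was chosen and which was expected, if the bug gives them. In the same sentence, "It noted the problem, and revoked both ..., however ECM selected" uses "however" as a conjunction; "but ECM selected" reads correctly. "More than a month went by without acknowledging the misissuance" has no subject for "acknowledging"; "without ECM acknowledging" would fix that.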
Line 41: Line 40:
https://bugzilla.mozilla.org/show_bug.cgi?id=1893546
https://bugzilla.mozilla.org/show_bug.cgi?id=1893546


This bug was opened to record ECM’s delayed responses, inadequate incident reporting, and overall non-compliance with reporting requirements. The root causes for these failures appear to include inadequate staffing and management changes. Some of the action items to remediate these issues were to include: increased staffing, improved monitoring and alerting tools and other technological enhancements to assist staff with incident reporting, and additional training and reviews to improve compliance and operational practices.
This bug was opened to record ECM’s delayed responses, inadequate incident reporting, and overall non-compliance with reporting requirements. The root causes for these failures appear to include, but not be limited to, inadequate staffing and management changes.  
[Note: ECM claims that it will take action by increasing staffing, improving monitoring and alerting tools, providing additional training and reviews, and improving overall compliance and operational practices, but there is doubt due to a lack of detail concerning the timely and effective implementation of such actions.]


'''Issues:''' Incident Reporting; Incident Handling; Insufficient Staffing
'''Issues:''' Incident Reporting; Incident Handling; Insufficient Staffing
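Review bot: The new bracketed note says "there is doubt due to a lack of detail" without saying whose doubt it is or citing a comment in the bug. The other revised summaries in this diff cite a specific Bugzilla comment for each assessment, so this one should link the comment or comments where the concern was raised, or attribute it to Mozilla explicitly. The added "include, but not be limited to," also duplicates what "appear to include" already conveys and can be dropped.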