Re: Recent Entrust Compliance Incidents

['Ben Wilson' via dev-security-policy@mozilla.org]

Added " Although not expressed in the bug, it appears that certificate
revocation was delayed as well."

On Fri, May 10, 2024 at 10:54 AM George  wrote:

> Although it was not mentioned in the original bug, it may be worth adding
> that the certificates in bug 1867130
>  were also not
> revoked within 5 days of discovery. Entrust might've based the start of the
> 5 day deadline at the time the "Director of compliance confirmed
> investigation conclusions to support team" at 2023-11-21 15:00 UTC with all
> certificates being revoked by 2023-11-26 14:50 UTC, but I don't think
> that's correct if that was the case.
>
> On Friday, May 10th, 2024 at 5:27 PM, 'Ben Wilson' via
> dev-security-policy@mozilla.org  wrote:
>
> Here are draft summaries of the additional historic incidents. I'll be
> adding these to the Entrust Issues page:
> https://wiki.mozilla.org/CA/Entrust_Issues
>
> *Invalid data in State/Province Field -*
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1658792
>
> It was initially discovered that Entrust had issued 395 OV SSL
> certificates to a large international organization with “NA” for the
> state/province information. Entrust worked on a drop-down list to prevent
> the error. Certificate revocation would not occur within established
> timeframes, so Bug #1658794 for delayed revocation was opened.
>
> *Late Revocation for Invalid State/Province Issue - *
> https://bugzilla.mozilla.org/show_bug.cgi?id=1658794
>
> This is the delayed revocation bug related to Bug #1658792, above. Entrust
> said that when educating large institutions about rapid revocation, factors
> include who owns a certificate, where it is deployed, and the type of
> system or application that requires the certificate. It also said that it
> was advocating automation with such institutions to help speed up
> certificate replacement and to minimize human error.
>
> *EV TLS Certificate incorrect jurisdiction -*
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1802916
>
> Entrust mis-issued 322 EV certificates with the wrong state and locality
> jurisdiction fields due to complex data entry processes. Entrust
> implemented a different automated dropdown system for jurisdiction
> selection. Certificate revocation would not occur within established
> timeframes, so Bug #1804753 for delayed revocation was opened.
>
> *Delayed Revocation for EV TLS Certificate incorrect jurisdiction - *
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1804753
>
> This is the delayed revocation bug related to Bug #1802916, above. Entrust
> listed 8 Subscribers who were pushing back on immediate certificate
> revocation and the reasons given (e.g. extensions granted due to
> end-of-year freezes). Entrust committed to “continue to develop and extend
> methods for automatic certificate renewal.”
>
> *Jurisdiction Locality Wrong in EV Certificate -*
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1867130
>
> Two EV TLS Certificates were mis-issued due to human error in the
> Jurisdiction Locality field. (The incident revealed 340 additional accounts
> needing similar updates.) Entrust said it would enhance its linting
> processes to include possibly using an external service to validate
> locality data against verified country data.
>
> *SHA-256 hash algorithm used with ECC P-384 key - *
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1648472
>
> A Mozilla policy was adopted to require hashing with SHA-384 for an ECC
> P-384 key. Existing CAs using SHA-256 were not re-configured when Mozilla
> adopted this policy. This incident revealed a serious gap in taking new
> requirements and implementing them. Ryan Sleevi noted that linting was just
> a safety net and not a systemic solution. Entrust was also criticized for
> the lack of detail in its incident report and its decision to not revoke
> the certificates.
>
> Entrust committed to improving its monitoring and implementation of policy
> changes to prevent similar incidents. Ryan set forth a number of proactive
> systemic corrections that Entrust needed to take, rather than taking a
> reactive stance on matters of non-compliance.
>
> Entrust committed to rigorous review of certificate profiles, browser
> policy revisions, and industry developments. As a final comment, Ryan said,
> “My big concern is, going forward, we see incident reports from Entrust
> take a more systemic, holistic response, like Comment #16, to try and cover
> the scenarios, and to provide sufficient detail about the situation and its
> failures to understand how those relate. The goal isn't to make CAs wear
> proverbial sackcloth, it's to try and make sure we're understanding how
> things go wrong, so that we can effectively collaborate on identifying
> solutions to avoid that going forward.”
>
> *Late Revocation due to SHA-256 hash algorithm - *
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1651481
>
> This bug is related to Bug #1648472. Entrust issued TLS certificates

Re: Recent Entrust Compliance Incidents

['George' via dev-security-policy@mozilla.org]

Although it was not mentioned in the original bug, it may be worth adding that 
the certificates in [bug 
1867130](https://bugzilla.mozilla.org/show_bug.cgi?id=1867130) were also not 
revoked within 5 days of discovery. Entrust might've based the start of the 5 
day deadline at the time the "Director of compliance confirmed investigation 
conclusions to support team" at 2023-11-21 15:00 UTC with all certificates 
being revoked by 2023-11-26 14:50 UTC, but I don't think that's correct if that 
was the case.

On Friday, May 10th, 2024 at 5:27 PM, 'Ben Wilson' via 
dev-security-policy@mozilla.org  wrote:

> Here are draft summaries of the additional historic incidents. I'll be adding 
> these to the Entrust Issues page: https://wiki.mozilla.org/CA/Entrust_Issues
>
> Invalid data in State/Province Field -
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1658792
>
> It was initially discovered that Entrust had issued 395 OV SSL certificates 
> to a large international organization with “NA” for the state/province 
> information. Entrust worked on a drop-down list to prevent the error. 
> Certificate revocation would not occur within established timeframes, so Bug 
> #1658794 for delayed revocation was opened.
>
> Late Revocation for Invalid State/Province Issue -
> https://bugzilla.mozilla.org/show_bug.cgi?id=1658794
>
> This is the delayed revocation bug related to Bug #1658792, above. Entrust 
> said that when educating large institutions about rapid revocation, factors 
> include who owns a certificate, where it is deployed, and the type of system 
> or application that requires the certificate.It also said that it was 
> advocating automation with such institutions to help speed up certificate 
> replacement and to minimize human error.
>
> EV TLS Certificate incorrect jurisdiction -
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1802916
>
> Entrust mis-issued 322 EV certificates with the wrong state and locality 
> jurisdiction fields due to complex data entry processes. Entrust implemented 
> a different automated dropdown system for jurisdiction selection. Certificate 
> revocation would not occur within established timeframes, so Bug #1804753 for 
> delayed revocation was opened.
>
> Delayed Revocation for EV TLS Certificate incorrect jurisdiction -
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1804753
>
> This is the delayed revocation bug related to Bug #1802916, above. Entrust 
> listed 8 Subscribers who were pushing back on immediate certificate 
> revocation and the reasons given (e.g. extensions granted due to end-of-year 
> freezes). Entrust committed to “continue to develop and extend methods for 
> automatic certificate renewal.”
>
> Jurisdiction Locality Wrong in EV Certificate -
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1867130
>
> Two EV TLS Certificates were mis-issued due to human error in the 
> Jurisdiction Locality field. (The incident revealed 340 additional accounts 
> needing similar updates.) Entrust said it would enhance its linting processes 
> to include possibly using an external service to validate locality data 
> against verified country data.
>
> SHA-256 hash algorithm used with ECC P-384 key -
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1648472
>
> A Mozilla policy was adopted to require hashing with SHA-384 for an ECC P-384 
> key. Existing CAs using SHA-256 were not re-configured when Mozilla adopted 
> this policy. This incident revealed a serious gap in taking new requirements 
> and implementing them. Ryan Sleevi noted that linting was just a safety net 
> and not a systemic solution. Entrust was also criticized for the lack of 
> detail in its incident report and its decision to not revoke the certificates.
>
> Entrust committed to improving its monitoring and implementation of policy 
> changes to prevent similar incidents. Ryan set forth a number of proactive 
> systemic corrections that Entrust needed to take, rather than taking a 
> reactive stance on matters of non-compliance.
>
> Entrust committed to rigorous review of certificate profiles, browser policy 
> revisions, and industry developments. As a final comment, Ryan said, “My big 
> concern is, going forward, we see incident reports from Entrust take a more 
> systemic, holistic response, like Comment #16, to try and cover the 
> scenarios, and to provide sufficient detail about the situation and its 
> failures to understand how those relate. The goal isn't to make CAs wear 
> proverbial sackcloth, it's to try and make sure we're understanding how 
> things go wrong, so that we can effectively collaborate on identifying 
> solutions to avoid that going forward.”
>
> Late Revocation due to SHA-256 hash algorithm -
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1651481
>
> This bug is related to Bug #1648472.Entrust issued TLS certificates using ECC 
> P-384 keys hashed with SHA-256, contrary to Mozilla policy requiring SHA-384 
> for hashing. Entrust’s initial decision was to allow 

Re: Recent Entrust Compliance Incidents

['Ben Wilson' via dev-security-policy@mozilla.org]

Here are draft summaries of the additional historic incidents. I'll be
adding these to the Entrust Issues page:
https://wiki.mozilla.org/CA/Entrust_Issues

*Invalid data in State/Province Field -*

https://bugzilla.mozilla.org/show_bug.cgi?id=1658792

It was initially discovered that Entrust had issued 395 OV SSL certificates
to a large international organization with “NA” for the state/province
information. Entrust worked on a drop-down list to prevent the error.
Certificate revocation would not occur within established timeframes, so
Bug #1658794 for delayed revocation was opened.

*Late Revocation for Invalid State/Province Issue - *
https://bugzilla.mozilla.org/show_bug.cgi?id=1658794

This is the delayed revocation bug related to Bug #1658792, above. Entrust
said that when educating large institutions about rapid revocation, factors
include who owns a certificate, where it is deployed, and the type of
system or application that requires the certificate.  It also said that it
was advocating automation with such institutions to help speed up
certificate replacement and to minimize human error.

*EV TLS Certificate incorrect jurisdiction -*

https://bugzilla.mozilla.org/show_bug.cgi?id=1802916

Entrust mis-issued 322 EV certificates with the wrong state and locality
jurisdiction fields due to complex data entry processes. Entrust
implemented a different automated dropdown system for jurisdiction
selection. Certificate revocation would not occur within established
timeframes, so Bug #1804753 for delayed revocation was opened.

*Delayed Revocation for EV TLS Certificate incorrect jurisdiction - *

https://bugzilla.mozilla.org/show_bug.cgi?id=1804753

This is the delayed revocation bug related to Bug #1802916, above. Entrust
listed 8 Subscribers who were pushing back on immediate certificate
revocation and the reasons given (e.g. extensions granted due to
end-of-year freezes). Entrust committed to “continue to develop and extend
methods for automatic certificate renewal.”

*Jurisdiction Locality Wrong in EV Certificate -*

https://bugzilla.mozilla.org/show_bug.cgi?id=1867130

Two EV TLS Certificates were mis-issued due to human error in the
Jurisdiction Locality field. (The incident revealed 340 additional accounts
needing similar updates.) Entrust said it would enhance its linting
processes to include possibly using an external service to validate
locality data against verified country data.

*SHA-256 hash algorithm used with ECC P-384 key - *

https://bugzilla.mozilla.org/show_bug.cgi?id=1648472

A Mozilla policy was adopted to require hashing with SHA-384 for an ECC
P-384 key. Existing CAs using SHA-256 were not re-configured when Mozilla
adopted this policy.  This incident revealed a serious gap in taking new
requirements and implementing them. Ryan Sleevi noted that linting was just
a safety net and not a systemic solution. Entrust was also criticized for
the lack of detail in its incident report and its decision to not revoke
the certificates.

Entrust committed to improving its monitoring and implementation of policy
changes to prevent similar incidents. Ryan set forth a number of proactive
systemic corrections that Entrust needed to take, rather than taking a
reactive stance on matters of non-compliance.

Entrust committed to rigorous review of certificate profiles, browser
policy revisions, and industry developments. As a final comment, Ryan said,
“My big concern is, going forward, we see incident reports from Entrust
take a more systemic, holistic response, like Comment #16, to try and cover
the scenarios, and to provide sufficient detail about the situation and its
failures to understand how those relate. The goal isn't to make CAs wear
proverbial sackcloth, it's to try and make sure we're understanding how
things go wrong, so that we can effectively collaborate on identifying
solutions to avoid that going forward.”

*Late Revocation due to SHA-256 hash algorithm - *

https://bugzilla.mozilla.org/show_bug.cgi?id=1651481

This bug is related to Bug #1648472.  Entrust issued TLS certificates using
ECC P-384 keys hashed with SHA-256, contrary to Mozilla policy requiring
SHA-384 for hashing. Entrust’s initial decision was to allow certificates
to expire naturally without revocation, but this was revised with a
decision to revoke all affected certificates. Entrust committed to: filing
incident report within one business day for future incidents, filing late
revocation incident reports within the required 24 hours or 5 days, as
applicable, and advising Subscribers about revocation within 24 hours or 5
days, or provide an explanation if they are unable to meet such timeframes.
Entrust was told it needed to align its revocation procedures more closely
with the Baseline Requirements and Mozilla’s policy, especially in
providing a detailed rationale for any delays in revocation on a
per-subscriber basis and ensuring timely revocation in line with the
Baseline Requirements.



On Thu, May 9, 2024 at 8:13