Thank you for this response Ramiro. I have copied this to the bug [1] and
have described Mozilla's expectations for point-in-time audits that confirm
that these issues have been resolved.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1478933

On Tue, Sep 4, 2018 at 5:47 AM ramirommunoz--- via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Hi Wayne, here you are a response to the qualified audits. As you remarked,
> we have included links to the previously reported bugs. We will keep you
> informed about the remediation process plan. Sorry for the delay; as you
> know Juan Angel is the person in charge of this work and is on vacation for
> some days.
>
> 1- How your CA first became aware of the problem (e.g. via a problem
> report submitted to your Problem Reporting Mechanism, a discussion in
> mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and
> the time and date.
>
> As a result of the annual WebTrust CA BR EV audit, AC Camerfirma has been
> required by our auditors, by means of a Qualified Audit Report, to make a
> series of changes.
> W4CA-1. Some discrepancies between CPS and CP
>
> W4CA-2. Some CPs do not disclose all topics in RFC3647
>
> W4CA-3. Camerfirma had issued certificates with error (already reported
> https://bugzilla.mozilla.org/show_bug.cgi?id=1431164).
>
> W4CA-4. Camerfirma had not revoked certificates within the time frame in
> accordance with the disclosed business practices (already reported
> https://bugzilla.mozilla.org/show_bug.cgi?id=1390977)
>
> W4CA5. For a few certificates OCSP information was inconsistent between
> the OCSP and CRL service under certain circumstances.
>
> WBR-1. No sufficient controls to ensure that the CA implements the latest
> version of the Baseline Requirements.
>
> WBR-2. Camerfirma had issued certificates with errors according to the
> CA/B Forum requirements. (Already reported
> https://bugzilla.mozilla.org/show_bug.cgi?id=1431164)
>
> WBR-3. Investigation of Certificate Problem Reports within 24 hours.
> (Already reported https://bugzilla.mozilla.org/show_bug.cgi?id=1390977).
>
> WBR-4. During our procedures, we noted that for some revocation requests
> the subscriber Certificates were not revoked within 24 hours. (Already
> reported https://bugzilla.mozilla.org/show_bug.cgi?id=1390977).
>
> WBR-5. No evidence of self-assessments on at least a quarterly basis against
> a randomly selected sample of at least three percent of the Certificates
> issued.
>
> WEV-1. Camerfirma had issued certificates with errors according to the
> CA/B Forum requirements. (Already reported
> https://bugzilla.mozilla.org/show_bug.cgi?id=1431164)
>
> WEB-2. For a few certificates OCSP information was inconsistent between
> the OCSP and CRL service under certain circumstances.
>
> WEB-3. During our procedures, we noted that for some revocation requests
> the subscriber Certificates were not revoked within 24 hours. (Already
> reported https://bugzilla.mozilla.org/show_bug.cgi?id=1390977).
>
> WEB4. Investigation of Certificate Problem Reports within 24 hours.
> (Already reported https://bugzilla.mozilla.org/show_bug.cgi?id=1390977).
>
>
> 2- A timeline of the actions your CA took in response. A timeline is a
> date-and-time-stamped sequence of all relevant events. This may include
> events before the incident was reported, such as when a particular
> requirement became applicable, or a document changed, or a bug was
> introduced, or an audit was done.
>
> During the audit process our auditors detected some differences in the
> answers from the OCSP services and the CRL.
> We detected some problems in the trigger system that synchronizes the PKI
> platform and the OCSP platform. We decided to perform a full check of the
> OCSP platform and fix the inconsistencies discovered.
> 2018-07-14 -> Release of the Qualified Audit Report
> 2018-09-20 -> CP/CPS modification & clarification published (W4CA-1
> W4CA-2 WBR-1 WBR-5)
> 2018-09-10 -> Complete DDBB OCSP/PKI/CRL reviewed and fixed (W4CA-5 WEV-2)
> 2018-09-17 -> technical controls and synchronization reports deployed.
> (W4CA-5 WEV-2)
> October-2018 -> Depending on the auditor availability, PIT Audit.
>
>
> 3- Whether your CA has stopped, or has not yet stopped, issuing
> certificates with the problem. A statement that you have will be considered
> a pledge to the community; a statement that you have not requires an
> explanation.
>
>
> CP/CPS issues are not a certificate issuing problem.
> OCSP/CRL: We have not found new issues in our OCSP manual controls. All
> certificates are correctly issued.
>
>
> 4- A summary of the problematic certificates. For each problem: number of
> certs, and the date the first and last certs with that problem were issued.
>
>
> CP/CPS issues. Do not affect any certificate.
> OCSP/CRL issue. Certificates are issued correctly. Nevertheless we are
> detecting which certificates could have been affected by the inconsistencies.
> We will provide a list in the next days.
>
> 5- The complete certificate data for the problematic certificates. The
> recommended way to provide this is to ensure each certificate is logged to
> CT and then list the fingerprints or crt.sh IDs, either in the report or as
> an attached spreadsheet, with one list per distinct problem.
>
> CP/CPS issues. Do not affect any certificate.
> OCSP/CRL issue. Certificates are issued correctly. Nevertheless we are
> detecting which certificates could have been affected by the inconsistencies.
> We will provide a list in the next days.
>
> 6- Explanation about how and why the mistakes were made or bugs
> introduced, and how they avoided detection until now.
>
> CP/DPC issues……
> W4CA-1
> This issue comes from a different interpretation by the auditor of the CP
> and CPS. AC Camerfirma has been working mainly with the CPS. The AC Camerfirma
> CP was written in a very basic way in order to describe its activity in
> detail in the CPS. Information in the CPS prevailed over the CP. Nevertheless
> the auditors state that Camerfirma should fix some discrepancies between them,
> like: key lengths, contact information and reuse of keys differ between CPS
> and CP. From Camerfirma's point of view the CPS prevails. AC Camerfirma fixes
> this inconsistency.
> W4CA-2
> Disclose all topics of RFC 3649. The AC Camerfirma CPS is RFC 3649 compliant.
> AC Camerfirma will include all topics in the CP as well.
> WBR-1.
> AC Camerfirma has a closer control over changes in the CABFORUM BR
> policies and has modified the CPS update procedure to ensure that the latest
> BR version is covered by our CPS.
> WBR-5.
> A complete self-assessment is made over 3% of the EV certificates, and
> also over all the OV certificates (crt.sh), although the OV self-assessment
> did not cover the complete investigation in the auditor's opinion. AC
> Camerfirma has changed the self-assessment procedure to include a full
> investigation over 3% of the OV certificates as well.
> OCSP/CRL Issues...
> W4CA5, WEB-2
> OCSP and PKI/CRL are independent platforms and are synchronized by DDBB
> triggers. These triggers are not working properly under some circumstances
> (heavy traffic) and produce errors; other errors come from behaviors when
> suspending and activating certificates.
> Before this audit report neither manual nor technical controls on OCSP/CRL
> synchronization were installed.
>
> 7- List of steps your CA is taking to resolve the situation and ensure
> such issuance will not be repeated in the future, accompanied with a
> timeline of when your CA expects to accomplish these things.
>
> AC Camerfirma has made changes in the CP/CPS to fix the inconsistencies
> found by the auditor and will disseminate the documents and the new
> procedures to avoid new problems in the future.
> AC Camerfirma is working on correcting the imbalances detected and on
> effective processes to ensure that the information offered by the OCSP and
> the CRL is the same.
> 2018-07-14 -> Qualified Audit Report
> 2018-09-17 -> CPS & CP's new versions will be disclosed
> New procedures and CPS/CP versions will be distributed among all affected
> people in order to avoid new differences between CP/CPS
> New procedures for self-assessment include full revision of OV
> certificates.
> Better control over changes in the BR version and modifications in AC
> Camerfirma CP/CPS.
> 2018-09-17 -> Finish a full review of the OCSP DDBB and synchronization
> with the PKI DDBB.
> 2018-09-24 -> Fixed all inconsistencies found. We've reviewed the complete
> databases and checked the correct OCSP/PKI/CRL alignment, correcting the
> problems found.
> 2018-10-01 -> Technical control to avoid inconsistencies. We are improving
> the execution of the triggers and developing the controls that confirm their
> correct operation.
> 2018-10-01 -> Timely reports (weekly to monthly basis) to assure technical
> controls are working and no new inconsistencies are produced.
>
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
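A defender-side check for the OCSP/CRL synchronization gap described under W4CA-5/WEB-2 and in the timeline above, written here as an added example and not Camerfirma's own control: it reconciles constructed PKI, CRL and OCSP tables and classifies each disagreement by how it would affect relying parties.

```python
"""Reconcile the revocation status an OCSP responder serves with the
issuer's CRL and PKI issuance records. Added example, not Camerfirma's
own control: the three tables below are constructed stand-ins for what a
CA would export from its PKI, CRL and OCSP databases."""

# Constructed PKI issuance records: every serial the CA has issued.
ISSUED_SERIALS = {0x1001, 0x1002, 0x1003, 0x1004, 0x1005, 0x1006}

# Constructed CRL view: serial -> reasonCode. Only revoked serials appear;
# a certificate taken off hold is removed from the CRL again.
CRL_ENTRIES = {0x1001: "keyCompromise", 0x1002: "certificateHold",
               0x1004: "superseded"}

# Constructed OCSP responder view: serial -> (certStatus, revocationReason).
# A serial the responder never learned about would be answered "unknown".
OCSP_STATUS = {
    0x1001: ("revoked", "keyCompromise"),        # consistent with the CRL
    0x1002: ("good", None),                      # hold never reached OCSP
    0x1003: ("revoked", "certificateHold"),      # hold lifted, OCSP stale
    0x1004: ("revoked", "cessationOfOperation"), # reason drifted
    0x1005: ("good", None),                      # consistent, never revoked
}


def reconcile(issued, crl, ocsp):
    """Return sorted (serial, finding) pairs where OCSP and CRL disagree.

    Findings, most to least dangerous for relying parties:
      crl_revoked_ocsp_good  - OCSP clients would accept a revoked cert
      ocsp_unknown           - issued serial never reached the responder
      ocsp_revoked_crl_clear - OCSP still rejects a cert the CRL no longer lists
      reason_mismatch        - both say revoked, but with different reasonCodes
    """
    findings = []
    for serial in sorted(issued):
        status, reason = ocsp.get(serial, ("unknown", None))
        in_crl = serial in crl
        if in_crl and status == "good":
            findings.append((serial, "crl_revoked_ocsp_good"))
        elif status == "unknown":
            findings.append((serial, "ocsp_unknown"))
        elif status == "revoked" and not in_crl:
            findings.append((serial, "ocsp_revoked_crl_clear"))
        elif in_crl and crl[serial] != reason:
            findings.append((serial, "reason_mismatch"))
    return findings


if __name__ == "__main__":
    for serial, finding in reconcile(ISSUED_SERIALS, CRL_ENTRIES, OCSP_STATUS):
        print(f"{serial:#06x}: {finding}")
```

Run periodically against real exports, a non-empty result is exactly the kind of synchronization report the remediation timeline commits to.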